Easy-RSA 3 Quickstart README
============================

This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage
and specific commands can be found by running ./easyrsa -h. Additional
documentation can be found in the doc/ directory.

If you're upgrading from the Easy-RSA 2.x series, there are Upgrade-Notes
available, also under the doc/ path.

Setup and signing the first request
-----------------------------------

Here is a quick run-through of what needs to happen to start a new PKI and sign
your first entity certificate:

1. Choose a system to act as your CA and create a new PKI and CA:

    ./easyrsa init-pki
    ./easyrsa build-ca

2. On the system that is requesting a certificate, init its own PKI and generate
   a keypair/request. Note that init-pki is used _only_ when this is done on a
   separate system (or at least a separate PKI dir). This is the recommended
   procedure. If you are not using this recommended procedure, skip the next
   import-req step.

    ./easyrsa init-pki
    ./easyrsa gen-req EntityName

3. Transport the request (.req file) to the CA system and import it. The name
   given here is arbitrary and only used to name the request file.

    ./easyrsa import-req /tmp/path/to/import.req EntityName

4. Sign the request as the correct type. This example uses a client type:

    ./easyrsa sign-req client EntityName

5. Transport the newly signed certificate to the requesting entity. This entity
   may also need the CA cert (ca.crt) unless it had a prior copy.

6. The entity now has its own keypair, signed cert, and the CA.
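
As an added example that is not part of the Easy-RSA README or project, the
following POSIX shell wrapper performs the CA-side intake (steps 3 to 5 above)
for one transported request, run from the Easy-RSA directory on the CA system
after init-pki and build-ca. It assumes Easy-RSA 3's default PKI layout under
the EASYRSA_PKI variable (default ./pki): ca.crt, private/ca.key, reqs/NAME.req
and issued/NAME.crt.

```shell
#!/bin/sh
# Added example for the quickstart above; not part of the Easy-RSA project.
# Run from the Easy-RSA directory on the CA system after init-pki and
# build-ca. Assumes the Easy-RSA 3 default layout under EASYRSA_PKI
# (default ./pki): ca.crt, private/ca.key, reqs/NAME.req, issued/NAME.crt.
set -eu

pki_dir() { printf '%s\n' "${EASYRSA_PKI:-pki}"; }

# True only when the PKI dir holds a CA certificate and its private key,
# so the intake below cannot be run by mistake in an entity-only PKI
# (the kind created by step 2 on the requesting system).
is_ca_pki() {
    pki=$(pki_dir)
    [ -f "$pki/ca.crt" ] && [ -f "$pki/private/ca.key" ]
}

# Steps 3 to 5 of the quickstart for one transported request:
#   intake_client_request /tmp/path/to/import.req EntityName
# Exit status: 2 = not a CA PKI, 3 = short name already in use.
intake_client_request() {
    req=$1
    name=$2
    pki=$(pki_dir)
    if ! is_ca_pki; then
        echo "$pki is not a CA PKI; run this on the CA system" >&2
        return 2
    fi
    # Stop before any easyrsa call if the short name is already taken and
    # say which file conflicts; the name only labels files, so pick another.
    for f in "$pki/reqs/$name.req" "$pki/issued/$name.crt"; do
        if [ -e "$f" ]; then
            echo "refusing: $f already exists" >&2
            return 3
        fi
    done
    ./easyrsa import-req "$req" "$name"
    ./easyrsa show-req "$name"            # review the subject before signing
    ./easyrsa sign-req client "$name"
    # Step 5: these files go back to the requesting entity.
    printf 'transport to entity: %s\n' "$pki/issued/$name.crt" "$pki/ca.crt"
}
```

The preflight checks are pure shell, so a missing CA or a clashing short name
is reported before any easyrsa command runs.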

Signing subsequent requests
---------------------------

Follow steps 2-6 above to generate subsequent keypairs and have the CA return
signed certificates.

Revoking certs and creating CRLs
--------------------------------

This is a CA-specific task.

To permanently revoke an issued certificate, provide the short name used during
import:

    ./easyrsa revoke EntityName

To create an updated CRL that contains all revoked certs up to that point:

    ./easyrsa gen-crl

After generation, the CRL will need to be sent to systems that reference it.

Generating Diffie-Hellman (DH) params
-------------------------------------

After initializing a PKI, any entity that needs DH params can create them. This
is normally only used by a TLS server. While the CA PKI can generate this, it
makes more sense to do it on the server itself to avoid the need to send the
files to another system after generation.

DH params can be generated with:

    ./easyrsa gen-dh

Showing details of requests or certs
------------------------------------

To show the details of a request or certificate by referencing the short
EntityName, use one of the following commands. It is an error to call these
without a matching file.

    ./easyrsa show-req EntityName
    ./easyrsa show-cert EntityName

Changing private key passphrases
--------------------------------

RSA and EC private keys can be re-encrypted so a new passphrase can be supplied
with one of the following commands, depending on the key type:

    ./easyrsa set-rsa-pass EntityName
    ./easyrsa set-ec-pass EntityName

Optionally, the passphrase can be removed completely with the 'nopass' flag.
Consult the command help for details.