Linux Setup Notes

created dec 14, 2010

Generating SSL User Certificates - Detailed Example

This page describes how to create SSL certificates for OpenVPN users. It assumes you already have a CA (certificate authority) set up; see linuxsetup46.html, linuxsetup71.html, and linuxsetup54.html for details.

Step 1 - Create a certificate

In this example, we will create a certificate for our good friend Froos Waxbiffel, whose login name is froos. The name of our hypothetical server is "diarrhea." We will be using the easy-rsa scripts that ship with OpenVPN. The first step is to source the environment variables they need.

cd vpn/openvpn-2.0.2/easy-rsa
diarrhea:/home/tjnelson/vpn/openvpn-2.0.2/easy-rsa$ . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on 
/home/tjnelson/vpn/openvpn-2.0.2/easy-rsa/keys

Next run build-key, accepting all the default values. These defaults were specified when the CA was created, so only the Common Name needs to be entered.

diarrhea:/home/tjnelson/vpn/openvpn-2.0.2/easy-rsa$ ./build-key froos
Generating a 1024 bit RSA private key
.................................................................++++++
........++++++
writing new private key to 'froos.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [ROCKVILLE]:
Organization Name (eg, company) [BURPI]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:diarrhea
Email Address [tjnelson@diarrhea-gots-us.com]:

It then asks for a challenge password. If you enter a password here, the user will be required to type it every time they log in, so we usually leave it blank.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/tjnelson/vpn/openvpn-2.0.2/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'MD'
localityName          :PRINTABLE:'ROCKVILLE'
organizationName      :PRINTABLE:'BURPI'
commonName            :PRINTABLE:'diarrhea'
emailAddress          :IA5STRING:'tjnelson@diarrhea-gots-us.com'
Certificate is to be certified until Dec 11 21:49:45 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

We got the error "failed to update database", which means either there is already an entry in the database for Froos (possibly from a previous failed attempt to create a certificate) or the software doesn't like your commonName. The DEBUG line above shows unique_subject = "yes", so the CA refuses to sign a request whose Subject DN matches an entry that is still valid in its index; here the Common Name was entered as "diarrhea", the server's own name, rather than froos. The easiest solution is to make up a different commonName, for instance "explosive-diarrhea".

...
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'MD'
localityName          :PRINTABLE:'ROCKVILLE'
organizationName      :PRINTABLE:'BURPI'
commonName            :PRINTABLE:'explosive-diarrhea'
emailAddress          :IA5STRING:'tjnelson@diarrhea-gots-us.com'
Certificate is to be certified until Dec 11 21:51:55 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
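The "database" that build-key failed to update is the CA's index.txt, and with unique_subject = "yes" only entries still marked V (valid) clash; R (revoked) and E (expired) ones do not. The script below is an added example, not part of these notes or of easy-rsa: it checks index.txt for a clashing Common Name before you run build-key, and checks the finished cert against ca.crt and its key afterwards. The index.txt contents are constructed here to mirror the session above; the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes or easy-rsa). index.txt is
# tab-separated: status, expiry, revocation date, serial, file name, subject DN.
# The other DN fields come from the defaults in vars, so the CN is what
# decides whether a new request collides with an existing valid entry.

# Print the subject of every still-valid (V) entry whose CN equals $2.
valid_entries_for_cn() {  # usage: valid_entries_for_cn index.txt CN
    awk -F'\t' -v cn="$2" '
        BEGIN { tag = "/CN=" cn }
        $1 == "V" && (index($6, tag "/") ||
                      substr($6, length($6) - length(tag) + 1) == tag) { print $6 }
    ' "$1"
}

# Exit 0 if build-key may use this CN, 1 if "TXT_DB error number 2" is expected.
cn_is_free() {  # usage: cn_is_free index.txt CN
    [ -z "$(valid_entries_for_cn "$1" "$2")" ]
}

# After a successful build-key: the cert must chain to our CA and its public
# modulus must match the private key we are about to hand out. Needs openssl.
check_pair() {  # usage: check_pair ca.crt froos.crt froos.key
    openssl verify -CAfile "$1" "$2" >/dev/null || return 1
    [ "$(openssl x509 -noout -modulus -in "$2")" = \
      "$(openssl rsa -noout -modulus -in "$3")" ]
}

# Constructed sample index.txt: the server cert "diarrhea" is still valid, an
# older "froos" certificate was revoked. Dates and serials are made up.
SAMPLE_INDEX="$(mktemp)"
printf 'V\t201211214945Z\t\t01\tunknown\t/C=US/ST=MD/L=ROCKVILLE/O=BURPI/CN=diarrhea/emailAddress=tjnelson@diarrhea-gots-us.com\n' > "$SAMPLE_INDEX"
printf 'R\t201211214945Z\t101214220000Z\t02\tunknown\t/C=US/ST=MD/L=ROCKVILLE/O=BURPI/CN=froos/emailAddress=tjnelson@diarrhea-gots-us.com\n' >> "$SAMPLE_INDEX"

for cn in diarrhea froos explosive-diarrhea; do
    if cn_is_free "$SAMPLE_INDEX" "$cn"; then
        echo "$cn: free, build-key $cn should succeed"
    else
        echo "$cn: still valid in index.txt, expect 'TXT_DB error number 2'"
    fi
done
```

Run it from the easy-rsa directory with its real keys/index.txt in place of the constructed sample, then call check_pair on the files you intend to give out.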

Step 2 - Copy the keys to the keys directory

In this example, the keys are stored in /etc/openvpn/keys/.

cd easy-rsa/keys
su
cp froos* /etc/openvpn/keys/

Step 3 - Start up OpenVPN

If OpenVPN is not running, start it up.

cd vpn/openvpn*
./openvpn server.conf
echo 1 > /proc/sys/net/ipv4/ip_forward

Step 4 - Give files to user

Give the following four files to the user. froos.key is the user's private key, so hand it over through a channel other users cannot read:

client.ovpn
ca.crt
froos.key
froos.crt

Tell the user to click on vpn.html for instructions.
