easy-rsa

easy-rsa is a shell-based CLI tool for creating and managing a PKI CA. In other words, it can create a CA as well as request and sign certificates, intermediate CAs and certificate revocation lists (CRLs). As of 2024-06, Easy-RSA is developed together with OpenVPN, although the two are separate projects. Easy-RSA can be used to generate certificates for OpenVPN, web servers and other kinds of software.

Easy-RSA manages the PKI in whatever directory is current. The examples below work in /etc/pki/easy-rsa.

Installation

dnf -y install easy-rsa

Easy-RSA can also be configured through a vars file:

/etc/pki/easy-rsa/pki/vars
set_var EASYRSA_ALGO                rsa
set_var EASYRSA_BATCH               ""
set_var EASYRSA_CA_EXPIRE           3650
set_var EASYRSA_CERT_EXPIRE         825
set_var EASYRSA_CRL_DAYS            180
set_var EASYRSA_CURVE               secp384r1
set_var EASYRSA_DIGEST              "sha256"
set_var EASYRSA_DN                  "cn_only"
set_var EASYRSA_EXT_DIR             "$EASYRSA/x509-types"
set_var EASYRSA_KDC_REALM           "CHANGEME.EXAMPLE.COM"
set_var EASYRSA_KEY_SIZE            2048
set_var EASYRSA_NO_PASS             1
set_var EASYRSA_NS_COMMENT          "Easy-RSA Generated Certificate"
set_var EASYRSA_NS_SUPPORT          "no"
set_var EASYRSA_OPENSSL             "openssl"
set_var EASYRSA_PKI                 "$PWD/pki"
set_var EASYRSA_PRE_EXPIRY_WINDOW   90
set_var EASYRSA_PRESERVE_DN         1
set_var EASYRSA_RAND_SN             "yes"
set_var EASYRSA_REQ_CITY            "San Francisco"
set_var EASYRSA_REQ_COUNTRY         "US"
set_var EASYRSA_REQ_EMAIL           "me@example.net"
set_var EASYRSA_REQ_ORG             "Copyleft Certificate Co"
set_var EASYRSA_REQ_OU              "My Organizational Unit"
set_var EASYRSA_REQ_PROVINCE        "California"
set_var EASYRSA_SSL_CONF            "$EASYRSA_PKI/openssl-easyrsa.cnf"
set_var EASYRSA_TEMP_DIR            "$EASYRSA_PKI"

These properties can also be set as environment variables (which take precedence). For notes, see /usr/share/doc/easy-rsa/vars.example.

Create a CA

Suppose a CA is to be managed in the directory /etc/pki/easy-rsa:

mkdir -p /etc/pki/easy-rsa
cd /etc/pki/easy-rsa

Configure Easy-RSA (creates ./pki/*.cnf)

/usr/share/easy-rsa/3/easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/pki/easy-rsa/pki

Create the CA:

/usr/share/easy-rsa/3/easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.................+++++
.....................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/pki/easy-rsa/pki/ca.crt

Tip

--batch disables the interactive prompts.

The command creates the following files and directories:

./pki/ca.crt                        # the CA certificate
./pki/private/ca.key                # private key of the CA
./pki/index.txt                     # the Easy-RSA "database"
./pki/index.txt.attr

./pki/certs_by_serial/

./pki/issued/

./pki/renewed/certs_by_serial/
./pki/renewed/private_by_serial/
./pki/renewed/reqs_by_serial/

./pki/revoked/certs_by_serial/
./pki/revoked/private_by_serial/
./pki/revoked/reqs_by_serial/

./pki/serial

CAs created this way are valid for 10 years.

Create a CSR

Create and sign a request with the Common Name "info@linuxfabrik.ch" using Easy-RSA. If you use Easy-RSA on the client: the client must also first proceed as in "Create a CA" and create its own PKI.

/usr/share/easy-rsa/3/easyrsa gen-req info@linuxfabrik.ch
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
...........................+++++
............................................................................................+++++
writing new private key to '/etc/pki/easy-rsa/pki/easy-rsa-7555.JtHhWc/tmp.6lTbPU'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [info@linuxfabrik.ch]:

Keypair and certificate request completed. Your files are:
req: /etc/pki/easy-rsa/pki/reqs/info@linuxfabrik.ch.req
key: /etc/pki/easy-rsa/pki/private/info@linuxfabrik.ch.key

The command creates the following files and directories:

./pki/private/info@linuxfabrik.ch.key   # the private key
./pki/reqs/info@linuxfabrik.ch.req      # the CSR

By default, certificates are valid for 2 years.

Import a CSR

If the request was created on another machine, place it in /tmp, for example, and import it into the target PKI:

/usr/share/easy-rsa/3/easyrsa import-req /tmp/info@linuxfabrik.ch.req info@linuxfabrik.ch

Sign the CSR

/usr/share/easy-rsa/3/easyrsa sign-req client info@linuxfabrik.ch
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = info@linuxfabrik.ch


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/pki/easy-rsa/pki/easy-rsa-7629.Egr3SW/tmp.Uypmcm
Enter pass phrase for /etc/pki/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'info@linuxfabrik.ch'
Certificate is to be certified until Sep 28 12:42:39 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/pki/easy-rsa/pki/issued/info@linuxfabrik.ch.crt

The signed certificate is located at

./pki/issued/info@linuxfabrik.ch.crt
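
The sign-req output above warns that the request has not been cryptographically verified and asks you to check the request checksum with the sender. One way to do that before import-req is sketched below as an added example; it is not part of Easy-RSA, and the helper name verify_req and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (not part of Easy-RSA): gate import-req on a checksum that the
# requester sent over a separate channel (phone, signed mail, ticket).
# verify_req is a hypothetical helper name.
#
# Usage:  verify_req <request_file> <expected_sha256_hex>
# Return: 0 = checksum matches, 1 = mismatch, 2 = unusable input
verify_req() {
    req=$1
    # Accept upper- or lower-case hex from the sender
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$req" ] && [ -r "$req" ] || { echo "cannot read: $req" >&2; return 2; }

    # A SHA-256 digest is exactly 64 hex characters; reject anything else so a
    # truncated or empty value can never "match".
    case $expected in
        *[!0-9a-f]*|'') echo "not a hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest must be 64 hex chars" >&2; return 2; }

    actual=$(sha256sum "$req" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $req" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Typical use on the CA host (paths as in the examples on this page):
#   verify_req /tmp/info@linuxfabrik.ch.req "$DIGEST_FROM_SENDER" &&
#       /usr/share/easy-rsa/3/easyrsa import-req /tmp/info@linuxfabrik.ch.req info@linuxfabrik.ch
```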

Export the certificate as a PKCS12 file

/usr/share/easy-rsa/3/easyrsa export-p12 info@linuxfabrik.ch
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Enter pass phrase for /etc/pki/easy-rsa/pki/private/info@linuxfabrik.ch.key:
Enter Export Password:
Verifying - Enter Export Password:

Successful export of p12 file. Your exported file is at the following
location: /etc/pki/easy-rsa/pki/private/info@linuxfabrik.ch.p12

As usual, the p12 file contains the entire certificate chain. If you do not need it, you can append the parameters noca and nokey as required.

Check/view certificates

/usr/share/easy-rsa/3/easyrsa show-req info@linuxfabrik.ch
/usr/share/easy-rsa/3/easyrsa show-cert info@linuxfabrik.ch

Revoke certificates and create a CRL

/usr/share/easy-rsa/3/easyrsa revoke info@linuxfabrik.ch
EASYRSA_CRL_DAYS=1000 /usr/share/easy-rsa/3/easyrsa gen-crl

The CRL file is located at ./pki/crl.pem and is valid for 180 days by default.

Remove a certificate from the filesystem

Revoke the certificate before removing it! Only then:

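CERT_NAME=info@linuxfabrik.ch       # not USER: that would overwrite the shell's login-name variable
DB=/etc/pki/easy-rsa/pki/index.txt

# The serial number is the fourth tab-separated field of index.txt
SERNO=$(grep -F "$CERT_NAME" "$DB" | cut -f4)

# Quote the whole pattern so the shell does not expand the * itself
find /etc/pki/easy-rsa -name "$CERT_NAME*" -delete
# Skip if no serial was found: an empty SERNO would turn the pattern into "*"
[ -n "$SERNO" ] && find /etc/pki/easy-rsa -name "$SERNO*" -delete
sed --in-place "/$CERT_NAME/d" "$DB"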
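
The lookup above matches by substring and does not check that the certificate really was revoked first. The following added example (not part of Easy-RSA) reads index.txt as the tab-separated OpenSSL CA database it is, matches the Common Name exactly, refuses unless every matching entry is flagged R, and lists the affected files as a dry run. The function names revoked_serial and list_removable are hypothetical.

```shell
# Added example, not part of Easy-RSA. Function names are hypothetical.

# revoked_serial <index.txt> <common_name>
# Prints the serial(s) for <common_name> only if every matching entry is revoked.
# Return: 0 = all entries revoked, 1 = a non-revoked entry exists, 2 = not found
revoked_serial() {
    db=$1 cn=$2
    [ -r "$db" ] || { echo "cannot read $db" >&2; return 2; }
    # index.txt is tab-separated: status, expiry, revocation date, serial,
    # file name, subject. Status is V (valid), R (revoked) or E (expired).
    awk -F '\t' -v cn="$cn" '
        {
            # Subject looks like /CN=name or /C=US/O=Org/CN=name
            n = split($6, rdn, "/"); name = ""
            for (i = 1; i <= n; i++)
                if (substr(rdn[i], 1, 3) == "CN=") name = substr(rdn[i], 4)
            if (name != cn) next        # exact string match, no regex
            found = 1
            if ($1 == "R") out = out $4 "\n"
            else live = 1
        }
        END {
            if (!found) exit 2
            if (live) exit 1
            printf "%s", out
        }
    ' "$db"
}

# list_removable <pki_dir> <common_name>
# Dry run: prints the files a removal would delete; prints nothing and returns
# non-zero if the certificate is not revoked or not in the database.
list_removable() {
    pki=$1 cn=$2
    serials=$(revoked_serial "$pki/index.txt" "$cn") || return $?
    # Exact file names with the extensions used on this page, so that
    # "name" never also matches "name2" or "name.example"
    for ext in crt key req p12; do
        find "$pki" -type f -name "$cn.$ext"
    done
    for s in $serials; do
        find "$pki" -type f -name "$s.*"
    done
}
```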

Easy-RSA Cheat Sheet

EasyRSA 3.1.6:

Easy-RSA 3 usage and overview

USAGE: easyrsa [global-options] COMMAND [command-options]

To get detailed usage and help for a command, use:
  ./easyrsa help COMMAND

For a list of global-options, use:
  ./easyrsa help options

A list of commands is shown below:
  init-pki [ cmd-opts ]
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <file_name_base> [ cmd-opts ]
  sign-req <type> <file_name_base> [ cmd-opts ]
  build-client-full <file_name_base> [ cmd-opts ]
  build-server-full <file_name_base> [ cmd-opts ]
  build-serverClient-full <file_name_base> [ cmd-opts ]
  inline <file_name_base>
  revoke <file_name_base> [ cmd-opts ]
  renew <file_name_base>
  revoke-renewed <file_name_base> [ cmd-opts ]
  rewind-renew <certificate_serial_number>
  rebuild <file_name_base> [ cmd-opts ]
  gen-crl
  update-db
  make-safe-ssl
  show-req <file_name_base> [ cmd-opts ]
  show-cert <file_name_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  show-crl
  show-expire <file_name_base> (Optional)
  show-revoke <file_name_base> (Optional)
  show-renew <file_name_base> (Optional)
  verify-cert <file_name_base>
  import-req <request_file_path> <short_name_base>
  export-p1 <file_name_base> [ cmd-opts ]
  export-p7 <file_name_base> [ cmd-opts ]
  export-p8 <file_name_base> [ cmd-opts ]
  export-p12 <file_name_base> [ cmd-opts ]
  set-pass <file_name_base> [ cmd-opts ]
  upgrade <type>

Built on 2025-01-06