Easier easy-rsa

Posted on 2015-December-28 in programming

OpenVPN

If you have ever set up an OpenVPN server, you probably had to fight your way through the certificate generation steps. Something like what is detailed here:

https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

The official OpenVPN guide refers to easy-rsa, which is a royal pain in the butt. Even with the HOWTO in front of me, it takes me ages to set things up and if I ever have to come back later to generate more client certificates, I inevitably end up restarting from scratch because I cannot remember which steps I took and where I stored files.

Does not seem so difficult though. You need to generate a Root CA, and then use it to sign a server certificate (which is stored on your server) and client certificates which you distribute to your clients. I re-implemented the whole thing as a Python script in a couple of hours, tested it with an openvpn instance, and it works quite well. The script can be found here:

https://github.com/nicolas314/2cca

It is called two-cent CA because that is exactly what it is. There is no support for security modules like smart cards or HSMs because I do not need them, but since it is based on python-openssl it should not be too hard to make it work with P11 tokens.

Here is an example session where I create the root, a server identity, and two client identities for Alice and Bob.

$ python 2cca.py root
Give a name to your new root authority (default: Root CA)
Name: MyRoot
Which country is it located in? (default: ZZ)
Provide a 2-letter country code like US, FR, UK
Country: ZZ
Which city is it located in? (optional)
City:
What organization is it part of? (default: Home)
Organization: Home
--- generating key pair (2048 bits)
Specify a certificate duration in days (default: 3650)
Duration:
--- self-signing certificate
--- saving results to root.crt and root.key
done
$ python 2cca.py server
--- loading root certificate and key
Give a name to your new server (default: openvpn-server)
Name: myopenvpn-server
Which country is it located in? (default: ZZ)
Provide a 2-letter country code like US, FR, UK
Country: ZZ
Which city is it located in? (optional)
City:
--- generating key pair (2048 bits)
Specify a certificate duration in days (default: 3650)
Duration:
--- signing certificate with root
--- saving results to myopenvpn-server.crt and myopenvpn-server.key
$ python 2cca.py client
--- loading root certificate and key
Give a name to your new client (default: openvpn-client)
Name: Alice
Which country is it located in? (default: ZZ)
Provide a 2-letter country code like US, FR, UK
Country: UK
Which city is it located in? (optional)
City: Cambridge
--- generating key pair (2048 bits)
Specify a certificate duration in days (default: 3650)
Duration:
--- signing certificate with root
--- saving results to Alice.crt and Alice.key
$ python 2cca.py client
--- loading root certificate and key
Give a name to your new client (default: openvpn-client)
Name: Bob
Which country is it located in? (default: ZZ)
Provide a 2-letter country code like US, FR, UK
Country: US
Which city is it located in? (optional)
City: Boston
--- generating key pair (2048 bits)
Specify a certificate duration in days (default: 3650)
Duration:
--- signing certificate with root
--- saving results to Bob.crt and Bob.key
& ls
2cca.py    Alice.key  Bob.key    myopenvpn-server.crt  root.crt
Alice.crt  Bob.crt    README.md  myopenvpn-server.key  root.key

You want to keep root.crt for what OpenVPN calls the CA certificate. Do not loose root.key, you will need it whenever you will want to issue more client or server certificates. Install the other files as required.

Tested on Linux (Debian, Archlinux) and OSX.

Enjoy!