Easier easy-rsa
Posted on 2015-December-28 in programming
If you have ever set up an OpenVPN server, you probably had to fight your way through the certificate generation steps. Something like what is detailed here:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
The official OpenVPN guide refers to easy-rsa, which is a royal pain in the butt. Even with the HOWTO in front of me, it takes me ages to set things up, and if I ever have to come back later to generate more client certificates, I inevitably end up restarting from scratch because I cannot remember which steps I took and where I stored the files.
It does not seem so difficult, though. You need to generate a root CA, then use it to sign a server certificate (which is stored on your server) and client certificates, which you distribute to your clients. I re-implemented the whole thing as a Python script in a couple of hours, tested it with an OpenVPN instance, and it works quite well. The script can be found here:
https://github.com/nicolas314/2cca
It is called two-cent CA because that is exactly what it is. There is no support for security modules like smart cards or HSMs because I do not need them, but since it is based on python-openssl it should not be too hard to make it work with PKCS#11 (P11) tokens.
Here is an example session where I create the root, a server identity, and two client identities, for Alice and Bob.
$ python 2cca.py root
Give a name to your new root authority (default: Root CA)
Name: MyRoot
Which country is it located in? (default: ZZ)
Provide a 2-letter country code like US, FR, UK
Country: ZZ
Which city is it located in? (optional)
City:
What organization is it part of? (default: Home)
Organization: Home
--- generating key pair (2048 bits)
Specify a certificate duration in days (default: 3650)
Duration:
--- self-signing certificate
--- saving results to root.crt and root.key
done

$ python 2cca.py server
--- loading root certificate and key
Give a name to your new server (default: openvpn-server)
Name: myopenvpn-server
Which country is it located in? (default: ZZ)
Provide a 2-letter country code like US, FR, UK
Country: ZZ
Which city is it located in? (optional)
City:
--- generating key pair (2048 bits)
Specify a certificate duration in days (default: 3650)
Duration:
--- signing certificate with root
--- saving results to myopenvpn-server.crt and myopenvpn-server.key

$ python 2cca.py client
--- loading root certificate and key
Give a name to your new client (default: openvpn-client)
Name: Alice
Which country is it located in? (default: ZZ)
Provide a 2-letter country code like US, FR, UK
Country: UK
Which city is it located in? (optional)
City: Cambridge
--- generating key pair (2048 bits)
Specify a certificate duration in days (default: 3650)
Duration:
--- signing certificate with root
--- saving results to Alice.crt and Alice.key

$ python 2cca.py client
--- loading root certificate and key
Give a name to your new client (default: openvpn-client)
Name: Bob
Which country is it located in? (default: ZZ)
Provide a 2-letter country code like US, FR, UK
Country: US
Which city is it located in? (optional)
City: Boston
--- generating key pair (2048 bits)
Specify a certificate duration in days (default: 3650)
Duration:
--- signing certificate with root
--- saving results to Bob.crt and Bob.key

$ ls
2cca.py    Alice.key  Bob.key    myopenvpn-server.crt  root.crt
Alice.crt  Bob.crt    README.md  myopenvpn-server.key  root.key
You want to keep root.crt for what OpenVPN calls the CA certificate. Do not lose root.key: you will need it whenever you want to issue more client or server certificates. Install the other files as required.
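The same root, server and client issuance spelled out with the plain openssl CLI, as an added example that is not 2cca's code, together with the two checks worth running on the output (does the root vouch for each file, and does each certificate carry the key usage for its role). The extension settings and the openssl 1.1.1+ requirement are this example's assumptions; the post does not describe which extensions 2cca sets.

```shell
#!/bin/sh
# Constructed example, not 2cca's code: the root -> server -> client
# issuance of the session above spelled out with the plain openssl CLI,
# plus the checks worth running on the output. Assumes openssl 1.1.1+ on
# PATH; everything happens in a throwaway directory.
set -e
cd "$(mktemp -d)"

# Minimal request config so the system openssl.cnf plays no part.
printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\n' > ca.cnf
printf 'basicConstraints = critical,CA:TRUE\n' >> ca.cnf
printf 'keyUsage = critical,keyCertSign,cRLSign\n' >> ca.cnf

# Root CA: self-signed, flagged as a CA so it may sign other certificates.
make_root() {
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
    -nodes -sha256 -days 3650 -subj "/CN=MyRoot/C=ZZ/O=Home" \
    -keyout root.key -out root.crt 2>/dev/null
}

# Leaf certificate signed by the root. $1 = name, $2 = server | client.
# The extended key usage differs per role, so a client certificate cannot
# be passed off as the server (what OpenVPN's remote-cert-tls verifies).
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1/C=ZZ" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = %sAuth\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -days 3650 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  rm -f "$1.csr" "$1.ext"
}

# Chain check: exit 0 when the root vouches for $1.crt.
chain_ok() { openssl verify -CAfile root.crt "$1.crt" >/dev/null 2>&1; }

# Role check: exit 0 when $1.crt also carries the EKU for role $2.
role_ok() {
  openssl verify -purpose "ssl$2" -CAfile root.crt "$1.crt" >/dev/null 2>&1
}

make_root
issue myopenvpn-server server
issue Alice client
issue Bob client
ls *.crt *.key
```

Running it prints the same set of .crt and .key files as the session above; role_ok Alice server is expected to fail, which is the behaviour you want from the server-side check.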
Tested on Linux (Debian, Archlinux) and OSX.
Enjoy!