Jason
2010-05-28 01:47:59 UTC
All,
I've been using openvpn for a few years now with my own CA using the easy-rsa scripts. Things were good. Now I need to expand. I'd like to create an Intermediate CA so a remote site can issue their own certs, but they don't have access to my CA key.
I've dug around a bit, and haven't found much regarding what order to do things in. Obviously, it involves an existing CA (with keys/ dir), and ./build-inter and ./inherit-inter from the easy-rsa scripts.
I think I'm reading too much into the explanation given in ./inherit-inter. So, if you don't mind, I'm just going to post my interpretation of what I should be doing and see if anyone laughs. ;-)
Prerequisites:
- An established CA using easy-rsa with all keys in easy-rsa/keys
- Someone bugging you for the ability to create certs (not needed, but it helps)
- root access and access to the CA key file.
End-Goal:
- a new easy-rsa directory (called inter0/ in the example) with the absolute bare minimum to create certs.
HOWTO Steps:
***@ubuntu:~$ sudo su
***@ubuntu:/home/jason# cd /path/to/easy-rsa
***@ubuntu:.../easy-rsa# source ./vars
***@ubuntu:.../easy-rsa# ./build-inter "inter0"
***@ubuntu:.../easy-rsa# mkdir -p ../inter0/keys
***@ubuntu:.../easy-rsa# cp * ../inter0/
***@ubuntu:.../easy-rsa# exit
***@ubuntu:.../easy-rsa# sudo su
***@ubuntu:.../easy-rsa# cd ../inter0
***@ubuntu:.../inter0# vim ./vars # change fields for ICA
***@ubuntu:.../inter0# source ./vars
***@ubuntu:.../inter0# ./inherit-inter ../easy-rsa/keys/ "inter0"
***@ubuntu:.../inter0# ./build-key-pass "test"
Questions:
Okay, the above appears to work. Can I just tar up inter0/ and securely transfer it to the remote site? Its ca.key is definitely different than mine in easy-rsa/keys/.
Also, what do I need to transfer to my vpn server in order to accept the client certs generated by inter0? Do I just append inter0/keys/ca.crt >>easy-rsa/keys/ca.crt ? Obviously on the vpn server...
Last, any nuances to maintaining the CRLs wrt intermediate CA certs?
Any pointers appreciated.
thx,
Jason.
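The chain the post builds (root CA, intermediate, client cert), reproduced below with plain openssl rather than the easy-rsa wrappers so that the two server-side questions can be checked directly: does the server accept a client cert when it only holds the root, or only once the intermediate's ca.crt is appended to its trusted CA file, and which CRL actually revokes a cert the intermediate issued. This is an added example, not code from the original post or from easy-rsa; the CA names, the `write_ca_cnf` config (loosely modelled on what easy-rsa's openssl.cnf provides) and the `server_accepts` helper are all constructed here, and it assumes a working `openssl` on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa: a throwaway
# root CA, an intermediate CA and one client cert built with plain openssl,
# then the checks the VPN server side has to pass. All names are constructed.
set -eu

# Minimal CA config for one directory (assumption: loosely modelled on what
# easy-rsa's openssl.cnf provides; only what `openssl ca` needs is set).
write_ca_cnf() {                       # $1 = CA directory
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_inter ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

make_root() {                          # self-signed root, the role of build-ca
    write_ca_cnf "$WORK/root"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
        -config "$WORK/root/openssl.cnf" -extensions v3_ca \
        -keyout "$WORK/root/ca.key" -out "$WORK/root/ca.crt" 2>/dev/null
}

make_inter() {                         # intermediate signed by the root, the role of build-inter
    write_ca_cnf "$WORK/inter"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -config "$WORK/inter/openssl.cnf" \
        -keyout "$WORK/inter/ca.key" -out "$WORK/inter/ca.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/root/openssl.cnf" -extensions v3_inter \
        -in "$WORK/inter/ca.csr" -out "$WORK/inter/ca.crt" 2>/dev/null
    # The intermediate issues its own (initially empty) CRL for the certs it signs.
    openssl ca -batch -config "$WORK/inter/openssl.cnf" -gencrl -out "$WORK/inter/crl.pem" 2>/dev/null
}

make_client() {                        # $1 = CN; leaf signed by the intermediate only
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/inter/openssl.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/inter/openssl.cnf" -extensions v3_client \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

revoke_client() {                      # $1 = CN; revoke at the intermediate and reissue its CRL
    openssl ca -batch -config "$WORK/inter/openssl.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
    openssl ca -batch -config "$WORK/inter/openssl.cnf" -gencrl -out "$WORK/inter/crl.pem" 2>/dev/null
}

# The server-side decision as openssl makes it: $1 = trusted CA file, $2 = client cert,
# optional $3 = CRL file (when given, the leaf is also checked against its issuer's CRL).
server_accepts() {
    if [ $# -ge 3 ]; then
        openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" >/dev/null 2>&1 && echo accept || echo reject
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo accept || echo reject
    fi
}

run_demo() {
    WORK=$(mktemp -d)
    make_root; make_inter; make_client client1
    cat "$WORK/root/ca.crt" "$WORK/inter/ca.crt" > "$WORK/bundle.pem"   # root + intermediate appended
    r1=$(server_accepts "$WORK/root/ca.crt" "$WORK/client1.crt")        # root only: chain incomplete
    r2=$(server_accepts "$WORK/bundle.pem"  "$WORK/client1.crt")
    r3=$(server_accepts "$WORK/bundle.pem"  "$WORK/client1.crt" "$WORK/inter/crl.pem")
    revoke_client client1
    r4=$(server_accepts "$WORK/bundle.pem"  "$WORK/client1.crt" "$WORK/inter/crl.pem")
    echo "root-only=$r1 bundle=$r2 crl-before=$r3 crl-after=$r4"
}

run_demo   # prints: root-only=reject bundle=accept crl-before=accept crl-after=reject
```

The run leaves its files under a fresh `mktemp -d` directory so nothing touches a real keys/ tree. Two things the output makes concrete: the client cert only chains once the intermediate's certificate is available to the verifier, which is what appending inter0/keys/ca.crt to the server's CA file achieves (the alternative is for the client to present the intermediate alongside its own cert); and a cert issued by the intermediate can only be revoked through a CRL signed by that intermediate, so the server must be given that CRL, while the root's CRL is where the intermediate itself would be revoked (`openssl verify -crl_check_all` checks every level of the chain rather than just the leaf).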