PKI using Easy-RSA

Configuration

  1. Copy vars.example to vars.
  2. Define EASYRSA to something sensible, such as /usr/local/etc/easy-rsa.

Procedure

  1. Initialize the PKI

    ./easyrsa init-pki
    
  2. Build the CA

    ./easyrsa build-ca
    

    Check the CA certificate.

    openssl x509 -in /path/to/ca.crt -text -noout
    
  3. Generate an empty CRL (Certificate Revocation List)

    ./easyrsa gen-crl
    

    Verify the CRL.

    openssl crl -noout -text -in /path/to/crl.pem
    
  4. Build the server certificate. Issuing a dedicated server certificate prevents one of your client certificates from being used as a server in a man-in-the-middle attack.

    ./easyrsa build-server-full movpn-server
    

    Verify server certificate.

    openssl x509 -noout -text -in /path/to/movpn-server.crt
    
  5. Build client certificate

    ./easyrsa build-client-full client1
    

    Verify client certificate.

    openssl x509 -noout -text -in /path/to/client1.crt
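
Step 4's point, that a client certificate must not be accepted as a server, can be checked mechanically with `openssl verify -purpose` instead of reading the `-text` output by eye. This is an added example, not part of the original page: the helper names `check_role` and `make_demo_pki` are hypothetical, OpenSSL 1.1.0 or later is assumed, and the demo PKI is a constructed stand-in built with plain openssl, carrying the serverAuth and clientAuth extended key usages that Easy-RSA's server and client certificate types set.

```shell
#!/bin/sh
# Added example: confirm each certificate is accepted only in its own role.

# check_role CA_CERT CERT PURPOSE   (PURPOSE: sslserver or sslclient)
# Succeeds only if CERT chains to CA_CERT and is valid for PURPOSE.
check_role() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed stand-in for the Easy-RSA output, built with
# plain openssl so the example runs without an existing PKI.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  for pair in movpn-server:serverAuth client1:clientAuth; do
    name=${pair%%:*} eku=${pair##*:}
    printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -extfile "$d/$name.ext" \
      -out "$d/$name.crt" 2>/dev/null
  done
}

# Demo: try both certificates in both roles.
demo=$(mktemp -d) && make_demo_pki "$demo"
for cert in movpn-server client1; do
  for purpose in sslserver sslclient; do
    if check_role "$demo/ca.crt" "$demo/$cert.crt" "$purpose"
    then echo "$cert accepted as $purpose"
    else echo "$cert REJECTED as $purpose"
    fi
  done
done
rm -rf "$demo"
```

Against the real PKI, call `check_role` with the paths to ca.crt, movpn-server.crt and client1.crt; client1 being accepted as `sslserver` would mean it was issued with the wrong certificate type.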