Generating SSL Certificates with Easy-RSA

27 June 2014 - Linux

Edit the vars configuration file and customize the lines shown below:

vim /etc/openvpn/easy-rsa/vars

Edit these lines:

export KEY_SIZE=1024  # 2048 is also possible, but it will greatly increase CPU usage

# replace with your own personal details / certificate authority details
export KEY_COUNTRY="AR"
export KEY_PROVINCE="BA"
export KEY_CITY="Capital Federal"
export KEY_ORG="Epelbyte"
export KEY_EMAIL="epel@epelbyte.com"
# values expressed in days: the first is 20 years for the Certificate Authority and
# the second is 10 years for the certificates. These values can be shorter
# for tighter control, although I am not yet clear on exactly how.
export CA_EXPIRE=7300
export KEY_EXPIRE=3650

cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all  # be very careful running this command: it deletes every certificate we already created on some earlier occasion.

Now we create the Certificate Authority (CA):
./build-ca

Generating a 1024 bit RSA private key
……………..++++
…………………………………….+++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [BA]:
Locality Name (eg, city) [Capital Federal]:
Organization Name (eg, company) [EpelByte]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [EpelByte CA]:
Name [EasyRSA]:
Email Address [epel@epelbyte.com]:

If everything went well, the files ca.crt and ca.key will now be in the openvpn/easy-rsa/keys directory:

ls /etc/openvpn/easy-rsa/keys

Now we create the certificate for the server:

./build-key-server vpnserver
Generating a 1024 bit RSA private key
………..+++
…………+++
writing new private key to 'serverepel.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [BA]:
Locality Name (eg, city) [Capital Federal]:
Organization Name (eg, company) [EpelByte]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [vpnserver]:
Name [EasyRSA]:EpelByte
Email Address [epel@epelbyte.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AR'
stateOrProvinceName :PRINTABLE:'BA'
localityName :PRINTABLE:'Capital Federal'
organizationName :PRINTABLE:'Oficina'
commonName :PRINTABLE:'vpnserver'
name :PRINTABLE:'Gabriel Epelbaum'
emailAddress :IA5STRING:'gepelbaum@gmail.com'
Certificate is to be certified until Jun 24 21:00:07 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now we create the certificate for the client:

./build-key epelbyte
Generating a 1024 bit RSA private key
……..++++++
……………………+++++
writing new private key to 'cliente.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [BA]:
Locality Name (eg, city) [Capital Federal]:
Organization Name (eg, company) [Epelbyte]:
Organizational Unit Name (eg, section) []:Cliente
Common Name (eg, your name or your server's hostname) [Cliente]:
Name [EasyRSA]:
Email Address [epel@epelbyte.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AR'
stateOrProvinceName :PRINTABLE:'BA'
localityName :PRINTABLE:'Capital Federal'
organizationName :PRINTABLE:'Epelbyte'
organizationalUnitName:PRINTABLE:'Cliente'
commonName :PRINTABLE:'Cliente'
name :PRINTABLE:'Epelbyte'
emailAddress :IA5STRING:'epel@epelbyte.com'
Certificate is to be certified until Jun 24 21:24:27 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generating the Diffie-Hellman parameter

./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
…………………………………………………………..+*………………………………………………………………++*++*++*

It is very important that the keys are transferred over a secure channel such as ssh or scp.

.key: private keys; these should never be exchanged.

.crt: certificates, which contain the public keys.
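As an added example (not part of the original post), a POSIX shell function that sanity-checks the keys directory once the steps above have run: every certificate chains to ca.crt, the server certificate carries the serverAuth extension that build-key-server adds, no RSA key is smaller than an assumed minimum (2048 bits by default, stricter than the KEY_SIZE=1024 used above), and the .key files are not readable by other users. The function name, its arguments and the minimum size are assumptions; it needs only the openssl command line.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an easy-rsa 2 keys
# directory after build-ca / build-key-server / build-key have been run.
# Assumed layout is the easy-rsa default: ca.crt, <name>.crt, <name>.key.
# Usage: check_keys_dir /etc/openvpn/easy-rsa/keys vpnserver [min_rsa_bits]
check_keys_dir() {
  dir=$1; server=$2; min_bits=${3:-2048}; rc=0
  # 1. Every end-entity certificate must chain to ca.crt. A certificate signed
  #    by an earlier CA (e.g. one wiped by clean-all) is useless for this VPN.
  for crt in "$dir"/*.crt; do
    [ "$crt" = "$dir/ca.crt" ] && continue
    if ! openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
      echo "FAIL: $crt does not chain to $dir/ca.crt"; rc=1
    fi
  done
  # 2. build-key-server (unlike build-key) marks the certificate for server
  #    use. A client started with remote-cert-tls server rejects a server
  #    certificate without this extension, so catch the mix-up before deploying.
  if ! openssl x509 -in "$dir/$server.crt" -noout -text 2>/dev/null |
       grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: $server.crt lacks the serverAuth extendedKeyUsage"; rc=1
  fi
  # 3. Read the RSA modulus size out of each certificate; KEY_SIZE=1024 (the
  #    post's value) is below current recommendations, so flag anything
  #    smaller than min_bits.
  for crt in "$dir"/*.crt; do
    bits=$(openssl x509 -in "$crt" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt "$min_bits" ]; then
      echo "FAIL: $crt uses ${bits:-unknown}-bit RSA (< $min_bits)"; rc=1
    fi
  done
  # 4. .key files are the secrets that must never leave the host; they must
  #    not be readable by group or others (stat -c is GNU, stat -f is BSD).
  for key in "$dir"/*.key; do
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in
      600|400) ;;
      *) echo "FAIL: $key has mode $mode, expected 600"; rc=1 ;;
    esac
  done
  [ "$rc" -eq 0 ] && echo "OK: $dir passes all checks"
  return $rc
}
```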

Regards, DonEpel.

Sources:
http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
http://tuxjm.net/docs/Creacion_de_Redes_Privadas_Virtuales_en_GNU_Linux_con_OpenVPN/html-multiples/configurar-una-autoridad-certificadora.html
