How to create keys with easy-rsa without a password prompt.

Posted: May 25, 2015, 1:01 PM.

To create a new set of keys for OpenVPN using Easy-RSA, we first need a clean PKI directory. init-pki creates pki/ (and wipes it if it already exists, so run it only once for a new CA).

$ ./easyrsa init-pki

Now we need to build the certificate authority. The nopass argument skips the PEM passphrase prompt, so the CA key in pki/private/ca.key is written unencrypted; the only prompt left is the Common Name.

$ ./easyrsa build-ca nopass
 
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........+++
.............................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:WOPR
 
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/ubuntu/EasyRSA-3.0.0-rc2/pki/ca.crt

Now build the DH (Diffie-Hellman) parameters, which are written to pki/dh.pem. This step takes a while and does not prompt for anything.

$ ./easyrsa gen-dh

Now we can build the server certificate and key. build-server-full generates the key, creates the request and signs it with the CA in one step; nopass again leaves the key unencrypted, and the Common Name is taken from the name given on the command line. The 3650-day validity in the output is this version's default certificate lifetime.

$ ./easyrsa build-server-full john-server nopass
 
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..........................+++
...........................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-server.key'
-----
Using configuration from /home/ubuntu/EasyRSA-3.0.0-rc2/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'john-server'
Certificate is to be certified until May 22 01:26:02 2025 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

Build one client certificate and key the same way; the only difference is that the certificate is issued with the client, not server, extensions.

$ ./easyrsa build-client-full john-client nopass
 
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..............................+++
..................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-client.key'
-----
Using configuration from /home/ubuntu/EasyRSA-3.0.0-rc2/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'john-client'
Certificate is to be certified until May 22 01:28:13 2025 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

gen-req only generates a key pair and a certificate signing request; nothing is signed yet, and the request has to be signed later with Easy-RSA's sign-req command (or by another CA). Note that the Common Name prompt defaults to the name on the command line (john-req) and is overridden here with John1, so the files are named john-req but the subject of the request is John1.

$ ./easyrsa gen-req john-req nopass
 
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....+++
........................................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-req.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [john-req]:John1
 
Keypair and certificate request completed. Your files are:
req: /home/ubuntu/EasyRSA-3.0.0-rc2/pki/reqs/john-req.req
key: /home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-req.key

Now I need to add a passphrase to the server key. set-rsa-pass re-encrypts pki/private/john-server.key; because the key was created with nopass there is no current passphrase to supply, only the new one to enter twice. Be aware that an OpenVPN server whose key is encrypted must be given the passphrase at start-up (interactively, or via the askpass directive), so it will not come back unattended after a reboot.

$ ./easyrsa set-rsa-pass john-server
 
Note: using Easy-RSA configuration from: ./vars
 
If the key is currently encrypted you must supply the decryption passphrase.
You will then enter a new PEM passphrase for this key.
 
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
 
Key passphrase successfully changed

With these files in place (pki/ca.crt, pki/dh.pem, pki/issued/john-server.crt with pki/private/john-server.key, and pki/issued/john-client.crt with pki/private/john-client.key) you have everything OpenVPN needs for an encrypted tunnel between a client and a server, which is what you want for administering a remote server securely. Remember that every key built with nopass sits on disk in plaintext: restrict the file modes on pki/private, and keep the CA key off the VPN server itself wherever possible.
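The whole procedure above can be run with no prompts at all, and the result can be checked for the one thing nopass changes: which private keys are unencrypted on disk and whether their file modes protect them. The script below is an added example, not code from the original post or from Easy-RSA; it assumes Easy-RSA 3's --batch and --req-cn options (documented in its README), and the PEM headers it audits in the demo are constructed samples, not real keys.

```sh
#!/bin/sh
# Added example, not code from the original post or from Easy-RSA itself.
# It (1) wraps the post's procedure so it runs with no prompts at all and
# (2) audits pki/private afterwards: "nopass" keys are stored unencrypted, so
# the only thing protecting them is the file mode.
# Assumes Easy-RSA 3's --batch and --req-cn options (documented in its README);
# the sample key headers below are constructed, not real keys.
set -eu

# key_is_encrypted FILE: succeeds if the PEM private key is passphrase-protected.
# OpenSSL marks encrypted "traditional" keys with a Proc-Type header and
# encrypted PKCS#8 keys with a distinct BEGIN line.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_is_world_readable FILE: succeeds if the "other read" bit is set.
key_is_world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# audit_keys DIR: one line per *.key in DIR. Fails (returns 1) if any key is
# both unencrypted and world-readable, which is the state a nopass key is in
# when the file mode is left to the umask.
audit_keys() {
    rc=0
    for k in "$1"/*.key; do
        [ -f "$k" ] || continue
        if key_is_encrypted "$k"; then enc=encrypted; else enc=PLAINTEXT; fi
        if key_is_world_readable "$k"; then perm=WORLD-READABLE; else perm=mode-ok; fi
        printf '%s %s %s\n' "$k" "$enc" "$perm"
        if [ "$enc" = PLAINTEXT ] && [ "$perm" = WORLD-READABLE ]; then rc=1; fi
    done
    return "$rc"
}

# build_pki SERVER_NAME CLIENT_NAME: the post's steps with every prompt
# suppressed. Run it from the Easy-RSA directory; it wipes any existing pki/.
build_pki() {
    ./easyrsa --batch init-pki
    ./easyrsa --batch --req-cn=WOPR build-ca nopass
    ./easyrsa --batch gen-dh
    ./easyrsa --batch build-server-full "$1" nopass
    ./easyrsa --batch build-client-full "$2" nopass
    chmod 0600 pki/private/*.key          # nopass keys: lock the file mode down
    audit_keys pki/private
}

# Stand-alone demo on constructed headers, so it runs without easyrsa.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'MIIE...' '-----END RSA PRIVATE KEY-----' \
    > "$demo/john-server.key"                 # what set-rsa-pass leaves behind
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...' '-----END PRIVATE KEY-----' \
    > "$demo/john-client.key"                 # what nopass leaves behind
chmod 0644 "$demo/john-client.key"
audit_keys "$demo" || echo "FAIL: plaintext key readable by other users"
chmod 0600 "$demo/john-client.key"
audit_keys "$demo" && echo "OK: plaintext keys are owner-only"
rm -rf "$demo"
```

To use it for real, source the file in the Easy-RSA directory and call build_pki john-server john-client; the audit at the end of build_pki prints one line per key so you can see at a glance which keys are plaintext and whether their modes are acceptable. If you later run set-rsa-pass on the server key, the same audit reports it as encrypted.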
