How to create keys with easy-rsa without a password prompt.

Posted: May 25, 2015. At: 1:01 PM. This was 2 years ago. Post ID: 8211

To create a new set of keys for OpenVPN using Easy-RSA, we first need to initialise a clean PKI directory and get ready for the build.

$ ./easyrsa init-pki

Now we need to build the certificate authority.

$ ./easyrsa build-ca nopass
 
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........+++
.............................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:WOPR
 
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/ubuntu/EasyRSA-3.0.0-rc2/pki/ca.crt

Now build the DH (Diffie-Hellman) parameters.

$ ./easyrsa gen-dh

And we can build the server keys.

$ ./easyrsa build-server-full john-server nopass
 
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..........................+++
...........................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-server.key'
-----
Using configuration from /home/ubuntu/EasyRSA-3.0.0-rc2/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'john-server'
Certificate is to be certified until May 22 01:26:02 2025 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

And I build one client key for myself.

$ ./easyrsa build-client-full john-client nopass
 
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..............................+++
..................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-client.key'
-----
Using configuration from /home/ubuntu/EasyRSA-3.0.0-rc2/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'john-client'
Certificate is to be certified until May 22 01:28:13 2025 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

Here I generate a standalone certificate request (and its key) rather than a signed certificate.

$ ./easyrsa gen-req john-req nopass
 
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....+++
........................................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-req.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [john-req]:John1
 
Keypair and certificate request completed. Your files are:
req: /home/ubuntu/EasyRSA-3.0.0-rc2/pki/reqs/john-req.req
key: /home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-req.key

Now I need to add a passphrase to the server key.

$ ./easyrsa set-rsa-pass john-server
 
Note: using Easy-RSA configuration from: ./vars
 
If the key is currently encrypted you must supply the decryption passphrase.
You will then enter a new PEM passphrase for this key.
 
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
 
Key passphrase successfully changed
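The steps above, collected into one non-interactive script, as an added example that is not code from the post or from the Easy-RSA project. It assumes ./easyrsa sits in the current directory as in the post, reuses the names WOPR, john-server, john-client and john-req from the post, and relies on two real Easy-RSA 3 features: the --batch option (equivalent to EASYRSA_BATCH=1) to suppress confirmation prompts, and the EASYRSA_REQ_CN variable to supply the Common Name that the post typed interactively. It also adds the check a practitioner wants after using nopass: which keys under pki/private actually ended up passphrase-protected, and whether the issued certificates chain to the new CA.

```shell
#!/bin/sh
# Added example (not from the post or the Easy-RSA project): the post's steps
# run without prompts, followed by a check of which private keys are encrypted.
# Assumes ./easyrsa in the current directory; names reused from the post.
set -eu

# Return 0 if the PEM file in $1 holds a passphrase-protected private key.
# openssl 1.0 (the post's openssl-1.0.cnf) writes "Proc-Type: 4,ENCRYPTED" inside
# a traditional RSA key; PKCS#8 keys use the "BEGIN ENCRYPTED PRIVATE KEY" header.
key_is_encrypted() {
    grep -qE '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# Print one line per key under pki/private with its protection status.
# Return 1 if the key named in $1 is stored unencrypted; the post gives the
# server key a passphrase with set-rsa-pass, so that one must not be in the clear.
audit_keys() {
    must_protect="$1"
    rc=0
    for k in pki/private/*.key; do
        if key_is_encrypted "$k"; then
            echo "encrypted   $k"
        else
            echo "UNENCRYPTED $k"
            [ "$k" = "pki/private/$must_protect.key" ] && rc=1
        fi
    done
    return $rc
}

# The post's sequence. "nopass" leaves each key unencrypted; --batch answers the
# "Type the word 'yes'" confirmations; EASYRSA_REQ_CN replaces the typed CN.
build_pki() {
    ./easyrsa --batch init-pki
    EASYRSA_REQ_CN=WOPR ./easyrsa --batch build-ca nopass
    ./easyrsa gen-dh
    ./easyrsa --batch build-server-full john-server nopass
    ./easyrsa --batch build-client-full john-client nopass
    EASYRSA_REQ_CN=John1 ./easyrsa --batch gen-req john-req nopass
    # set-rsa-pass must prompt for the new passphrase; it is the one
    # interactive step, exactly as in the post.
    ./easyrsa set-rsa-pass john-server
    # Confirm the issued certificates chain to the CA just built.
    openssl verify -CAfile pki/ca.crt pki/issued/john-server.crt pki/issued/john-client.crt
    # Report key protection; fails if john-server.key is still unencrypted.
    audit_keys john-server
}

# Only run the pipeline when asked, so the helpers can be sourced on their own.
if [ "${1:-}" = build ]; then
    build_pki
fi
```

Run it from the EasyRSA directory as `sh build-pki.sh build`. The audit output makes the consequence of `nopass` visible: with the post's sequence, ca.key and john-client.key are reported UNENCRYPTED and only john-server.key is encrypted after set-rsa-pass, which is the right moment to decide whether the CA key should get a passphrase too.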

The resulting PKI (CA certificate, DH parameters, and the server and client certificates with their keys) gives you a working OpenVPN configuration that allows secure communication between a client and a server machine. This is necessary for securely administering a remote server over an encrypted tunnel.
