Friday, 10 January 2014

the DIY home VPN experiment (part two - PKI)

Part Two: Generating a PKI (Public Key Infrastructure) for my OpenVPN Deployment

In part one of the DIY home VPN experiment, I introduced the project that I am working on - a client-server VPN utilizing OpenVPN. I will be deploying a VPN server using three different methods: 1) a VM running on VMware Fusion, 2) using CentOS on a Raspberry Pi, and 3) using DD-WRT on a consumer router; however, I would like to begin by building the common foundation - the PKI.

What is a PKI, or public key infrastructure?


According to Oracle, a PKI "is a set of policies and procedures to establish a secure information exchange [1]." It may consist of certificates, public and private keys, a certificate authority (CA), and the Secure Sockets Layer (SSL) [1].
In essence, the PKI is the foundation that will enable private network communication over a non-private medium, and this is where I will begin.

To generate the PKI, I will be using the easy-rsa package (version 3.x), which can be found on GitHub [2], on my iMac running OS X 10.9.1.
  1. I will begin by opening up a new terminal window (Finder > Applications > Utilities > Terminal) and extracting the easy-rsa package that I downloaded from GitHub.
    unzip easy-rsa-master.zip -d /tmp/

  2. Next, I move into the directory where I extracted the easy-rsa package:
    cd /tmp/easy-rsa-master/easyrsa3/

  3. Now, I am ready to set up my PKI.
    ./easyrsa init-pki
    ./easyrsa build-ca

    I chose a passphrase for my CA private key, and gave my certificate a DN (Distinguished Name): 'MyVPN'.
    I now have the root signing authority for my PKI.
  4. Next, I will build the Diffie-Hellman parameters, which the server requires for the SSL/TLS key exchange.
    ./easyrsa gen-dh

  5. Next, I created the private keys and certificates for the clients that will be connecting to my VPN. In this case, the clients will be called 'client1', 'client2', and 'client3'.
    ./easyrsa build-client-full client1
    ./easyrsa build-client-full client2
    ./easyrsa build-client-full client3

  6. Finally, I created the private key and certificate for the OpenVPN server.
    ./easyrsa build-server-full MyOpenVPNServer

At this point, my public key infrastructure has been generated and it is time for me to save a copy of the 'pki' subfolder in preparation for my OpenVPN deployment.
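Before copying the 'pki' folder anywhere, it is worth confirming that everything easy-rsa produced is consistent. The script below is an added example (not part of easy-rsa, OpenVPN, or the steps above); it assumes the 'pki' layout listed further down and that openssl is on PATH. It verifies that ca.crt is a valid self-signed root, that every issued certificate chains to it and matches its private key, and that no private key is readable by other users.

```shell
#!/bin/sh
# check_pki.sh: sanity-check an easy-rsa 3 'pki' directory before copying it to
# the OpenVPN server and clients. Added example, not part of easy-rsa or OpenVPN;
# assumes the directory layout listed in this post and that openssl is on PATH.
# Prints one line per check and returns 0 only if every check passed.
check_pki() {
  pki=$1
  rc=0
  # The root must be a valid self-signed certificate.
  if openssl verify -CAfile "$pki/ca.crt" "$pki/ca.crt" >/dev/null 2>&1; then
    echo "ok   ca.crt is a valid self-signed root"
  else
    echo "FAIL ca.crt does not verify against itself"; rc=1
  fi
  # Every issued certificate must chain to ca.crt and match its private key.
  for crt in "$pki"/issued/*.crt; do
    [ -e "$crt" ] || continue
    name=$(basename "$crt" .crt)
    key=$pki/private/$name.key
    if openssl verify -CAfile "$pki/ca.crt" "$crt" >/dev/null 2>&1; then
      echo "ok   $name.crt chains to ca.crt"
    else
      echo "FAIL $name.crt does not chain to ca.crt"; rc=1
    fi
    if [ ! -f "$key" ]; then
      echo "FAIL private/$name.key is missing"; rc=1
    elif grep -q ENCRYPTED "$key"; then
      # Keys built without 'nopass' are passphrase-protected; skip the match test.
      echo "ok   $name.key is passphrase-protected (key match not checked)"
    elif [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
           "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
      echo "ok   $name.key matches $name.crt"
    else
      echo "FAIL $name.key does not match $name.crt"; rc=1
    fi
  done
  # Private keys must not be readable by group or others. Columns 5-10 of
  # 'ls -l' are the group/other permission bits on both macOS and Linux.
  for key in "$pki"/private/*.key; do
    [ -e "$key" ] || continue
    case $(ls -ld "$key" | cut -c5-10) in
      ------) echo "ok   $(basename "$key") is readable by its owner only" ;;
      *) echo "FAIL $(basename "$key") is readable by group/others"; rc=1 ;;
    esac
  done
  return $rc
}
# Stand-alone use: sh check_pki.sh /path/to/pki
if [ $# -gt 0 ]; then check_pki "$1"; exit $?; fi
```

Only ca.crt, dh.pem, and each host's own certificate and key need to leave this folder; ca.key stays with the CA and is never copied to the server or a client.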

Here are the contents of my newly generated 'pki' subfolder:

pki/.rnd
pki/ca.crt
pki/certs_by_serial
pki/certs_by_serial/01.pem
pki/certs_by_serial/02.pem
pki/certs_by_serial/03.pem
pki/certs_by_serial/04.pem
pki/dh.pem
pki/index.txt
pki/index.txt.attr
pki/index.txt.attr.old
pki/index.txt.old
pki/issued
pki/issued/client1.crt
pki/issued/client2.crt
pki/issued/client3.crt
pki/issued/MyOpenVPNServer.crt
pki/private
pki/private/ca.key
pki/private/client1.key
pki/private/client2.key
pki/private/client3.key
pki/private/MyOpenVPNServer.key
pki/reqs
pki/reqs/client1.req
pki/reqs/client2.req
pki/reqs/client3.req
pki/reqs/MyOpenVPNServer.req
pki/serial
pki/serial.old

As I continue in this series, I will use the relevant files from my newly generated PKI on my OpenVPN server and clients.


(Revised January 16, 2014 at 10:42 PM ET)


References


[1]
“The Public Key Infrastructure Approach to Security.” [Online]. Available: http://docs.oracle.com/cd/B10501_01/network.920/a96582/pki.htm. [Accessed: 17-Jan-2014].

[2]
“easy-rsa/README.quickstart.md at master · OpenVPN/easy-rsa · GitHub.” [Online]. Available: https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md. [Accessed: 17-Jan-2014].

[3]
“How To Install and Configure OpenVPN On Your DD-WRT Router.” [Online]. Available: http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/. [Accessed: 17-Jan-2014].

[4]
“RSA Key Management.” [Online]. Available: http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html. [Accessed: 17-Jan-2014].
