Project

General

Profile

Actions

CA Setup

Signing Instructions

On the host machine or desktop

  1. Create directory
    $ mkdir csr && cd csr
    
  2. Create key:
    $ openssl genrsa -out opnsense.key 8192
    
  3. Create CSR:
    $ openssl req -new -key opnsense.key -out opnsense.req
    
  4. Copy CSR to CA VM:
    $ scp opnsense.req dsorber@cauth:/tmp/
    

On CA.

  1. Start VM (should have been on already).
  2. Enter easy-rsa directory:
    cd ~/easy-rsa
    
  3. Import CSR
    dsorber@cauth:~/easy-rsa$ ./easyrsa import-req /tmp/opnsense.req opnsense
    Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    
    The request has been successfully imported with a short name of: opnsense
    You may now use this name to perform signing operations on this request.
    
    
  4. Sign the request:
    dsorber@cauth:~/easy-rsa$ ./easyrsa sign-req server opnsense
    Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.
    
    Request subject, to be signed as a server certificate for 825 days:
    
    subject=
        countryName               = US
        stateOrProvinceName       = Maryland
        localityName              = Derwood
        organizationName          = SorberHome
        organizationalUnitName    = EngineeringDepartment
        commonName                = opnsense.sorber.home
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes
    Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-1713.Noeorx/tmp.1I1wpB
    Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :ASN.1 12:'Maryland'
    localityName          :ASN.1 12:'Derwood'
    organizationName      :ASN.1 12:'SorberHome'
    organizationalUnitName:ASN.1 12:'EngineeringDepartment'
    commonName            :ASN.1 12:'opnsense.sorber.home'
    Certificate is to be certified until Nov  1 20:07:12 2025 GMT (825 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
  5. Copy certificate request back to host machine:
    $ scp /home/dsorber/easy-rsa/pki/issued/opnsense.crt dsorber@enthoo:~/Desktop/csr/
    

Delete (Redo) Cert

NOTE: you cannot directly delete, instead you must revoke and then renew:

  1. First revoke the old cert:
    a$ ./easyrsa revoke ldap
    Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    
    Please confirm you wish to revoke the certificate with the following subject:
    
    subject=
        countryName               = US
        stateOrProvinceName       = Maryland
        localityName              = Rockville
        organizationName          = SorberHome
        organizationalUnitName    = Engineering Department
        commonName                = ldap.sorber.home
    
    X509v3 Subject Alternative Name:
        DNS:ldap.sorber.home
    
    Type the word 'yes' to continue, or any other input to abort.
      Continue with revocation: yes
    Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-855.AoD20p/tmp.VHmRtz
    Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key:
    Revoking Certificate CF7A9E0FC35194FB0FF3A2E255777C70.
    Data Base Updated
    
    IMPORTANT!!!
    
    Revocation was successful. You must run gen-crl and upload a CRL to your
    infrastructure in order to prevent the revoked cert from being accepted.
    
    
  2. Next create CRL
    $ ./easyrsa gen-crl
    Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-891.zEkAB8/tmp.CN4pfy
    Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key:
    
    An updated CRL has been created.
    CRL file: /home/dsorber/easy-rsa/pki/crl.pem
    
    
  3. Follow the instructions above to create a new CSR, upload, and then sign.

Updated by 3 months ago · 2 revisions