Actions
CA Setup¶
- TODO: copy these instructions inline
Signing Instructions¶
On the host machine or desktop¶
- Create directory
- Create key:
- Create CSR:
- Copy CSR to CA VM:
On CA.¶
- Start VM (should have been on already).
- Enter easy-rsa directory:
- Import CSR
dsorber@cauth:~/easy-rsa$ ./easyrsa import-req /tmp/opnsense.req opnsense Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) The request has been successfully imported with a short name of: opnsense You may now use this name to perform signing operations on this request.
- Sign the request:
dsorber@cauth:~/easy-rsa$ ./easyrsa sign-req server opnsense Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= countryName = US stateOrProvinceName = Maryland localityName = Derwood organizationName = SorberHome organizationalUnitName = EngineeringDepartment commonName = opnsense.sorber.home Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-1713.Noeorx/tmp.1I1wpB Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :ASN.1 12:'Maryland' localityName :ASN.1 12:'Derwood' organizationName :ASN.1 12:'SorberHome' organizationalUnitName:ASN.1 12:'EngineeringDepartment' commonName :ASN.1 12:'opnsense.sorber.home' Certificate is to be certified until Nov 1 20:07:12 2025 GMT (825 days) Write out database with 1 new entries Data Base Updated - Copy certificate request back to host machine:
Delete (Redo) Cert¶
NOTE: you cannot directly delete, instead you must revoke and then renew:
- First revoke the old cert:
a$ ./easyrsa revoke ldap Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) Please confirm you wish to revoke the certificate with the following subject: subject= countryName = US stateOrProvinceName = Maryland localityName = Rockville organizationName = SorberHome organizationalUnitName = Engineering Department commonName = ldap.sorber.home X509v3 Subject Alternative Name: DNS:ldap.sorber.home Type the word 'yes' to continue, or any other input to abort. Continue with revocation: yes Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-855.AoD20p/tmp.VHmRtz Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key: Revoking Certificate CF7A9E0FC35194FB0FF3A2E255777C70. Data Base Updated IMPORTANT!!! Revocation was successful. You must run gen-crl and upload a CRL to your infrastructure in order to prevent the revoked cert from being accepted. - Next create CRL
$ ./easyrsa gen-crl Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-891.zEkAB8/tmp.CN4pfy Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key: An updated CRL has been created. CRL file: /home/dsorber/easy-rsa/pki/crl.pem
- Follow the instructions above to create a new CSR, upload, and then sign.
Updated by 3 months ago · 2 revisions