Project

General

Profile

CASetup » History » Version 2

Anonymous, 03/31/2026 09:00 PM
adding note

1 1
h1. CA Setup
2
3
* TODO: copy these instructions inline
4
** https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-on-ubuntu-22-04
5
6
h2. Signing Instructions
7
8
h3. On the host machine or desktop
9
10
# Create directory
11
<pre>
12
$ mkdir csr && cd csr
13
</pre>
14
# Create key:
15
<pre>
16
$ openssl genrsa -out opnsense.key 8192
17
</pre>
18
# Create CSR:
19
<pre>
20
$ openssl req -new -key opnsense.key -out opnsense.req
21
</pre>
22
# Copy CSR to CA VM:
23
<pre>
24
$ scp opnsense.req dsorber@cauth:/tmp/
25
</pre>
26
27
h3. On CA.
28
29
# Start VM (should have been on already).
30
# Enter easy-rsa directory:
31
<pre>
32
cd ~/easy-rsa
33
</pre>
34
# Import CSR
35
<pre>
36
dsorber@cauth:~/easy-rsa$ ./easyrsa import-req /tmp/opnsense.req opnsense
37
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
38
39
The request has been successfully imported with a short name of: opnsense
40
You may now use this name to perform signing operations on this request.
41
42
</pre>
43
# Sign the request:
44
<pre>
45
dsorber@cauth:~/easy-rsa$ ./easyrsa sign-req server opnsense
46
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
47
48
49
You are about to sign the following certificate.
50
Please check over the details shown below for accuracy. Note that this request
51
has not been cryptographically verified. Please be sure it came from a trusted
52
source or that you have verified the request checksum with the sender.
53
54
Request subject, to be signed as a server certificate for 825 days:
55
56
subject=
57
    countryName               = US
58
    stateOrProvinceName       = Maryland
59
    localityName              = Derwood
60
    organizationName          = SorberHome
61
    organizationalUnitName    = EngineeringDepartment
62
    commonName                = opnsense.sorber.home
63
64
65
Type the word 'yes' to continue, or any other input to abort.
66
  Confirm request details: yes
67
Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-1713.Noeorx/tmp.1I1wpB
68
Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key:
69
Check that the request matches the signature
70
Signature ok
71
The Subject's Distinguished Name is as follows
72
countryName           :PRINTABLE:'US'
73
stateOrProvinceName   :ASN.1 12:'Maryland'
74
localityName          :ASN.1 12:'Derwood'
75
organizationName      :ASN.1 12:'SorberHome'
76
organizationalUnitName:ASN.1 12:'EngineeringDepartment'
77
commonName            :ASN.1 12:'opnsense.sorber.home'
78
Certificate is to be certified until Nov  1 20:07:12 2025 GMT (825 days)
79
80
Write out database with 1 new entries
81
Data Base Updated
82
</pre>
83
# Copy certificate request back to host machine:
84
<pre>
85
$ scp /home/dsorber/easy-rsa/pki/issued/opnsense.crt dsorber@enthoo:~/Desktop/csr/
86
</pre>
87 2
88
h2. Delete (Redo) Cert
89
90
*NOTE: you cannot directly delete, instead you must revoke and then renew:*
91
92
# First revoke the old cert:
93
<pre>
94
a$ ./easyrsa revoke ldap
95
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
96
97
98
Please confirm you wish to revoke the certificate with the following subject:
99
100
subject=
101
    countryName               = US
102
    stateOrProvinceName       = Maryland
103
    localityName              = Rockville
104
    organizationName          = SorberHome
105
    organizationalUnitName    = Engineering Department
106
    commonName                = ldap.sorber.home
107
108
X509v3 Subject Alternative Name:
109
    DNS:ldap.sorber.home
110
111
112
Type the word 'yes' to continue, or any other input to abort.
113
  Continue with revocation: yes
114
Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-855.AoD20p/tmp.VHmRtz
115
Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key:
116
Revoking Certificate CF7A9E0FC35194FB0FF3A2E255777C70.
117
Data Base Updated
118
119
IMPORTANT!!!
120
121
Revocation was successful. You must run gen-crl and upload a CRL to your
122
infrastructure in order to prevent the revoked cert from being accepted.
123
124
125
</pre>
126
# Next create CRL 
127
<pre>
128
$ ./easyrsa gen-crl
129
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
130
Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-891.zEkAB8/tmp.CN4pfy
131
Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key:
132
133
An updated CRL has been created.
134
CRL file: /home/dsorber/easy-rsa/pki/crl.pem
135
136
137
138
</pre>
139
# Follow the instructions above to create a new CSR, upload, and then sign.