Differences

This shows you the differences between two versions of the page.

--- operating_systems:linux:debian:openvpn [2019/06/11 13:17] – maferreira
+++ operating_systems:linux:debian:openvpn [2020/10/15 13:40] (current) – maferreira
@@ Line 4: / Line 4: @@
 Download easy-rsa v3.0.4 and install it.
+<note warning>We don't use the git clone version because we would need to use the build.sh script with the --version=3.0.4 version to generate the final version</note>
   # wget --no-check-certificate https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
   # tar -xvzf EasyRSA-3.0.4.tgz
   # rm EasyRSA-3.0.4.tgz
   # mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
+<note warning>Make sure you have this option set: set_var EASYRSA_PKI		"/etc/openvpn/easy-rsa/pki" in /etc/openvpn/easy-rsa/vars</note>
 Initialize a new PKI and generate a CA keypair that will be used to sign certificates.
@@ Line 13: / Line 18: @@
   # export EASYRSA=$(pwd)
   # easyrsa init-pki
-  # easyrsa build-ca
+  # easyrsa build-ca nopass
 <note important>
-Pass phrase = **totem**\\
+**Common name :** Testing server OpenVPN certificate
-Common name = **Testing server OpenVPN certificate**
 </note>
+Now build the intermediate certificate.
+  # ./easyrsa build-server-full server nopass
+Once you have generated and signed OpenVPN server certificate, rename the root CA and CA (intermediate) certificates.
+  # cd /etc/openvpn/easy-rsa/pki/
+  # mv ca.crt root_ca.crt
+  # mv private/ca.key private/root_ca.key
+  # mv issued/server.crt issued/ca.crt
+  # mv private/server.key private/ca.key
+Also move **ca.crt** to /etc/openvpn/easy-rsa/pki.
+  # mv /etc/openvpn/easy-rsa/pki/issued/ca.crt /etc/openvpn/easy-rsa/pki
+Make sure pki directory has the following rights, otherwise easygateway web interface won't detect the root_ca.crt file (file_exists() php function):
+  drwxrwx--x 6 root       root        4096 Jun 17 16:23 pki
+References:\\
+https://wiki.archlinux.org/index.php/Easy-RSA\\
+https://wiki.debian.org/OpenVPN