Openvpn – easyrsa vars options for PKI generation

openvpnpki

I am using OpenVPN and whilst I can generate certificates using easyrsa just fine I don't really understand the settings in the easyrsa vars file:

export KEY_COUNTRY=""
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG
export KEY_EMAIL=""
export KEY_EMAIL=
export KEY_CN=
export KEY_NAME=
export KEY_OU=
export PKCS11_MODULE_PATH=
export PKCS11_PIN=1234

Can anyone explain these settings?

Best Answer

These are the settings for the certificate (certificate is a public key + (this) info signed by a Certificate authority).

So in your case, these are you country (where you live, where your company is), province (same), city (same), organization name, email, common name (unique for this CA), name, and organizational unit - in this order.

The last two lines are a path and a pin for PKCS11 (usually for smartcards).

I guess you're using easy-rsa; if you don't set this variables, it asks you for them, when you run the tool to generate a certificate.

Related Solutions

OpenVPN Setup with Windows Certificate Services PKI

Yep, it's perfectly possible. x509 is x509.

OpenVPN 2.1 (beta, but perfectly stable) supports CryptoAPI. We use it one a daily basis.

To use your existing PKI just give the OpenVPN server a copy of the CA. You can specify which clients can login in, if you don't want everyone on the CA to have access, by using CCD. Then place the following in your client configs:

cryptoapicert "THUMB:<cert_thumb>"

You can copy/paste the <cert_thumb> from the certificate details in the Windows personal cert store.

Auto Enroll is a pain and it's been a while since I struggled with it. But it does work, eventually.

Openvpn – Why does OpenVPN give the error: “unsupported certificate purpose” for an intermediate certificate

It's the EKU (ExtendedKeyUsage extension)

rfc 5280 4.2.1.12 extKeyUsage says

In general, this extension will appear only in end entity certificates.

CABforum Baseline Requirements (v1.3.4) 7.2.2 g affirms this, but along with 7.1.5 allows one case:

For a Subordinate CA Certificate to be considered Technically Constrained, the certificate MUST include an Extended Key Usage (EKU) extension specifying all extended key usages that the Subordinate CA Certificate is authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this extension.

EKU thus is not a restriction on the CA's use of its own key, but on EE use of keys with certificates under the CA. This is similar to the way Policies (mostly) and NameConstraints propagate downward, and unlike KeyUsage which does apply to the CA itself.

And this is what OpenSSL implements and therefore OpenVPN using OpenSSL does. On each CA cert in a server chain, if EKU is present it must include serverAuth or SGC. Similarly each CA cert in a client chain with EKU must include clientAuth.

Your intermediate CA above your server has EKU with OCSPSign but not serverAuth, so it is rejected.

Reference: crypto/x509/x509_vfy.c and crypto/x509v3/v3_purp.c in openssl-1.0.2h

Best Answer

Related Solutions

OpenVPN Setup with Windows Certificate Services PKI

Openvpn – Why does OpenVPN give the error: “unsupported certificate purpose” for an intermediate certificate

Related Topic