Creating certificates for SSL-VPN (V2 service/self-signed certificate)

This section explains the procedure for creating certificates for SSL-VPN.

This procedure describes creation when using a Linux environment (OS: CentOS 6.8, tool: EasyRSA 3.0.1).

This procedure must be performed by a superuser.

* This procedure assumes that all operations are performed in the following directory.

Work directory: /root/EasyRSA-3.0.1/

  1. Initialize the CA. 
    # ./easyrsa init-pki

    The environment for certificate creation is created.

    Certificates are generated in the following directories.

    • CA certificate, DH key: ./pki/.
    • Server and client certificates: ./pki/issued/.
    • Private key: ./pki/private/.
  2. Create the CA certificate. 
    # ./easyrsa build-ca

    A message like the following is displayed. Follow the on-screen instructions to create the CA certificate interactively.

    Generating a 2048 bit RSA private key
..........................+++
..........................................................+++
writing new private key to '/root/EasyRSA-3.0.1/pki/private/ca.key.OMjyMXpDsW'
Enter PEM pass phrase: "<passphraseForCaCertificate(Enter)>"
Verifying - Enter PEM pass phrase: "<passphraseForCaCertificate(Re-enter)>"
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:"<commonName(Optional)>"
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/EasyRSA-3.0.1/pki/ca.crt
  3. Execute the following command to confirm that the CA certificate has been created. 
    # ls –l /root/easyrsa/pki/

    If the created CA certificate is output as shown below, then creation is complete.

    -rw-------. 1 root root 1180 MM DD hh:mm ca.crt
  4. Create the server certificate and the private key. 
    # ./easyrsa build-server-full <serverCertificateAndPrivateKeyName(Optional)> nopass

    A message like the following is displayed. Follow the on-screen instructions to create the server certificate and private key interactively.

    Generating a 2048 bit RSA private key
.......................................+++
................+++
writing new private key to '/root/EasyRSA-3.0.1/pki/private/server1.key.LCqVPOrjSV'
-----
Using configuration from /root/EasyRSA-3.0.1/openssl-1.0.cnf
Enter pass phrase for /root/EasyRSA-3.0.1/pki/private/ca.key: "<passphraseForCaCertificate(Re-enter)>"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'<serverCertificateAndPrivateKeyName>'
Certificate is to be certified until  MM  DD hh:mm:ss YYYY GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
  5. Execute the following commands to confirm that the server certificate and the private key have been created.

    Execute the following command to confirm that the server certificate has been created.

    # ls –l /root/easyrsa/pki/issued/

    If the created server certificate is output in the following format, then creation is complete.

    -rw-r--r--. 1 root root 4391 MM DD hh:mm <serverCertificateAndPrivateKeyName>.crt
  6. Execute the following command in order to confirm that the private key for the server certificate has been created.

    Execute the following command to confirm that the private key for the server certificate has been created.

    # ls –l /root/easyrsa/pki/private/

    If the created private key is output as shown below, then creation is complete.

    -rw-r--r--. 1 root root 1704 MM DD hh:mm <serverCertificateAndPrivateKeyName>.key
  7. Create the DH key. 
    # ./easyrsa gen-dh

    The following message is displayed.

    Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................+................................................................+.......................
+....+...............+.......................+..............+......................+......................+......
..........................................++*++*

DH parameters of size 2048 created at /root/EasyRSA-3.0.1/pki/dh.pem
  8. Confirm that the DH key has been created. 
    # ls –l ./root/easyrsa/pki/

    If the created DH key is output as shown below, then creation is complete.

    -rw-r--r--. 1 root root  424 MM DD hh:mm dh.pem
  9. Create the client private key and certificate.
    Warning:

    Be sure to create a unique client certificate for SSL-VPN connection for each user. It is not possible for multiple users to use the same certificate for SSL-VPN connection at the same time.

    # ./easyrsa build-client-full <clientPrivateKeyAndCertificateName(Optional)> nopass

    A message like the following is displayed. Follow the on-screen instructions to create the CA certificate interactively.

    Generating a 2048 bit RSA private key
...................................................................................................................................................+++
...........+++
writing new private key to '/root/EasyRSA-3.0.1/pki/private/bps021.key.a5TcULwXAN'
-----
Using configuration from /root/EasyRSA-3.0.1/openssl-1.0.cnf
Enter pass phrase for /root/EasyRSA-3.0.1/pki/private/ca.key: "<passphraseForCaCertificate(Re-enter)>"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'<clientPrivateKeyAndCertificateName(Optional)>'
Certificate is to be certified until MM  DD hh:mm:ss YYYY GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
  10. Execute the following command to confirm that the client certificate has been created. 
    # ls –l ./root/easyrsa/pki/issued/

    If the created client certificate is output as shown below, then creation is complete.

    -rw-------. 1 root root 1704 MM  DD hh:mm <clientPrivateKeyAndCertificateName>.crt
  11. Execute the following command to confirm that the client private key has been created. 
    # ls –l ./root/easyrsa/pki/private/

    If the created client private key is output as shown below, then creation is complete.

    -rw-------. 1 root root 1704 MM DD hh:mm <clientPrivateKeyAndCertificateName>.key
Note:

Transfer created certificates to client PCs as necessary. Transfer the following certificates to the following client PCs.

  • CA certificate

    API execution environment client PCs, SSL-VPN client PCs

  • Server certificate and private key

    API execution environment client PCs

  • DH key

    API execution environment client PCs

  • Client private keys and certificates

    SSL-VPN client PCs