Creating x509 certificates

In this guide we will be using easy-rsa 2.0 (which ships with OpenVPN and should already be present on your VyOS installation) to generate our certificates. This part can be skipped if you generate your certificates by some other means.

It is assumed throughout that all certificates and keys are stored in the /config/auth/keys folder. If you are using your own CA, you can generate a key pair and CSR with the following command (the files are written to the /config/auth folder by default), have the CSR signed by your CA, and copy the resulting certificate back to the router.

generate vpn x509 key-pair <CERTIFICATE>

Setting up

First, copy the easy-rsa folder into /config/auth, because files under /config are kept across image upgrades (anything left under /usr/share is not).

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /config/auth/
cd /config/auth/

Now set up the environment by "sourcing" the provided vars file, which contains the default values (key size, country, organisation and so on) used when creating certificates. Edit this file if you want to change the defaults before sourcing it. The clean-all script wipes the keys directory, providing a fresh environment to create certificates in; only run it when starting a new CA, since it deletes any existing CA key and every certificate issued from it.

source vars

Building the CA

First we build the CA with the build-ca script. It prompts for the certificate details; anything left blank is taken from the defaults in the vars file. The resulting ca.key is the root of trust for every certificate issued afterwards, so keep it private and never copy it to clients.

Building certificates

Client certificates (and certificates for other peers) can be built with the following command, which creates the private key, a CSR and the signed certificate in one step.

./build-key <CERTIFICATE>

To protect the private key with a passphrase, use the following command instead (the passphrase is then needed whenever the key is loaded).

./build-key-pass <CERTIFICATE>

If you declined to sign the certificate when prompted, a further command signs the pending request with the CA.

./sign-req <CERTIFICATE>

In some cases (for OpenVPN servers), certificates need to be built with the following command. This marks the certificate as server-only by setting nsCertType=server (the openssl config shipped with current easy-rsa 2.0 also sets extendedKeyUsage=serverAuth), which is what lets clients configured with ns-cert-type server or remote-cert-tls server reject an impostor server that presents an ordinary client certificate. It will be mentioned when this needs to be used.

./build-key-server <CERTIFICATE>

Building the DH parameters

Next, build the Diffie-Hellman parameters with the build-dh script; the size is taken from KEY_SIZE in vars and generation can take several minutes. This is only required where the configuration references a DH file, such as an OpenVPN server; clients do not need it.

Revoking certificates

A certificate is revoked with a single command. It marks the certificate as revoked in the CA database and generates a new keys/crl.pem, or rewrites the existing one with the revoked certificate added. Revocation has no effect until this file is referenced in the configuration (for OpenVPN, the crl-verify option), so it is common to build a throwaway certificate and revoke it immediately to obtain a "blank" crl.pem that can be referenced from the start. Note that the CRL carries a nextUpdate date (default_crl_days in the easy-rsa openssl config); regenerate it before that date, or clients may be rejected once it has expired.

./revoke-full <CERTIFICATE>
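The whole procedure above (build-ca, build-key-server, build-key, revoke-full, build-dh) done with plain openssl instead of the easy-rsa wrapper scripts, so each step and its result can be inspected. This is an added example and not code from the page or from easy-rsa; the working directory, the subject names and the minimal openssl.cnf it writes are assumptions made here (easy-rsa ships its own, fuller openssl-*.cnf).

```shell
# Added example, not code from the page or from easy-rsa: the PKI steps the
# easy-rsa 2.0 scripts wrap, done with plain openssl. The directory, the subject
# names and the minimal openssl.cnf written below are assumptions made here.
set -eu

# Minimal CA configuration; easy-rsa's own openssl-*.cnf has many more fields.
write_cnf() {
    keys="$1"
    cat > "$keys/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = $keys/index.txt
new_certs_dir    = $keys
serial           = $keys/serial
crlnumber        = $keys/crlnumber
certificate      = $keys/ca.crt
private_key      = $keys/ca.key
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = demo_policy
unique_subject   = no
[ demo_policy ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
# What build-key-server adds: server-only marking via nsCertType plus the
# modern equivalent, extendedKeyUsage=serverAuth.
[ server ]
basicConstraints = CA:FALSE
nsCertType       = server
extendedKeyUsage = serverAuth
keyUsage         = digitalSignature, keyEncipherment
[ client ]
basicConstraints = CA:FALSE
nsCertType       = client
extendedKeyUsage = clientAuth
keyUsage         = digitalSignature
EOF
    : > "$keys/index.txt"
    echo 01 > "$keys/serial"
    echo 01 > "$keys/crlnumber"
}

# build-ca: self-signed CA certificate and key.
build_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config "$1/openssl.cnf" -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# build-key / build-key-server: key + CSR, then sign it with the CA using the
# "client" or "server" extension section (the signing half is what sign-req does).
build_key() {
    keys="$1"; name="$2"; kind="$3"
    openssl req -new -nodes -newkey rsa:2048 -config "$keys/openssl.cnf" \
        -subj "/CN=$name" -keyout "$keys/$name.key" -out "$keys/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$keys/openssl.cnf" -extensions "$kind" \
        -in "$keys/$name.csr" -out "$keys/$name.crt" 2>/dev/null
}

# revoke-full: mark the certificate revoked in the CA database, rewrite crl.pem.
revoke_full() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# build-dh: not run below, since 2048-bit parameters take a while to generate.
build_dh() {
    openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null
}

# Checks worth running on the result: chain plus CRL check, and whether the
# certificate is acceptable as a TLS server (nsCertType / extendedKeyUsage).
verify_cert() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2" 2>&1 \
        | grep -q ': OK$'
}
is_server_cert() {
    openssl x509 -in "$1/$2" -noout -purpose | grep -q '^SSL server : Yes'
}

# Whole procedure: CA, one server cert, one client cert, then revoke the client.
build_pki() {
    write_cnf "$1"
    build_ca "$1"
    build_key "$1" server server
    build_key "$1" client1 client
    revoke_full "$1" client1
}

KEYS="${1:-$(mktemp -d)}"
build_pki "$KEYS"
echo "PKI written to $KEYS"
```

Run it with a directory argument (or none, for a temporary one) and then `verify_cert DIR client1.crt` fails while `verify_cert DIR server.crt` succeeds: the revoked client is rejected only because the CRL is passed to the verifier, which is the point of referencing crl.pem from the configuration.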

Exporting to PKCS#12

Some clients (Windows, Android, iOS) expect the private key, the certificate and the CA chain bundled in a single PKCS#12 (.pfx/.p12) file rather than separate PEM files. The following command bundles the key, its certificate and any additional CA certificates (more.crt); openssl prompts for an export password, which protects the private key inside the bundle, so choose a strong one and transfer the file over a trusted channel.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt