Abstract
This document describes using EasyRSA to generate certs for OpenVPN tunnels with FlexEdge devices.
Products
FlexEdge DA50A, DA70A
Use Case
Generating certs for OpenVPN tunnels.
Installing EasyRSA
The package is available as a zip file from:
https://github.com/OpenVPN/easy-rsa/releases
The version used for this document is 3.0.8.
There is no standard installation procedure; simply unzip the file.
You should get a directory like this:
This directory and all its subdirectories should be archived so that further certificates can be created later if needed. Once the PKI has been initialized, the "pki" subdirectory also holds the CA private key, so the archive must be protected like any other secret.
If the default values are not desired, make a copy of the "vars.example" file, rename it "vars" and edit it.
For example, use it if you need to change the validity of the CA, which by default is set to 10 years.
The same applies to the validity of the issued certificates, which by default is set to 825 days.
Using EasyRSA
Simply double-click on EasyRSA-Start.bat.
A terminal window opens running the EasyRSA shell.
Step 1, initialize PKI and create CA
Use commands:
./easyrsa init-pki
./easyrsa build-ca
A "pki" subdirectory is then created, which contains, among other files, the public CA certificate "ca.crt".
The latter is used by the OpenVPN server and by all clients.
PKI stands for Public Key Infrastructure.
A password is required during this process in order to protect the use of the CA private key.
You also have to give the name (common name, or CN) of this certificate, which is used to identify the entity using it.
Step 2, generate encryption key
Use command:
./easyrsa gen-dh
Be patient, it takes a while, as 2048-bit Diffie-Hellman parameters are generated by default.
The resulting file, "dh.pem", is located in the "pki" folder.
It is used by the OpenVPN server.
Step 3, generate certificates for the OpenVPN server
Use command:
./easyrsa build-server-full server
A password is required during this process in order to protect the use of the private key.
Result files are:
“server.crt” (public) in “issued” subfolder
“server.key” (private) in “private” subfolder
Step 4, generate certificates for each OpenVPN client
Use the following command once for each OpenVPN client:
./easyrsa build-client-full <client_name>
where <client_name> is the authentication name (CN) of that client.
A password is required during this process in order to protect the use of the private key.
Result files are:
"<client_name>.crt" (public) in "issued" subfolder
"<client_name>.key" (private) in "private" subfolder
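Because every certificate issued in Steps 3 and 4 expires after the validity period configured in "vars" (825 days by default), it helps to keep track of what has been issued and when it runs out. The following added example (not part of this Red Lion document or of EasyRSA) reads the OpenSSL-style "index.txt" that EasyRSA maintains in the "pki" directory, one line per issued certificate, and reports which valid certificates expire within a given number of days; the sample index content, serials and names (da50a-site1, da70a-site2) are constructed for illustration.

```python
"""List EasyRSA-issued certificates from pki/index.txt and flag upcoming expiry."""
from datetime import datetime, timedelta, timezone

# Constructed sample of a pki/index.txt (assumption: same layout as the
# OpenSSL CA database): status (V=valid, R=revoked), expiry, revocation
# date, serial, certificate filename, subject DN, separated by tabs.
SAMPLE_INDEX = (
    "V\t260412090000Z\t\t01\tunknown\t/CN=server\n"
    "V\t260420090000Z\t\t02\tunknown\t/CN=da50a-site1\n"
    "R\t260420090000Z\t240901120000Z\t03\tunknown\t/CN=da70a-site2\n"
)


def _parse_time(value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per non-empty index line: cn, status, serial, expires, revoked."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, dn = line.split("\t")
        cn = next((p[3:] for p in dn.split("/") if p.startswith("CN=")), dn)
        entries.append({"cn": cn, "status": status, "serial": serial,
                        "expires": _parse_time(expiry), "revoked": revoked != ""})
    return entries


def utc_date(year, month, day):
    """Build an aware UTC datetime for a calendar date (used as 'now')."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_left(entry, now):
    """Whole days until the certificate expires (negative once expired)."""
    return (entry["expires"] - now).days


def expiring_soon(entries, now, days=60):
    """CNs of valid, unrevoked certificates that expire within `days` of `now`."""
    cutoff = now + timedelta(days=days)
    return [e["cn"] for e in entries if e["status"] == "V" and e["expires"] <= cutoff]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for e in parse_index(SAMPLE_INDEX):
        print(f"{e['cn']:<14} {e['status']} expires {e['expires']:%Y-%m-%d} ({days_left(e, now)} days)")
```

To use it on a real PKI, read "pki/index.txt" into a string in place of SAMPLE_INDEX; a revoked client (status R) is reported but never listed as expiring, since it must be replaced anyway.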
Step 5, where to use this information in Crimson
The public key, private key, password and CA certificate are entered as follows.
For the DAxxA server:
The password is the one used (PEM pass phrase) during the creation of the corresponding certificate.
For each DAxxA client:
Note that if at least one "Device Personality" setting is defined, you can choose between "Regular" or "Custom" parameters.
Disclaimer
It is the customer's responsibility to review the advice provided herein and its applicability to the system. Red Lion makes no representation about specific knowledge of the customer's system or the specific performance of the system. Red Lion is not responsible for any damage to equipment or connected systems. The use of this document is at your own risk. Red Lion standard product warranty applies.
Red Lion Technical Support
If you have any questions or trouble, contact Red Lion Technical Support by calling 1-877-432-9908.
For more information: http://www.redlion.net/support/policies-statements/warranty-statement