easyrsa/README.quickstart.md
Josh Cepek b0494ab243 Add initial 3.x codebase files
This is the initial re-write for the 3.x release series.

Signed-off-by: Josh Cepek <josh.cepek@usa.net>
2013-11-18 02:54:07 -06:00


Easy-RSA 3 Quickstart README
============================
This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage
and on specific commands is available by running easyrsa with the 'help'
command. Additional documentation can be found in the doc/ directory.

Setup and signing the first request
-----------------------------------
A quick run-through of what needs to happen to start a new PKI and sign your
first entity certificate.

1. Choose a system to act as your CA and create a new PKI and CA:

        ./easyrsa init-pki
        ./easyrsa build-ca

2. On the separate system that is requesting a certificate, init its own PKI and
   generate a keypair/request. Note that init-pki is used _only_ when this is
   done on a separate system (or at least a separate PKI dir.) This is the
   recommended procedure. If you are not using this recommended procedure, skip
   the next import-req step as well.

        ./easyrsa init-pki
        ./easyrsa gen-req EntityName

3. Transport the request (.req file) to the CA system and import it. Only the
   request is transported; the private key stays on the requesting system. The
   name given here is arbitrary and only used to name the request file.

        ./easyrsa import-req /tmp/path/to/import.req EntityName

4. Sign the request as the correct type. This example uses a client type:

        ./easyrsa sign-req client EntityName

5. Transport the newly signed certificate to the requesting entity. This entity
   may also need the CA cert (ca.crt) unless it had a prior copy.

6. The entity now has its own keypair, its signed cert, and the CA cert.

Signing subsequent requests
---------------------------
Follow steps 2-6 above to generate subsequent keypairs and have the CA return
signed certificates for them.

Revoking certs and creating CRLs
--------------------------------
This is a CA-specific task.

To permanently revoke an issued certificate, provide the short name used during
import:

    ./easyrsa revoke EntityName

To create an updated CRL that contains all revoked certs up to that point:

    ./easyrsa gen-crl

After generation, the CRL will need to be sent to systems that reference it. A
system that still has an older CRL will keep accepting the revoked certificate
until it receives the new one.

Generating Diffie-Hellman (DH) params
-------------------------------------
After initializing a PKI, any entity that needs DH params can create them. This
is normally only used by a TLS server. While the CA PKI can generate this, it
makes more sense to do it on the server itself to avoid the need to send the
files to another system after generation.

DH params can be generated with:

    ./easyrsa gen-dh

Showing details of requests or certs
------------------------------------
To show the details of a request or certificate by referencing the short
EntityName, use one of the following commands. It is an error to call these
without a matching file.

    ./easyrsa show-req EntityName
    ./easyrsa show-cert EntityName
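The following script is an added example, not Easy-RSA's own code: it carries
out the whole quickstart sequence above (steps 1-6, the revoke/gen-crl section
and the show-req/show-cert commands) using the plain `openssl` commands that
easyrsa wraps, so that each step's output can be inspected and checked. The
directory layout, the config section names, the `v3_client`/`v3_server`
extension profiles and the entity name `client1` are assumptions made for this
example; real Easy-RSA uses its own layout. The gen-dh step is left out because
generating 2048-bit DH parameters takes minutes (it corresponds to
`openssl dhparam`).

```shell
#!/bin/sh
# Added example, not Easy-RSA's own code: the quickstart workflow done with the
# plain "openssl" commands that easyrsa wraps. Paths, config section names,
# extension profiles and the entity name "client1" are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca-pki"          # the CA system's PKI dir (step 1)
ENTITY_DIR="$WORK/entity-pki"  # the requesting system's own PKI dir (step 2)
# Step 1: init-pki + build-ca. "openssl ca" wants an index, serial counters and
# a config; laying these out is the part init-pki does for you.
init_ca() {
    rm -rf "$CA_DIR"; mkdir -p "$CA_DIR/private" "$CA_DIR/reqs" "$CA_DIR/issued"
    chmod 700 "$CA_DIR/private"   # the CA key must stay private
    : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/issued
certificate = \$dir/ca.crt
private_key = \$dir/private/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 825
default_crl_days = 180
policy = example_policy
unique_subject = no
[ example_policy ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = ca_dn
[ ca_dn ]
commonName = Example Easy-RSA CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$CA_DIR/private/ca.key" \
        -days 3650 -out "$CA_DIR/ca.crt" 2>/dev/null
}
# Step 2: init-pki + gen-req on the requesting system, in its own PKI dir.
gen_req() {  # $1 = EntityName
    rm -rf "$ENTITY_DIR"; mkdir -p "$ENTITY_DIR/private" "$ENTITY_DIR/reqs"
    chmod 700 "$ENTITY_DIR/private"
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\ncommonName = %s\n' \
        "$1" > "$ENTITY_DIR/req.cnf"
    openssl req -new -config "$ENTITY_DIR/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$ENTITY_DIR/private/$1.key" -out "$ENTITY_DIR/reqs/$1.req" 2>/dev/null
}
# Step 3: import-req. Only the .req travels to the CA; the private key never does.
import_req() { cp "$1" "$CA_DIR/reqs/$2.req"; }  # $1 = path to .req, $2 = EntityName
# Step 4: sign-req <type> <EntityName>. The type selects the extension profile,
# which is what makes a "client" cert unusable as a server cert and vice versa.
sign_req() {
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -extensions "v3_$1" \
        -in "$CA_DIR/reqs/$2.req" -out "$CA_DIR/issued/$2.crt" 2>/dev/null
}
# Steps 5-6: the signed cert and ca.crt go back to the entity.
deliver_cert() { cp "$CA_DIR/issued/$1.crt" "$CA_DIR/ca.crt" "$ENTITY_DIR/"; }
# Exit 0 when the entity's cert chains to the CA cert it was given.
verify_cert() { openssl verify -CAfile "$ENTITY_DIR/ca.crt" "$ENTITY_DIR/$1.crt" >/dev/null 2>&1; }
# revoke + gen-crl, both on the CA. The resulting crl.pem must be distributed.
revoke_cert() { openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/issued/$1.crt" 2>/dev/null; }
gen_crl() { openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null; }
# Same check as verify_cert but consulting the CRL: exits non-zero once revoked.
verify_with_crl() { openssl verify -crl_check -CAfile "$ENTITY_DIR/ca.crt" \
    -CRLfile "$CA_DIR/crl.pem" "$ENTITY_DIR/$1.crt" >/dev/null 2>&1; }
# show-req / show-cert equivalents, by EntityName.
show_req() { openssl req -in "$CA_DIR/reqs/$1.req" -noout -subject; }
show_cert() { openssl x509 -in "$CA_DIR/issued/$1.crt" -noout -subject -issuer -dates; }
init_ca
gen_req client1
import_req "$ENTITY_DIR/reqs/client1.req" client1   # stands in for the file transfer
sign_req client client1
deliver_cert client1
show_cert client1
verify_cert client1 && echo "client1: chains to ca.crt"
revoke_cert client1; gen_crl
verify_with_crl client1 || echo "client1: rejected once the CRL is checked"
```

Run it with `sh`; everything lands in a fresh temporary directory. Two points
worth noticing in the output: the entity's private key is created under
`entity-pki/private` and is never copied to `ca-pki`, and the revoked
certificate still verifies against `ca.crt` alone, which is exactly why the new
CRL has to reach every system that checks it. The keys here are generated
unencrypted (`-nodes`) so the script runs unattended; a real CA key should be
protected with a passphrase.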