CentOS 7, CA infrastructure

Install Easy-RSA scripts

We will use auxiliary scripts for creating of encryption keys for OpenVPN server and clients.

Enable epel repo:

yum -y install epel-release
yum -y install easy-rsa

CA preparation

Copy the easy-rsa scripts to OpenVPN config directory:

cd /etc/openvpn
cp -r /usr/share/easy-rsa/2.0/ ./CA
cd CA

Set default parameters for certificates in vars file:

export KEY_CITY="Hermosa Beach"
export KEY_ORG="Adventurer"
export KEY_EMAIL="big_boss@adventurer.us"
export KEY_OU="Core"

Define the version of used openssl:

ln -s openssl-1.0.0.cnf openssl.cnf

Load the variables from file vars to env:

source ./vars

Create CA:


Creating keys for OpenVPN server and clients


Generate and sign the server keys:

./build-key-server VPN_SRV_KEY

Say “YES” on question about signing key and add key to DB.

Create the Diffie-Hellman key:


Create key for tls-authentication:

openvpn --genkey --secret keys/ta.key


Generate and sign client(s) keys:

source ./vars
./build-key CLIENT_NAME

Say “YES” on question about signing key and add key to DB.

Disable client key

If private key become to know for third person, you should disable this key to prevent penetration to private network.

Disable client key:

source ./vars
./revoke-full CLIENT_NAME
cp keys/crl.pem /etc/openvpn/server

Location of crl.pem is determined in OpenVPN server config file.

crl.pem - contain the list of disabled client, so this file should be copied each time after revoking of client key.