Easy-RSA 3 Quickstart README
Easy-RSA 3 Quickstart README
This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage and specific commands can be found by running ./easyrsa -h. Additional documentation can be found in the doc/ directory.
If you're upgrading from the Easy-RSA 2.x series, there are Upgrade-Notes available, also under the doc/ path.
Setup and signing the first request
Here is a quick run-though of what needs to happen to start a new PKI and sign your first entity certificate:
Choose a system to act as your CA and create a new PKI and CA:
./easyrsa init-pki
./easyrsa build-ca
On the system that is requesting a certificate, init its own PKI and generate a keypair/request. Note that init-pki is used only when this is done on a separate system (or at least a separate PKI dir.) This is the recommended procedure. If you are not using this recommended procedure, skip the next import-req step.
./easyrsa init-pki
./easyrsa gen-req EntityName
Transport the request (.req file) to the CA system and import it. The name given here is arbitrary and only used to name the request file.
./easyrsa import-req /tmp/path/to/import.req EntityName
Sign the request as the correct type. This example uses a client type:
./easyrsa sign-req client EntityName
Transport the newly signed certificate to the requesting entity. This entity may also need the CA cert (ca.crt) unless it had a prior copy.
The entity now has its own keypair, signed cert, and the CA.
Signing subsequent requests
Follow steps 2-6 above to generate subsequent keypairs and have the CA return signed certificates.
Revoking certs and creating CRLs
This is a CA-specific task.
To permanently revoke an issued certificate, provide the short name used during import:
./easyrsa revoke EntityName
To create an updated CRL that contains all revoked certs up to that point:
./easyrsa gen-crl
After generation, the CRL will need to be sent to systems that reference it.
Generating Diffie-Hellman (DH) params
After initializing a PKI, any entity can create DH params that needs them. This is normally only used by a TLS server. While the CA PKI can generate this, it makes more sense to do it on the server itself to avoid the need to send the files to another system after generation.
DH params can be generated with:
./easyrsa gen-dh
Showing details of requests or certs
To show the details of a request or certificate by referencing the short EntityName, use one of the following commands. It is an error to call these without a matching file.
./easyrsa show-req EntityName
./easyrsa show-cert EntityName
Changing private key passphrases
RSA and EC private keys can be re-encrypted so a new passphrase can be supplied with one of the following commands depending on the key type:
./easyrsa set-rsa-pass EntityName
./easyrsa set-ec-pass EntityName
Optionally, the passphrase can be removed completely with the 'nopass' flag. Consult the command help for details.
Easy-RSA 3 Quickstart README的更多相关文章
- How To Set Up an OpenVPN Server on Ubuntu 14.04
Prerequisites The only prerequisite is having a Ubuntu 14.04 Droplet established and running. You wi ...
- 为你的PHP程序选择合适的密码库(初稿)
如果本文中的术语让你感到疑惑,请先参阅密码学术语及概念一文. 密码学不是魔术.加密一个应用程序并不能保证它在袭击下的安全(特别是在你没有设置验证密文的情况下).但如果出于商业需求你要确保程序的安全,传 ...
- windows下利用OpenVPN搭建VPNserver
一.OpenVPN是一款功能强大,可跨平台(支持Win 2000/XP/2003, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, 和 OpenBSD)使用的SS ...
- 利用OpenVPN实现局域网内多台机器共享上网
本文转载自 https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14- ...
- Centos7搭建OpenVPN服务器
Windows下同时连接多个VPN的话,需要以管理员身份运行 C:\Program Files\TAP-Windows\bin\addtap.bat 添加虚拟网络适配器 --------------- ...
- 译: 3. Axis2快速入门指南
本指南的目的是让您尽快使用Axis2开始创建服务和客户端.我们将采用一个简单的StockQuote服务,向您展示可以创建和部署它的一些不同方式,以及快速查看Axis2附带的一个或两个实用程序.然后,我 ...
- 在ubuntu14.04上搭建OpenVPN服务
简介 在连接了不可信的网络环境后,让手机或者计算机安全的访问互联网,使用虚拟专用网络(Virtual Private Network,VPN)是一个解决办法.OpenVPN是一个SSL VPN完整解决 ...
- Jarvis OJ平台basic部分wirteup
Base64? 题目描述: GUYDIMZVGQ2DMN3CGRQTONJXGM3TINLGG42DGMZXGM3TINLGGY4DGNBXGYZTGNLGGY3DGNBWMU3WI=== Base3 ...
- 快速构建第一个Flink工程
本文简述通过maven和gradle快速构建的Flink工程.建议安装好Flink以后构建自己的Flink项目,安装与示例运行请查看:Flink快速入门--安装与示例运行. 在安装好Flink以后,只 ...
随机推荐
- 【AtCoder】ARC060
ARC060 C - 高橋君とカード / Tak and Cards 每个数减去A,然后转移N次,每次选或不选,最后是和为0的时候的方案数,负数可以通过把所有数右移2500做到 #include &l ...
- python 自动化测试
安装selenium 安装命令: pip install selenium 测试 打开一款Python编辑器,默认Python自带的IDLE也行.创建 baidu.py文件,输入以下内容: from ...
- 【规律】A Rational Sequence
题目描述 An infinite full binary tree labeled by positive rational numbers is defi ned by:• The label of ...
- 图像识别tesseract-ocr
下载地址 https://github.com/tesseract-ocr/tesseract/wiki/Data-Files. https://github.com/tesseract-ocr/te ...
- JArray
[{ "A001033": "", ", ", ", ", ", ", ", " ...
- X509证书在window server 2003/IIS 6环境部署
利用makecert.exe工具生成的X509证书在winform程序中运行正常,但是给部署在IIS中的应用程序用却获取不到证书信息,返回为空.原因是,iis没有权限读取位于证书存储区的X509证书, ...
- 【opencv 源码剖析】 四、 Mat的赋值构造函数 和 拷贝构造函数
1.赋值构造函数 右值引用 inline Mat& Mat::operator = (Mat&& m) { if (this == &m) return *this; ...
- Vue-img-preload
预加载页面上的图片资源,提高用户体验 效果预览 使用方法 下载vue-img-preload插件 npm install vue-img-preload 配置参数 eachLoaded(functio ...
- html5中本地存储概念是什么?
html5中的Web Storage包括了两种存储方式:sessionStorage和localStorage.sessionStorage用于本地存储一个会话中的数据,这些数据只有在同一个会话中的页 ...
- 3.第一个MyBatis程序_进化
1.使用工具类 将SqlSession的获取 封装成一个工具 private static SqlSession session = null; static { try { InputStream ...