How to install EasyRSA3 on RHEL 8

Learn how to install EasyRSA3 on Red Hat Enterprise Linux (RHEL) 8 with this step-by-step guide. Follow detailed instructions to set up and configure EasyRSA for managing your own certificate authority (CA) effortlessly. #centlinux #linux #cryptography

What is EasyRSA3?

EasyRSA3 is the third major version of the EasyRSA utility, which is a tool for managing a Public Key Infrastructure (PKI) and creating digital certificates and keys. It is used to set up and manage a Certificate Authority (CA) and to issue and manage certificates. EasyRSA3 brings several improvements and updates over previous versions, making it more flexible, secure, and easier to use. Key features and capabilities of EasyRSA3 include:

1. Updated Command-Line Interface: EasyRSA3 introduces a more intuitive and flexible command-line interface, making it easier to use and integrate into various workflows.
2. PKI Management: Provides comprehensive tools for setting up and managing a PKI, including creating a CA, generating certificate signing requests (CSRs), issuing certificates, and managing certificate revocation lists (CRLs).
3. Support for Modern Cryptographic Standards: EasyRSA3 supports contemporary cryptographic standards and practices, ensuring that the certificates and keys generated are secure and compliant with current security protocols.
4. Simplified Configuration: Offers simplified configuration options and defaults, making it easier to get started and reducing the complexity of setting up a PKI.
5. Enhanced Security: Includes improvements in security features and practices, such as better key handling and storage practices, ensuring that the PKI is robust and secure.
6. Scripting and Automation: EasyRSA3 is designed to be scriptable and can be easily integrated into automated workflows, making it suitable for large-scale deployments and automated certificate management.
7. Cross-Platform Support: EasyRSA3 is cross-platform and can be used on various operating systems, including Linux, Windows, and macOS, providing flexibility in deployment environments.
8. Extensive Documentation: Comes with comprehensive documentation and examples, making it easier for users to understand and utilize the full capabilities of the tool.

EasyRSA3 is widely used in scenarios where secure communications are necessary, such as setting up VPNs with OpenVPN, securing web servers, and other applications requiring a robust PKI solution. Its ease of use, flexibility, and security features make it a popular choice for network administrators and security professionals.

EasyRSA3 Alternatives

There are several alternatives to EasyRSA 3 for managing Public Key Infrastructure (PKI) and creating digital certificates and keys. Some of the popular alternatives include:

OpenSSL

• A robust, full-featured open-source toolkit for SSL/TLS protocols and a general-purpose cryptography library.
• Provides extensive capabilities for certificate and key management.
• Offers a command-line interface for various cryptographic operations.

cfssl (Cloudflare’s PKI and TLS toolkit)

• A toolkit for everything TLS/SSL from Cloudflare.
• Provides command-line tools and a REST API for managing certificates.
• Supports a wide range of features including certificate generation, signing, and verification.

xca (X Certificate and Key management)

• A graphical user interface for managing X.509 certificates, RSA, DSA, and EC private keys, and certificate requests.
• Makes it easy to manage certificates and keys without extensive command-line usage.
• Supports the creation of self-signed certificates and certificate chains.

EJBCA (Enterprise Java Beans Certificate Authority)

• A full-featured CA software built on Java EE technology.
• Suitable for large-scale deployments and enterprise environments.
• Provides a web-based interface and extensive automation capabilities.

Smallstep Certificate Manager

• A modern certificate management solution designed for microservices and cloud-native environments.
• Provides automated certificate issuance, renewal, and management through APIs.
• Includes integration with popular cloud providers and Kubernetes.

Dogtag PKI

• An enterprise-grade PKI solution included in the Fedora and Red Hat ecosystems.
• Provides a comprehensive set of tools for certificate authority management, token management, and more.
• Suitable for large-scale, enterprise deployments.

Vault by HashiCorp

• A secrets management tool that can also handle PKI and certificate management.
• Provides dynamic secrets and integrates with various systems for automated secret and certificate issuance.
• Offers a secure, centralized way to manage secrets and certificates.

Each of these alternatives has its strengths and may be better suited to different environments and use cases. Depending on your specific requirements, such as ease of use, integration capabilities, or scale, you may choose one of these tools as a replacement or complement to EasyRSA 3.

Recommended Book: The Linux Command Line, 2nd Edition: A Complete Introduction (PAID LINK) by William Shotts
Recommended Online Training: SSL/TLS Fundamentals

Environment Specification

We are using a minimal RHEL 8 virtual machine with following specifications.

• CPU – 3.4 Ghz (2 cores)
• Memory – 2 GB
• Storage – 40 GB
• Operating System – Red Hat Enterprise Linux 8.3
• Hostname – easyrsa-01.centlinux.com
• IP Address – 192.168.116.238 /24

Update Software Packages in Linux Server

Connect with easyrsa-01.centlinux.com as root user by using a SSH client.

It is a best practice to update software packages in your Linux distro, before installing any new software on it.

Therefore, execute dnf command to update software packages in your CentOS / Red Hat Enterprise Linux.

# dnf update -y

Verify the Linux Kernel version being used in this installation guide.

# uname -r
4.18.0-240.22.1.el8_3.x86_64

Verify the Linux distro version being used in this installation guide.

# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)

Install EasyRSA3 on RHEL 8

With the help of wget command, download latest version of EasyRSA.

# cd /opt/
# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

Extract downloaded tarball by executing tar command to install EasyRSA3.

# tar xvf EasyRSA-3.0.8.tgz

Rename the extracted directory as follows.

# mv EasyRSA-3.0.8 easy-rsa

Create Certificate Authority Server

Invoke the easyrsa command to generate pki directory.

# cd easy-rsa
# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki

Generate your Certificate Authority (CA) certificate, which will be used to sign server and client Certificate Signing Requests (CSR).

# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
............................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CentLinux CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt

Generate and Sign Server SSL Certificate

Generate a RSA Private Key and CSR for your Linux server.

# ./easyrsa gen-req easyrsa-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..................................+++++
.........+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3156.k8Hinw/tmp.d8ywZV'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [easyrsa-01.centlinux.com]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/easyrsa-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/easyrsa-01.centlinux.com.key

Sign your server CSR by using Certificate Authority (CA) private key.

# ./easyrsa sign-req server easyrsa-01.centlinux.com
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = easyrsa-01.centlinux.com


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3182.jIol30/tmp.3py67u
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'easyrsa-01.centlinux.com'
Certificate is to be certified until Aug 12 08:41:53 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt

You have successfully signed the SSL certificate of your Linux server.

To verify is your SSL Certificate is correctly generated, you can execute openssl command as follows.

# openssl verify -CAfile pki/ca.crt /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt
/opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt: OK

Generate Diffie-Hellman Key

Generate a strong Diffie-Hellman key to be used by the key exchange process.

# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............+..............................................................................................................................................................++*++*++*++*

DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem

Generate and Sign Client SSL Certificate

Generate a SSL certificate for your client machines.

# ./easyrsa gen-req client-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
.....+++++
.........................................................+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3291.u5C952/tmp.8Ra4q5'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client-01.centlinux.com]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/client-01.centlinux.com.key

Sign the client SSL certificate as follows.

# ./easyrsa sign-req client client-01.centlinux.com
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = client-01.centlinux.com


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3318.NwnX5d/tmp.YpLhll
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client-01.centlinux.com'
Certificate is to be certified until Aug 12 09:00:41 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/client-01.centlinux.com.crt

You have successfully generated and signed the client SSL certificate.

Copy your Certificate Authority (CA) certificate in /etc/pki/ca-trust/source/anchors/ of your Linux clients to add your CA to their trusted CA list.

Read Also: How to install EasyRSA on Rocky Linux 9

Final Thoughts

If you found this guide on installing EasyRSA3 on RHEL 8 helpful and need further assistance, consider hiring a professional. I offer comprehensive installation, configuration, and troubleshooting services for EasyRSA and other security tools.

Check out my Fiverr gig for more details and to book a service: Linux System Administrator

Let’s ensure your certificate authority is set up and running smoothly!