Learn how to install EasyRSA3 on Red Hat Enterprise Linux (RHEL) 8 with this step-by-step guide. Follow detailed instructions to set up and configure EasyRSA for managing your own certificate authority (CA) effortlessly. #centlinux #linux #cryptography
EasyRSA3 is the third major version of the EasyRSA utility, which is a tool for managing a Public Key Infrastructure (PKI) and creating digital certificates and keys. It is used to set up and manage a Certificate Authority (CA) and to issue and manage certificates. EasyRSA3 brings several improvements and updates over previous versions, making it more flexible, secure, and easier to use. Key features and capabilities of EasyRSA3 include:
EasyRSA3 is widely used in scenarios where secure communications are necessary, such as setting up VPNs with OpenVPN, securing web servers, and other applications requiring a robust PKI solution. Its ease of use, flexibility, and security features make it a popular choice for network administrators and security professionals.
There are several alternatives to EasyRSA 3 for managing Public Key Infrastructure (PKI) and creating digital certificates and keys. Some of the popular alternatives include:
Each of these alternatives has its strengths and may be better suited to different environments and use cases. Depending on your specific requirements, such as ease of use, integration capabilities, or scale, you may choose one of these tools as a replacement or complement to EasyRSA 3.
Recommended Book: The Linux Command Line, 2nd Edition: A Complete Introduction (PAID LINK) by William Shotts
Recommended Online Training: SSL/TLS Fundamentals
We are using a minimal RHEL 8 virtual machine with following specifications.
Connect with easyrsa-01.centlinux.com as root user by using a SSH client.
It is a best practice to update software packages in your Linux distro, before installing any new software on it.
Therefore, execute dnf command to update software packages in your CentOS / Red Hat Enterprise Linux.
# dnf update -y
Verify the Linux Kernel version being used in this installation guide.
# uname -r
4.18.0-240.22.1.el8_3.x86_64
Verify the Linux distro version being used in this installation guide.
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)
With the help of wget command, download latest version of EasyRSA.
# cd /opt/ # wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
Extract downloaded tarball by executing tar command to install EasyRSA3.
# tar xvf EasyRSA-3.0.8.tgz
Rename the extracted directory as follows.
# mv EasyRSA-3.0.8 easy-rsa
Invoke the easyrsa command to generate pki directory.
# cd easy-rsa # ./easyrsa init-pki init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /opt/easy-rsa/pki
Generate your Certificate Authority (CA) certificate, which will be used to sign server and client Certificate Signing Requests (CSR).
# ./easyrsa build-ca Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus (2 primes) ................+++++ ............................+++++ e is 65537 (0x010001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CentLinux CA CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /opt/easy-rsa/pki/ca.crt
Generate a RSA Private Key and CSR for your Linux server.
# ./easyrsa gen-req easyrsa-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
..................................+++++
.........+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3156.k8Hinw/tmp.d8ywZV'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [easyrsa-01.centlinux.com]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/easyrsa-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/easyrsa-01.centlinux.com.key
Sign your server CSR by using Certificate Authority (CA) private key.
# ./easyrsa sign-req server easyrsa-01.centlinux.com Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= commonName = easyrsa-01.centlinux.com Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /opt/easy-rsa/pki/easy-rsa-3182.jIol30/tmp.3py67u Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'easyrsa-01.centlinux.com' Certificate is to be certified until Aug 12 08:41:53 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt
You have successfully signed the SSL certificate of your Linux server.
To verify is your SSL Certificate is correctly generated, you can execute openssl command as follows.
# openssl verify -CAfile pki/ca.crt /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt
/opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt: OK
Generate a strong Diffie-Hellman key to be used by the key exchange process.
# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............+..............................................................................................................................................................++*++*++*++*
DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem
Generate a SSL certificate for your client machines.
# ./easyrsa gen-req client-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
.....+++++
.........................................................+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3291.u5C952/tmp.8Ra4q5'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client-01.centlinux.com]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/client-01.centlinux.com.key
Sign the client SSL certificate as follows.
# ./easyrsa sign-req client client-01.centlinux.com
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = client-01.centlinux.com
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3318.NwnX5d/tmp.YpLhll
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client-01.centlinux.com'
Certificate is to be certified until Aug 12 09:00:41 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/client-01.centlinux.com.crt
You have successfully generated and signed the client SSL certificate.
Copy your Certificate Authority (CA) certificate in /etc/pki/ca-trust/source/anchors/ of your Linux clients to add your CA to their trusted CA list.
Read Also: How to install EasyRSA on Rocky Linux 9
If you found this guide on installing EasyRSA3 on RHEL 8 helpful and need further assistance, consider hiring a professional. I offer comprehensive installation, configuration, and troubleshooting services for EasyRSA and other security tools.
Check out my Fiverr gig for more details and to book a service: Linux System Administrator
Let’s ensure your certificate authority is set up and running smoothly!
Puppy Linux is a fast, lightweight OS designed for speed and simplicity, perfect for old…
Learn how to change Apache document root in Linux by following this step-by-step guide. Adjust…
Discover how to change Apache port in Linux easily. Follow our simple guide to modify…
Learn how to create a virtual host in Apache Server with this comprehensive guide. Set…
Discover 10 practical tasks for the RHCSA exam with step-by-step solutions. Boost your Linux skills…
Discover the ultimate Fail2ban configuration guide. Learn how to set up, customize, and optimize Fail2ban…
This website uses cookies.