no ca mode
TinCanTech edited this page Dec 22, 2021
This page describes how to use Easy-TLS in No-CA mode.

OpenVPN can run in Peer-Fingerprint mode, which means that it does not require a CA and full PKI from Easy-RSA. Instead, OpenVPN uses self-signed certificate fingerprints to validate each end.
- OpenVPN version 2.6.0
- Easy-TLS: for generating self-signed certificates and building TLS keys.
  Install Easy-RSA 3 first and initialise it: `./easyrsa init-pki`
- Download the complete file list for Easy-TLS into your working directory.
  Initialise Easy-TLS in No-CA mode: `./easytls init-tls no-ca`
- Create a self-signed server certificate: `./easytls self-sign-server your-server-name` (abbreviation: `sss`)
- Create self-signed client certificates: `./easytls self-sign-client your-client-name` (abbreviation: `ssc`)
  Use `-r|--ss-peer-fingerprint=<Server_commonName>` to enable automatic sharing of fingerprints: the client fingerprint is added to a list in the server inline file and the server fingerprint is added to the client inline file.
  Example: `./easytls -r=server01 ssc client01`
- Set your `CUSTOM_GROUP`: `./easytls config custom.group your-custom-group`
- Build the TLS-Crypt-V2 server key: `./easytls build-tls-crypt-v2-server your-server-name` (abbreviation: `btcv2s`)
- Build TLS-Crypt-V2 client keys: `./easytls build-tls-crypt-v2-client your-server-name your-client-name` (abbreviation: `btcv2c`)
  Optionally, you can add MAC hardware addresses to the client keys. Sub-keys are also supported.
- Inline your certificates and keys: `./easytls inline-tls-crypt-v2 node-name` (abbreviation: `itcv2`)
- The server and client inline files are located in the `./easytls` directory in your Easy-RSA working directory.
  Note: the fingerprint is copied to the peer; it is not used in the same config as the cert and key.
- Server configuration file:

  ```
  <peer-fingerprint>
  # Peer-Client client01
  1D:72:07:57:5B:E1:0C:90:01:63:D3:96:88:90:7C:F9:B5:A7:4D:AE:84:EE:A8:80:89:94:DD:EA:1E:4D:F2:C8
  # Peer-Client client02
  CC:74:E3:40:B6:DF:6F:32:BD:38:20:19:5C:56:01:1C:C5:A6:E6:F3:C1:BA:E4:57:BB:0B:64:B8:43:FB:1B:F5
  </peer-fingerprint>
  ```

- Client configuration file:

  ```
  <peer-fingerprint>
  # Peer-Server server01
  9B:2C:CA:27:4E:18:B7:81:9F:8C:3F:7F:B0:82:B2:AE:E1:B6:87:68:B9:65:51:0D:3C:F4:D7:19:06:CF:C3:96
  </peer-fingerprint>
  ```

- Use the Easy-TLS interactive script menu: `./easytls script` and follow the instructions.
- Not all Easy-TLS functions work in No-CA mode. I am working on improvements.
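Verifying the inline fingerprints by hand, as an added example that is not Easy-TLS or OpenVPN code: the Python below computes the SHA-256 fingerprint that OpenVPN's peer-fingerprint mode compares (the same digest `openssl x509 -noout -sha256 -fingerprint` prints), parses a `<peer-fingerprint>` block like the server block above, and reports whether a given certificate is listed. The certificate it hashes is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Exactly 32 colon-separated upper-case hex bytes, as Easy-TLS writes them.
FP_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){31}$")

def cert_fingerprint(pem):
    """SHA-256 over the DER certificate, formatted as OpenVPN expects."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_peer_fingerprints(config):
    """Collect fingerprints from a <peer-fingerprint> block; '# Peer-...' labels
    and blank lines are skipped, any other malformed line is rejected."""
    m = re.search(r"<peer-fingerprint>(.*?)</peer-fingerprint>", config, re.S)
    if not m:
        return []
    fps = []
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not FP_RE.match(line.upper()):
            raise ValueError("malformed fingerprint line: %r" % line)
        fps.append(line.upper())
    return fps

def peer_is_trusted(pem, config):
    """True only if the certificate's fingerprint appears in the block."""
    return cert_fingerprint(pem) in parse_peer_fingerprints(config)

# Server inline block from this page (client01 and client02).
SERVER_CONFIG = """<peer-fingerprint>
# Peer-Client client01
1D:72:07:57:5B:E1:0C:90:01:63:D3:96:88:90:7C:F9:B5:A7:4D:AE:84:EE:A8:80:89:94:DD:EA:1E:4D:F2:C8
# Peer-Client client02
CC:74:E3:40:B6:DF:6F:32:BD:38:20:19:5C:56:01:1C:C5:A6:E6:F3:C1:BA:E4:57:BB:0B:64:B8:43:FB:1B:F5
</peer-fingerprint>
"""

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
DER_PLACEHOLDER = b"constructed placeholder bytes, not a real DER certificate"
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(DER_PLACEHOLDER).decode()
```

Run `cert_fingerprint` on your own `.crt` and compare the result with what Easy-TLS copied into the peer's inline file before deploying it.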