Help Center/ Virtual Private Network/ Administrator Guide/ P2C VPN/ Using Easy-RSA to Issue Certificates (Server and Client Sharing a CA Certificate)
Updated on 2024-10-11 GMT+08:00

Using Easy-RSA to Issue Certificates (Server and Client Sharing a CA Certificate)

Scenario

Easy-RSA is an open-source certificate management tool used to generate and manage digital certificates.

This example describes how to use Easy-RSA to issue certificates on the Windows operating system in the scenario where the server and client share a CA certificate. In this example, Easy-RSA 3.1.7 is used. For other software versions, visit the official website for the corresponding operation guide.

Procedure

  1. Download an Easy-RSA installation package to the D:\ directory based on your Windows operating system.

    In this example, EasyRSA-3.1.7-win64 is downloaded.

  2. Decompress EasyRSA-3.1.7-win64.zip to a specified directory, for example, D:\EasyRSA-3.1.7.
  3. Go to the D:\EasyRSA-3.1.7 directory.
  4. Enter cmd in the address bar and press Enter to open the CLI.
  5. Run the .\EasyRSA-Start.bat command to start Easy-RSA.

    Information similar to the following is displayed:

    Welcome to the EasyRSA 3 Shell for Windows.
    Easy-RSA 3 is available under a GNU GPLv2 license.
    
    Invoke './easyrsa' to call the program. Without commands, help is displayed.
    
    EasyRSA Shell
    #
  6. Run the ./easyrsa init-pki command to initialize the PKI environment.
    Information similar to the following is displayed:
    Notice
    ------
    'init-pki' complete; you may now create a CA or requests.
    
    Your newly created PKI dir is:
    * D:/EasyRSA-3.1.7/pki
    
    Using Easy-RSA configuration:
    * undefined
    
    
    EasyRSA Shell
    #

    After the command is executed, the pki folder is automatically generated in the D:\EasyRSA-3.1.7 directory.

  7. Set parameters.
    1. Copy the vars.example file in D:\EasyRSA-3.1.7 to the D:\EasyRSA-3.1.7\pki directory.
    2. Rename vars.example in the D:\EasyRSA-3.1.7\pki directory to vars.

      By default, the vars file uses the same parameter settings as the vars.example file. You can also set parameters in the vars file as required.

  8. Run the ./easyrsa build-ca nopass command to generate a CA certificate.

    Information similar to the following is displayed:

    Using Easy-RSA 'vars' configuration:
    * D:/EasyRSA-3.1.7/pki/vars
    
    Using SSL:
    * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
    .....+..+.............+......+........+...+...+....+++++++++++++++++++++++++++++++++++++++*.+.+.....+..........+............+...+++++++++++++++++++++++++++++++++++++++*............+.....+......+...+....+..+..........+.....+....+...............+..+.........+.............+......+..+...+....+..+.+.........+.....+.........+....+............+...+...+.....+........................+...+.+.....+....+...+.........+...+...+...+.....+......+........................++++++
    .+++++++++++++++++++++++++++++++++++++++*.........+..........+++++++++++++++++++++++++++++++++++++++*.+......++++++
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:p2cvpn.com    //Set a name for the CA certificate.
    
    Notice
    ------
    CA creation complete. Your new CA certificate is at:
    * D:/EasyRSA-3.1.7/pki/ca.crt
    
    
    EasyRSA Shell
    #
  9. View the CA certificate and private key.
    • By default, the generated CA certificate is stored in the D:\EasyRSA-3.1.7\pki directory.

      In this example, the certificate ca.crt is generated.

    • By default, the generated CA private key is stored in the D:\EasyRSA-3.1.7\pki\private directory.

      In this example, the private key ca.key is generated.

  10. Run the ./easyrsa build-server-full p2cserver.com nopass command to generate a server certificate and private key.

    In this command, p2cserver.com is the common name (CN) of the server certificate. Replace it with the actual CN. The CN must be in the domain name format; otherwise, the certificate cannot be managed by the Cloud Certificate Manager (CCM).

    Information similar to the following is displayed:

    Using Easy-RSA 'vars' configuration:
    * D:/EasyRSA-3.1.7/pki/vars
    
    Using SSL:
    * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
    .+............+........+............+............+.+...............+.....+....+....................+............+.+..+......+............+....+.........+..+.........+.+.........+..............+.........+++++++++++++++++++++++++++++++++++++++*...+......+.....+......+...+++++++++++++++++++++++++++++++++++++++*..+...+..........+......+...........+....+......+.....+....+.....+....+........+...+.......+...+..+.......+..+......+.............+..+....+......+...+.....+................+......+..+.............+..+................+.....+......+....+...........+....+.....+.........+.+..+.............+...........+..........+......+........+............+...+....+..+......+......................+.....+......+.+...+..+...+.+......+........+...+....+.....+......+....+...+..+................+..+...+.......+..+......+..........+.........+...+..+.........+......+......++++++
    ........+.+......+...+......+.....+...+.+.....+.+........+......+++++++++++++++++++++++++++++++++++++++*...+.....+...+.+.........+......+........+++++++++++++++++++++++++++++++++++++++*......+........+.+...+.....+.+..............+.+.....+.+...+...+.....+.......+.................+.+............+..+......+...+....+...+..+.+.....+.....................+.+..+.+...................................+....+........+.............+.....+....+.....+...+..........+........+.+.....+...+.............+........+....+......+.....+.......+..+............+.........+.+......+...+...............+......+...........+............+.......+...........+.......+...............+......+.................+...+.+...+..+...+.+..........................+.+.........+......+............+..+....+..+....+........+.......+........+...+...+.+...+...+..+...............+...+..........+..+.......+.........+.....+.........+................+......+...+......+.....+.......+...+..............+.+.....+.+...+...........+.+...+...+...+............+..+.......+...........+.......+...+...+...........+.....................+...+....+...........+............+...+......+..........+........+.+.....+....+.....+.+..+..........+..............+...+......+.+...+...........+.+......+...++++++
    -----
    
    Notice
    ------
    Private-Key and Public-Certificate-Request files created.
    Your files are:
    * req: D:/EasyRSA-3.1.7/pki/reqs/p2cserver.com.req
    * key: D:/EasyRSA-3.1.7/pki/private/p2cserver.com.key
    
    You are about to sign the following certificate:
    Request subject, to be signed as a server certificate
    for '825' days:
    
    subject=
        commonName                = p2cserver.com
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes    //Enter yes to continue.
    
    Using configuration from D:/EasyRSA-3.1.7/pki/openssl-easyrsa.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'p2cserver.com'
    Certificate is to be certified until Sep 22 09:56:54 2026 GMT (825 days)
    
    Write out database with 1 new entries
    Database updated
    
    Notice
    ------
    Certificate created at:
    * D:/EasyRSA-3.1.7/pki/issued/p2cserver.com.crt
    
    Notice
    ------
    Inline file created:
    * D:/EasyRSA-3.1.7/pki/inline/p2cserver.com.inline
    
    
    EasyRSA Shell
    #
  11. View the server certificate and private key.
    • By default, the generated server certificate is stored in the D:\EasyRSA-3.1.7\pki\issued directory.

      In this example, the server certificate p2cserver.com.crt is generated.

    • By default, the generated server private key is stored in the D:\EasyRSA-3.1.7\pki\private directory.

      In this example, the server private key p2cserver.com.key is generated.

  12. Run the ./easyrsa build-client-full p2cclient.com nopass command to generate a client certificate and private key.

    In this command, the client certificate name (for example, p2cclient.com) must be different from the server certificate name (for example, p2cserver.com).

    Information similar to the following is displayed:

    Using Easy-RSA 'vars' configuration:
    * D:/EasyRSA-3.1.7/pki/vars
    
    Using SSL:
    * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
    .......+++++++++++++++++++++++++++++++++++++++*...+...+...+.....+...+....+......+......+........+.+.....+............+++++++++++++++++++++++++++++++++++++++*.+.....+.+.....+.........+.......+..+...+.......+...+..+......+.+......+........+....+...+...+..+.......+......+.....+..........+...........+....+......+.....+.........+......+.+..+...+..........+........+......+....+......+...........+.......+.....+.............+..+.+...........+..........+...+..+.........+......+.+........+.........+.+...............+..+..........+...+............+...+.....+.+...........+....+.....+.........+....+.......................+....+...+..+....+..+.......+...+............+.....+............+.+........+.......+.....+....+.........+..+............+..........+..+.............+...+...+..++++++
    ..+.....+.......+.....+.........+....+++++++++++++++++++++++++++++++++++++++*.....+......+..+++++++++++++++++++++++++++++++++++++++*.......+.+.....+....+.........+...+.....+.........+...+...............+...+....+.....+.+...+......+......+...+.........+..+...+...+....+.........+..+...+...................+......+.....+.+...+...+.........+.....+..................+...+...+......+.+..+......+.+......+.....+...+..........+..+............+.......+.........+.....+......+.+..+............+................+..+...+....+......+.....+...+....+..+......+.........+.........++++++
    -----
    
    Notice
    ------
    Private-Key and Public-Certificate-Request files created.
    Your files are:
    * req: D:/EasyRSA-3.1.7/pki/reqs/p2cclient.com.req
    * key: D:/EasyRSA-3.1.7/pki/private/p2cclient.com.key
    
    You are about to sign the following certificate:
    Request subject, to be signed as a client certificate
    for '825' days:
    
    subject=
        commonName                = p2cclient.com
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes    //Enter yes to continue.
    
    Using configuration from D:/EasyRSA-3.1.7/pki/openssl-easyrsa.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'p2cclient.com'
    Certificate is to be certified until Sep 22 09:58:26 2026 GMT (825 days)
    
    Write out database with 1 new entries
    Database updated
    
    Notice
    ------
    Certificate created at:
    * D:/EasyRSA-3.1.7/pki/issued/p2cclient.com.crt
    
    Notice
    ------
    Inline file created:
    * D:/EasyRSA-3.1.7/pki/inline/p2cclient.com.inline
    
    
    EasyRSA Shell
    #
  13. View the client certificate and private key.
    • By default, the generated client certificate is stored in the D:\EasyRSA-3.1.7\pki\issued directory.

      In this example, the client certificate p2cclient.com.crt is generated.

    • By default, the generated client private key is stored in the D:\EasyRSA-3.1.7\pki\private directory.

      In this example, the client private key p2cclient.com.key is generated.