Help Center/
Virtual Private Network/
Administrator Guide/
Enterprise Edition P2C VPN/
Using Easy-RSA to Issue Certificates (Server and Client Using Different CA Certificates)
Updated on 2024-07-25 GMT+08:00
Using Easy-RSA to Issue Certificates (Server and Client Using Different CA Certificates)
Scenario
Easy-RSA is an open-source certificate management tool used to generate and manage digital certificates.
This example describes how to use Easy-RSA to issue certificates on the Windows operating system in the scenario where the server and client use different CA certificates. In this example, Easy-RSA 3.1.7 is used. For other software versions, visit the official website for the corresponding operation guide.
Procedure
- Download an Easy-RSA installation package to the D:\ directory based on your Windows operating system.
- 32-bit Windows operating system: Download EasyRSA-3.1.7-win32.zip.
- 64-bit Windows operating system: Download EasyRSA-3.1.7-win64.zip.
In this example, EasyRSA-3.1.7-win64 is downloaded.
- Decompress EasyRSA-3.1.7-win64.zip to a specified directory, for example, D:\EasyRSA-3.1.7.
- Go to the D:\EasyRSA-3.1.7 directory.
- Enter cmd in the address bar and press Enter to open the CLI.
- Run the .\EasyRSA-Start.bat command to start Easy-RSA.
Information similar to the following is displayed:
Welcome to the EasyRSA 3 Shell for Windows. Easy-RSA 3 is available under a GNU GPLv2 license. Invoke './easyrsa' to call the program. Without commands, help is displayed. EasyRSA Shell #
- Run the ./easyrsa init-pki command to initialize the PKI environment.
Information similar to the following is displayed:
Notice ------ 'init-pki' complete; you may now create a CA or requests. Your newly created PKI dir is: * D:/EasyRSA-3.1.7/pki Using Easy-RSA configuration: * undefined EasyRSA Shell #
After the command is executed, the pki folder is automatically generated in the D:\EasyRSA-3.1.7 directory.
- Set parameters.
- Copy the vars.example file in D:\EasyRSA-3.1.7 to the D:\EasyRSA-3.1.7\pki directory.
- Rename vars.example in the D:\EasyRSA-3.1.7\pki directory to vars.
By default, the vars file uses the same parameter settings as the vars.example file. You can also set parameters in the vars file as required.
- Generate a server CA certificate and private key.
- Copy the decompressed EasyRSA-3.1.7 folder to the D:\ directory, and rename the folder, for example, EasyRSA-3.1.7 - server.
- Go to the D:\EasyRSA-3.1.7 - server directory.
- In the address bar of the D:\EasyRSA-3.1.7 - server folder, enter cmd and press Enter to open the CLI.
- Run the .\EasyRSA-Start.bat command to start Easy-RSA.
Information similar to the following is displayed:
Welcome to the EasyRSA 3 Shell for Windows. Easy-RSA 3 is available under a GNU GPLv2 license. Invoke './easyrsa' to call the program. Without commands, help is displayed. EasyRSA Shell #
- Run the ./easyrsa build-ca nopass command to generate a CA certificate.
When this command is run, set [Easy-RSA CA] to the name of the server CA certificate as prompted, for example, p2cvpn_server.com.
Information similar to the following is displayed:
Using Easy-RSA 'vars' configuration: * D:/EasyRSA-3.1.7 - server/pki/vars Using SSL: * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023) ..+.....+...+..........+..+.......+..+..........+...+...+..+......+.......+...+++++++++++++++++++++++++++++++++++++++*.+++++++++++++++++++++++++++++++++++++++*..........+...........+...+......++++++ .......+.......+...+......+...+.....+...+...+++++++++++++++++++++++++++++++++++++++*......+.....+....+..+....+......+...+......+...+......+.....+.+++++++++++++++++++++++++++++++++++++++*.......+......+.......+..............+.+...+.....+....+........+.........+....+..+............+.+.....+....+...+...+...........+.+..+.+.........+.....+...+..................+.......+..+.......+.....+..........+......+..+.+.....+.+.....+....+.....+.......+...+.........+..+......+...+.......+...+.........+......+......+...........+....+......+...+..+...+......+...+.+.....+.......+..+.......+...+...+..+.............+........+.........+.+.........+........+....+.........+.....+.........+................+.....+.+........+.......+.....+.+........+....+..+...+..........+..+......+...+.........+................+......+.....+....+......+......+............+..+......+...+.......+.................+.+......+......+..+.+...........+.........+.........+.+......++++++ ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:p2cvpn_server.com //Set a name for the server CA certificate. Notice ------ CA creation complete. Your new CA certificate is at: * D:/EasyRSA-3.1.7 - server/pki/ca.crt EasyRSA Shell #
- View the server CA certificate and private key.
- By default, the generated CA certificate is stored in the D:\EasyRSA-3.1.7 - server\pki directory.
In this example, the certificate ca.crt is generated.
- By default, the generated CA private key is stored in the D:\EasyRSA-3.1.7 - server\pki\private directory.
In this example, the private key ca.key is generated.
- By default, the generated CA certificate is stored in the D:\EasyRSA-3.1.7 - server\pki directory.
- Run the ./easyrsa build-server-full p2cserver.com nopass command to generate a server certificate and private key.
In this command, p2cserver.com is the common name (CN) of the server certificate. Replace it with the actual CN. The CN must be in the domain name format; otherwise, the certificate cannot be managed by the Cloud Certificate Manager (CCM).
Information similar to the following is displayed:
Using Easy-RSA 'vars' configuration: * D:/EasyRSA-3.1.7 - server/pki/vars Using SSL: * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023) .+.+......+...+.....+......+...+.......+.....+.+...+..+...+....+.....+......+++++++++++++++++++++++++++++++++++++++*....+..+....+++++++++++++++++++++++++++++++++++++++*................+.......+..+.+..+...+......+.............+...+...+.........+........+.........+...+......+.+...+...+........+....+.....+.+............+.....+...+....+...........+....+..+......+.............+.........+........+...+.+......+.....+.......+......+.....+.+.....+....+.........+...+..+............+.+........+.........+.+..+.........+......+...+....+......+.....+....+......+.....+......+.............+...+........+.+.....+.+....................+.......+.....+.+..+.......+...++++++ ......+.....+...+.+.........+..+.+..+...+++++++++++++++++++++++++++++++++++++++*.......+...+........+....+...+..+...+++++++++++++++++++++++++++++++++++++++*..+.........+...+.......+......+.................+...+...+............+...+....+........+.........+..........+......+...+...........+.+..+............+.+........+....+...........+....+...........+......+.............+......+.....++++++ ----- Notice ------ Private-Key and Public-Certificate-Request files created. Your files are: * req: D:/EasyRSA-3.1.7 - server/pki/reqs/p2cserver.com.req * key: D:/EasyRSA-3.1.7 - server/pki/private/p2cserver.com.key You are about to sign the following certificate: Request subject, to be signed as a server certificate for '825' days: subject= commonName = p2cserver.com Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes //Enter yes to continue. Using configuration from D:/EasyRSA-3.1.7 - server/pki/openssl-easyrsa.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'p2cserver.com' Certificate is to be certified until Oct 6 03:28:14 2026 GMT (825 days) Write out database with 1 new entries Database updated Notice ------ Certificate created at: * D:/EasyRSA-3.1.7 - server/pki/issued/p2cserver.com.crt Notice ------ Inline file created: * D:/EasyRSA-3.1.7 - server/pki/inline/p2cserver.com.inline EasyRSA Shell # - View the server certificate and private key.
- By default, the generated server certificate is stored in the D:\EasyRSA-3.1.7 - server\pki\issued directory.
In this example, the certificate p2cserver.com.crt is generated.
- By default, the generated server private key is stored in the D:\EasyRSA-3.1.7 - server\pki\private directory.
In this example, the private key p2cserver.com.key is generated.
- By default, the generated server certificate is stored in the D:\EasyRSA-3.1.7 - server\pki\issued directory.
- Generate a client CA certificate and private key.
- Copy the decompressed EasyRSA-3.1.7 folder to the D:\ directory, and rename the folder, for example, EasyRSA-3.1.7 - client.
- Go to the EasyRSA-3.1.7 - client directory.
- In the address bar of the EasyRSA-3.1.7 - client folder, enter cmd and press Enter to open the CLI.
- Run the .\EasyRSA-Start.bat command to start Easy-RSA.
Information similar to the following is displayed:
Welcome to the EasyRSA 3 Shell for Windows. Easy-RSA 3 is available under a GNU GPLv2 license. Invoke './easyrsa' to call the program. Without commands, help is displayed. EasyRSA Shell #
- Run the ./easyrsa build-ca nopass command to generate a CA certificate.
Information similar to the following is displayed:
Using Easy-RSA 'vars' configuration: * D:/EasyRSA-3.1.7 - client/pki/vars Using SSL: * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023) .+++++++++++++++++++++++++++++++++++++++*.....+.+..+...+....+.....................+..+...+....+.........+.....+......+.+.....+....+++++++++++++++++++++++++++++++++++++++*....+...+...+...+............+.........++++++ .+.........+.........+.+......+...........+....+.....+.........+....+..+...+.+.........+......+......+...+.....+......+......+..........+++++++++++++++++++++++++++++++++++++++*.+.........+......+.+++++++++++++++++++++++++++++++++++++++*...........+................+..............+.........+.+...+.....................+..+....+.....+..........+...+...+..+.++++++ ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:p2cvpn_client.com //Set a name for the client CA certificate. Notice ------ CA creation complete. Your new CA certificate is at: * D:/EasyRSA-3.1.7 - client/pki/ca.crt EasyRSA Shell #
- View the client CA certificate and private key.
- By default, the generated CA certificate is stored in the D:\EasyRSA-3.1.7 - client\pki directory.
In this example, the certificate ca.crt is generated.
- By default, the generated CA private key is stored in the D:\EasyRSA-3.1.7 - client\pki\private directory.
In this example, the private key ca.key is generated.
- By default, the generated CA certificate is stored in the D:\EasyRSA-3.1.7 - client\pki directory.
- Run the ./easyrsa build-client-full p2cclient.com nopass command to generate a client certificate and private key.
In this command, the client certificate name (for example, p2cclient.com) must be different from the server certificate name (for example, p2cserver.com).
Information similar to the following is displayed:
Using Easy-RSA 'vars' configuration: * D:/EasyRSA-3.1.7 - client/pki/vars Using SSL: * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023) .+++++++++++++++++++++++++++++++++++++++*.........+.....+...+.+........+.+.....+.........+.+......+.....+++++++++++++++++++++++++++++++++++++++*..........+...+...+..+.......+...+..+.+.........+.....+.+..+.+....................+......+...............+.............+......+..+....+...+......+..+....+.....+.........+................+...+...+.....+....+.........++++++ .+..+..........+.........+++++++++++++++++++++++++++++++++++++++*...+..+++++++++++++++++++++++++++++++++++++++*.......+...............+......+.........+..............+....+.....+...+..................+....+...+........+....+.....+.+.....+...............++++++ ----- Notice ------ Private-Key and Public-Certificate-Request files created. Your files are: * req: D:/EasyRSA-3.1.7 - client/pki/reqs/p2cclient.com.req * key: D:/EasyRSA-3.1.7 - client/pki/private/p2cclient.com.key You are about to sign the following certificate: Request subject, to be signed as a client certificate for '825' days: subject= commonName = p2cclient.com Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from D:/EasyRSA-3.1.7 - client/pki/openssl-easyrsa.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'p2cclient.com' Certificate is to be certified until Oct 7 11:19:52 2026 GMT (825 days) Write out database with 1 new entries Database updated Notice ------ Certificate created at: * D:/EasyRSA-3.1.7 - client/pki/issued/p2cclient.com.crt Notice ------ Inline file created: * D:/EasyRSA-3.1.7 - client/pki/inline/p2cclient.com.inline EasyRSA Shell # - View the client certificate and private key.
- By default, the generated client certificate is stored in the D:\EasyRSA-3.1.7 - client\pki\issued directory.
In this example, the certificate p2cclient.com.crt is generated.
- By default, the generated client private key is stored in the D:\EasyRSA-3.1.7 - client\pki\private directory.
In this example, the private key p2cclient.com.key is generated.
- By default, the generated client certificate is stored in the D:\EasyRSA-3.1.7 - client\pki\issued directory.
Parent topic: Enterprise Edition P2C VPN
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
