How to Install Easy-RSA on OpenBSD

In this tutorial, we will learn how to install the Easy-RSA package on OpenBSD to manage our OpenVPN certificate authority.

Easy-RSA is a small utility that allows us to easily set up and manage our own certificate authority (CA) for use with OpenVPN. We will be using the latest version of Easy-RSA from the official GitHub repository.

Here are the steps to follow:

Prerequisites

  • A server running OpenBSD
  • A user account with sudo or root privileges

Step 1: Install Git and OpenSSL

First, we need to install the Git and OpenSSL packages using the OpenBSD package manager, pkg_add. Run the following command to install the required packages:

sudo pkg_add git openssl

Step 2: Clone the Easy-RSA Repository

Now, we need to clone the latest version of the Easy-RSA repository from GitHub. Here’s how:

git clone https://github.com/OpenVPN/easy-rsa.git

This will create a new directory called “easy-rsa” in your current directory.

Step 3: Set up the Easy-RSA Environment

Now, we need to set up the Easy-RSA environment variables. Move to the Easy-RSA directory (in the Git checkout, the easyrsa script lives in the easyrsa3 subdirectory) and create a new file called vars that contains the following variables:

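# Easy-RSA 3 (the version in the Git repository) reads EASYRSA_* settings
# through set_var; the Easy-RSA 2.x "export KEY_*" names are ignored.
# The 2.x PKCS11_*, GREP and KEY_CONFIG settings are not used by Easy-RSA 3
# and are omitted here.
set_var EASYRSA_OPENSSL      "/usr/bin/openssl"
set_var EASYRSA_PKI          "$PWD/keys"
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_CA_EXPIRE    3650
set_var EASYRSA_CERT_EXPIRE  3650
# The organisational fields below are only used when the DN mode is "org".
set_var EASYRSA_DN           "org"
set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY     "SanFrancisco"
set_var EASYRSA_REQ_ORG      "Fort-Funston"
set_var EASYRSA_REQ_EMAIL    "[email protected]"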

You can modify the variables according to your requirements. Save the file and exit.

Step 4: Generate the Certificate Authority (CA)

Now we’re ready to generate the certificate authority. First, run the following command to initialize the PKI (public key infrastructure):

./easyrsa init-pki

This command initializes the public key infrastructure and generates the required directories inside the keys folder.

Next, we need to generate the root CA. Run the following command to generate the CA:

./easyrsa build-ca

This will generate a root certificate in the keys directory.
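
A quick check of what build-ca produced, as an added example that is not part of the original tutorial or of Easy-RSA. It assumes the Easy-RSA 3 PKI layout (ca.crt and private/ca.key under the PKI directory); the function name check_ca and its default thresholds are illustrative.

```shell
#!/bin/sh
# Added example: sanity checks on the output of "./easyrsa build-ca".
# Assumes the Easy-RSA 3 layout (PKI_DIR/ca.crt, PKI_DIR/private/ca.key);
# check_ca and its thresholds are illustrative, not part of Easy-RSA.
# Usage: check_ca PKI_DIR [MIN_RSA_BITS] [MIN_DAYS_LEFT]
check_ca() {
    pki=$1; min_bits=${2:-2048}; min_days=${3:-30}
    crt=$pki/ca.crt; key=$pki/private/ca.key; rc=0

    for f in "$crt" "$key"; do
        [ -f "$f" ] || { echo "FAIL: missing $f"; return 2; }
    done

    # The CA key signs every certificate the VPN trusts: owner-only access.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other; run: chmod 600 $key"
        rc=1
    fi

    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) ||
        { echo "FAIL: cannot parse $crt"; return 2; }

    # A root certificate must carry basicConstraints CA:TRUE.
    echo "$text" | grep -q 'CA:TRUE' ||
        { echo "FAIL: $crt is not a CA certificate"; rc=1; }

    # RSA modulus size, read from the certificate's public key.
    if echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(echo "$text" |
            sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        if [ "${bits:-0}" -lt "$min_bits" ]; then
            echo "FAIL: RSA key is ${bits:-unknown} bits, want >= $min_bits"
            rc=1
        fi
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 ||
        { echo "FAIL: $crt expires within $min_days days"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $crt and $key passed"
    return "$rc"
}
```

Source the file and pass the PKI directory that init-pki created, for example check_ca ./keys; a non-zero return means at least one check failed.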

Conclusion

That’s it! You have now successfully set up the Easy-RSA certificate authority on OpenBSD. You can now use the certificates generated by Easy-RSA to secure your OpenVPN connections.