Generating the certificates and keys required for the VPN

Install the certtool CLI (shipped with GnuTLS)

Debian

$ sudo apt-get install gnutls-bin 

CentOS / RHEL

$ sudo yum install gnutls-utils

Generate CA Certs and Keys

The CA private key (ca-key.pem) signs every server and client certificate below, so anyone holding it can issue certificates the VPN will accept. Keep it off the VPN server and restrict access to it; only ca-cert.pem needs to be copied to the server and to clients.

Generate CA Template

$ cat << _EOF_ >ca.template
#Certificate Authority Certificates

# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "YourOrg"

# The organizational unit of the subject.
unit = "YourDepartment"

# The state of the certificate owner.
state = "YourState"

# The country of the subject. Two-letter ISO 3166-1 code (e.g. GR), not a full name.
country = XX

# The common name of the certificate owner.
cn = "YourCommonName"

# The serial number of the certificate. Should be incremented each time a new certificate is generated.
serial = 001

# In how many days, counting from today, this certificate will expire.
expiration_days = 3650

# Whether this is a CA certificate or not
ca

# Whether this key will be used to sign other certificates.
cert_signing_key

# Whether this key will be used to sign CRLs.
crl_signing_key
_EOF_

Generate CA Private Key

certtool's default key type and size depend on the GnuTLS version, so pin the strength explicitly with --sec-param=high. Run the command under a restrictive umask so the key file is not readable by other users; do not rely on certtool's defaults for file permissions.

$ (umask 077; certtool --generate-privkey --sec-param=high --outfile ca-key.pem)

Generate CA Self Signed Certificate

$ certtool --generate-self-signed --load-privkey ca-key.pem --template ca.template --outfile ca-cert.pem

Generating Server Certs and Keys

Generate Server Template

$ cat << _EOF_ >server.template
cn = "VPN server"
# Must match the host name clients connect to, or they will fail to verify the certificate.
dns_name = "<your-host-name>"
# Optional: only needed if clients connect by IP address instead of host name.
#ip_address = "<your-host-ip>"
organization = "YourOrg"
# -1 would mean "never expires"; give the server certificate a bounded lifetime so a
# leaked key eventually ages out even if no CRL is ever published. Re-run this step
# before it lapses.
expiration_days = 365
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

Generate Server Private Key

Same precautions as for the CA key: pin the key strength and keep the file private. Only the VPN server needs server-key.pem.

$ (umask 077; certtool --generate-privkey --sec-param=high --outfile server-key.pem)

Generate Server Certificate

$ certtool --generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.template --outfile server-cert.pem

Generating Client Certificates

Generate Client Template

$ cat << _EOF_ >user1.template
cn = "user1"
unit = "admins"
expiration_days = 365
signing_key
tls_www_client
_EOF_

Generate Client Private Key

$ (umask 077; certtool --generate-privkey --sec-param=high --outfile user1-key.pem)

Generate Client Certificate

The private key is read from user1-key.pem (generated above) and the signed certificate is written to a separate file, user1-cert.pem, mirroring the server naming.

$ certtool --generate-certificate --load-privkey user1-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template user1.template --outfile user1-cert.pem

Generate Client P12

certtool prompts for an export password. That password is the only protection on the private key while the bundle is delivered to the user, so choose a strong one and hand over the password and the .p12 file through different channels. 3des-pkcs12 is kept only for compatibility with older importers; prefer --pkcs-cipher aes-256 when the VPN client accepts it.

$ certtool --to-p12 --load-privkey user1-key.pem \
--pkcs-cipher 3des-pkcs12 \
--load-certificate user1-cert.pem \
--outfile user1.p12 --outder