We were deploying a solution for our customer, Pizza Hut/KFC Malaysia, which runs pfSense as the VPN gateway and firewall for a little under 300 outlets in Malaysia.
Each outlet has a unique "storeID". The outlet runs an OpenVPN daemon in the background which fires up a connection whenever its layer 2 link comes up.
Creating close to 300 certificates with OpenVPN's (v2.x.x) easy-rsa scripts on a CentOS box, one prompt at a time, isn't funny. So, being a lazy ass, I wrote a simple way to create these files fast!
This assumes you've got the whole works with OpenVPN and pfSense sorted. If not, read this great document here. Once the server side is done on pfSense, you will need to generate the peer certificates for (in this case, Pizza Hut's) 300 branches.
Snail factor
- build-key prompts, amongst other things, for the commonName (the client or server name) every time a certificate is generated
What is needed?
- A way to create the store certificates without any prompts, using a $variable$ to "insert" the commonName value. Each store then ends up with storeID.key, storeID.crt and storeID.csr.
How - Conceptually?
- Modify the build-key script so it no longer prompts
- Feed a variable into the environment which build-key picks up as the $variable$; it becomes both the filename and the commonName
How - Technically
(Assumptions: easyrsa is in /etc/openvpn/easyrsa and the keys are in /etc/openvpn/easyrsa/keys. In /etc/openvpn/easyrsa you have all the scripts, like build-ca and build-key.)
Create a file called build_batch in /etc/openvpn/easyrsa with the following lines and make it executable (chmod +x build_batch). The storeID is passed both as the KEY_CNAME environment variable (picked up by openssl.cnf, see below) and as build-key's filename argument.
#!/bin/sh
# build_batch <storeID>: issue a client certificate without any prompts
if test $# -ne 1; then
    echo "usage: build_batch <name>"
    exit 1
else
    export KEY_CNAME="$1"
    ./build-key "$1"
fi
Now edit (nano/vi) the openssl.cnf file in /etc/openvpn/easyrsa and look for the following lines:
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
Add a new line below them and save the file:
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
# Add this line below
commonName_default = $ENV::KEY_CNAME
Now edit (nano/vi) build-key in that same directory. At the end of the openssl req and openssl ca statements, add the -batch argument. With -batch, openssl never prompts: every subject field is taken from the _default values in openssl.cnf (which easy-rsa fills from the KEY_* variables in vars), so get vars right before you generate anything, because nothing will stop and ask.
This is how the relevant part of the original file looks:
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
Add -batch to each of the two lines, as below, and save the file:
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -batch -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -batch -config $KEY_CONFIG && \
Now you're ready to run in batch. But before that, feed the vars into the environment: in /etc/openvpn/easyrsa, source the vars file (. ./vars) so that KEY_CONFIG and the KEY_* defaults are set in the shell you run build_batch from.
Run a sample like this:
./build_batch test01
This builds test01.crt, test01.csr and test01.key automatically in /etc/openvpn/easyrsa/keys, with commonName test01 as well :)
Because build-key uses -nodes, these .key files are unencrypted; keep the keys directory readable by root only and hand each storeID.key to its outlet over a secure channel.
Done.
Now, if you want to do lots of these, use the Excel file below:
easy-rsa-linemaker.xls (Excel)
Use the Excel file (build-cert sheet) to generate the script lines (see the sample in the sheet) so you can copy and paste them into an SSH session in the appropriate directory.
Copy up to 50 lines at a time (to stay within the paste buffer) from the copypaster column and paste them into an SSH session in /etc/openvpn/easyrsa; the certificates are generated without any prompting. Quick and easy.
To remove/revoke certs, do the same but use the Excel's revoke-cert sheet. Note that revoking a certificate in the CA's index is not enough by itself: pfSense keeps accepting that certificate until a CRL containing it is generated and installed on the server.
<Ignore CRL/STR_COPY issues, I don't have CRLs defined>
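As an added example (not part of the original post or of the Excel sheet), here is a small POSIX shell equivalent of the copypaster column: it takes a plain list of storeIDs, validates each one, skips outlets that already have a key, and prints the build_batch lines for you to review and paste. The storeID list in the block is constructed for illustration and is not real data. The script assumes it is run from /etc/openvpn/easyrsa with the build_batch script from this post and easy-rsa's revoke-full script next to it, and with issued keys under keys/. The validation matters because every storeID becomes both a shell argument and a certificate commonName, and a stray spreadsheet cell should never reach the shell unchecked.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the lines the
# Excel "copypaster" column produces, from a plain list of storeIDs.
# Assumes: run from /etc/openvpn/easyrsa, build_batch and easy-rsa's
# revoke-full in the current directory, issued keys/certs under keys/.

# Constructed sample input (not real store IDs). Contains a duplicate,
# an ID with shell metacharacters, and one that already has a key.
SAMPLE_IDS='PH0001
KFC0042
PH0001
bad id;rm -rf keys
PH0003'

# A storeID ends up as a filename and as the commonName, so allow only
# [A-Za-z0-9_-] and at most 64 characters (commonName_max in openssl.cnf).
valid_store_id() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# make_build_lines "<ids, one per line>" <keys dir>
# Prints one ./build_batch line per unique, valid ID that has no key yet.
# Rejected and skipped IDs go to stderr so they never land in the paste.
make_build_lines() {
    ids=$1; keysdir=$2
    printf '%s\n' "$ids" | LC_ALL=C sort -u | while IFS= read -r id; do
        if [ -z "$id" ] || ! valid_store_id "$id"; then
            printf 'rejected (bad characters): %s\n' "$id" >&2
        elif [ -e "$keysdir/$id.key" ]; then
            printf 'skipped (key already exists): %s\n' "$id" >&2
        else
            printf "./build_batch '%s'\n" "$id"
        fi
    done
}

# make_revoke_lines "<ids, one per line>" <keys dir>
# Same idea for the revoke-cert sheet: one ./revoke-full line per ID that
# actually has an issued certificate.
make_revoke_lines() {
    ids=$1; keysdir=$2
    printf '%s\n' "$ids" | LC_ALL=C sort -u | while IFS= read -r id; do
        if [ -z "$id" ] || ! valid_store_id "$id"; then
            printf 'rejected (bad characters): %s\n' "$id" >&2
        elif [ -e "$keysdir/$id.crt" ]; then
            printf "./revoke-full '%s'\n" "$id"
        else
            printf 'skipped (no cert issued): %s\n' "$id" >&2
        fi
    done
}

# Demo run on the constructed list; keys/ does not need to exist for this.
make_build_lines "$SAMPLE_IDS" keys
```

Because the lines are printed rather than executed, you can eyeball them first; piping the output into sh runs the whole batch in one go, without the 50-line clipboard limit. For real use, replace SAMPLE_IDS with the contents of a file exported from the spreadsheet.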
If things mess up a lot, just run ./clean-all. Warning: this removes your CA, server and dh information, which you then need to repopulate inside pfSense.
After clean-all you must recreate all of the below (build-key-server takes your server's name as its argument):
./build-ca
./build-key-server <server-name>
./build-dh
Then re-run the steps above.