easy-rsa pki

Scripts to manage certificates or generate config files

Post by lolex » Mon Dec 05, 2011 12:26 pm

Hello everyone,

I've been using openvpn for quite a long time now with absolutely no problems.
I have set up a pki with easy-rsa and signed certificates for a few clients, my openvpn server and an apache webserver.
I used this constellation to authenticate clients on both of the servers.

Now my needs have changed a bit and I want to set up a somehow "deeper" structure for my pki.
But my problem is that I don't know how to do this with easy-rsa.
I have found the inherit-inter (https://community.openvpn.net/openvpn/b ... erit-inter) script shipped with easy-rsa but I don't know how this works.

Here is a small diagram of how I want the setup to look.


    + sub-CA 1
            + SSL server certificate
            + SSL client certificate(s)
    + sub-CA 2
            + SSL server certificate
            + SSL client certificate(s)
    + sub-CA n

Can someone help me to achieve this with easy-rsa? Or do I need to use openssl by hand?

Thanks in advance for any reply.


Post by janjust » Mon Dec 05, 2011 3:41 pm

This is explained in my book, page 120 :D

The basic idea is:

    ./build-inter IntermediateCA
    <create new vars file pointing to new directory>
    <go to new dir>
    ./inherit-inter <full path to old dir> IntermediateCA.crt
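
The layout asked about in this thread (a root CA, then sub-CA 1, then a server certificate), built with plain openssl as an added example; it is not from either poster and is not easy-rsa's own code. All subject and file names are constructed, and it assumes OpenSSL 1.1.0 or later on the PATH. The last check shows that a verifier holding only the root rejects the server certificate until it is also given the intermediate.

```shell
#!/bin/sh
# Added example: root CA -> sub-CA -> server certificate with plain openssl.
# Every name here (Demo Root CA, sub-CA 1, server1, pki.cnf) is constructed.
# Keys are written unencrypted (-nodes) because this is a throwaway demo PKI.

build_pki() (   # $1 = empty working directory; the body runs in a subshell
    cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_subca]
# pathlen:0 = this CA may sign end-entity certificates but no further CAs
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed root CA
    openssl req -config pki.cnf -x509 -extensions v3_root -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null &&
    # Sub-CA: key and CSR, then signed by the root with CA extensions
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=sub-CA 1" -keyout sub1.key -out sub1.csr 2>/dev/null &&
    openssl x509 -req -in sub1.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions v3_subca -out sub1.crt 2>/dev/null &&
    # Server certificate: signed by the sub-CA, not by the root
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=server1" -keyout server1.key -out server1.csr 2>/dev/null &&
    openssl x509 -req -in server1.csr -CA sub1.crt -CAkey sub1.key -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions v3_server -out server1.crt 2>/dev/null &&
    # Chain file for relying parties: root first, then the intermediate
    cat root.crt sub1.crt > chain.crt
)

verify_leaf() {   # $1 = CA file the verifier trusts, $2 = PKI directory
    openssl verify -CAfile "$1" "$2/server1.crt" >/dev/null 2>&1
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR" || echo "openssl failed while building the demo PKI"
verify_leaf "$PKI_DIR/chain.crt" "$PKI_DIR" && echo "root + sub-CA 1 trusted: server1 verifies"
verify_leaf "$PKI_DIR/root.crt" "$PKI_DIR" || echo "root only: server1 rejected, intermediate missing"
```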
