So we now have a working server; what we have to do now is create certificates for our users or ourselves.
If you want to, you can cheat here and create one certificate per user, which they can then use everywhere, but as I talked about before, if the device is ever lost or stolen you will have to set up all your other devices with the new key. So I have created a separate certificate for each device.
Since I am not the only person potentially going to use my VPN service, and I alone have four or five devices all needing access, I’ve gone with a naming scheme of USER.DEV. So for my Nexus 5 it’s stuart.nexus5 and my laptop is stuart.redtop (if you’d ever seen my laptop you’d understand… oh what the hell, here it is)
To create a device key just type
… and more prompts
Enter PEM pass phrase – Make this something you will remember; depending on the client you’re running, you may be asked to type it every time you want to connect.
A challenge password? – You still have to leave this blank.
Sign the certificate? [y/n] – The answer must be yes. You will be creating a ten-year certificate.
We now have an RSA key, but RSA keys have not been perfectly implemented everywhere, and if you want to connect your Android or iOS device we need a Triple DES (3DES) key. Triple DES is simply another encryption algorithm that applies its encryption three times to every block of data, making it harder for attackers to break by brute force. We can do this using the openssl command. All we need to do is input the old key and tell it what to produce:
OpenSSL will now prompt you for the password of the RSA (old) key, which you just entered, and ask you for a new password for the 3DES (new) key. I just used the same password for both keys; there is no loss of security as long as it was a good password, and no need for two separate passwords.
And that’s it. You’ve now created your first client-side key. You will have to repeat these steps for each device, but it’s simple enough: just keep changing your KEYNAME as appropriate.
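As an added example (not the post’s own commands, which prompt interactively), here is the conversion plus the two checks a practitioner would want afterwards, written as POSIX shell functions around the openssl CLI; the file names KEYNAME.key / KEYNAME.3des.key and the use of -passin/-passout to run non-interactively are assumptions. The conversion only changes the wrapper that encrypts the private key file at rest; the same_key check confirms the RSA key inside is unchanged.

```shell
#!/bin/sh
# Added example, not the post's own commands. Re-encrypts a client's PEM RSA
# private key under 3DES with the openssl CLI. KEYNAME follows the post's
# USER.DEV scheme (e.g. stuart.nexus5). File names and -passin/-passout are
# assumptions made so the functions can run without prompts.

# convert_to_3des KEYNAME OLDPASS NEWPASS
# Reads KEYNAME.key (the RSA key protected by OLDPASS) and writes
# KEYNAME.3des.key: the same key, protected by NEWPASS using Triple DES.
convert_to_3des() {
    keyname=$1; oldpass=$2; newpass=$3
    openssl rsa -in "$keyname.key" -passin "pass:$oldpass" \
        -des3 -passout "pass:$newpass" -out "$keyname.3des.key" 2>/dev/null || return 1
    chmod 600 "$keyname.3des.key"    # private key material: owner-only
}

# verify_3des KEYNAME PASS
# Succeeds only if KEYNAME.3des.key decrypts with PASS and passes OpenSSL's
# RSA consistency check, so a mistyped pass phrase is caught now rather than
# when the VPN client first tries to connect.
verify_3des() {
    openssl rsa -in "$1.3des.key" -passin "pass:$2" -check -noout >/dev/null 2>&1
}

# same_key KEYNAME OLDPASS NEWPASS
# Confirms that only the file's encryption wrapper changed: both files must
# contain the same RSA modulus.
same_key() {
    old=$(openssl rsa -in "$1.key" -passin "pass:$2" -noout -modulus 2>/dev/null) || return 1
    new=$(openssl rsa -in "$1.3des.key" -passin "pass:$3" -noout -modulus 2>/dev/null) || return 1
    [ -n "$old" ] && [ "$old" = "$new" ]
}
```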
In the final part of this tutorial we need to put everything together and tell OpenVPN about our configuration.
Run Your Own Certificate Authority
July 29, 2014
I’ve wanted to write an article on how I became my own certificate authority for some time, but while doing some research on it I came across an article by CyberPunk that fills the gap I wanted to fill. So instead I will just leave this link here.
OpenPGP establishes trust using the web of trust. If I trust you and you trust him, I can probably trust him too. This only works if I can trust you, though.
Our keys are important and maintaining them is vital; after all, they tell the world that we said this. Once a key has been made and published, that’s really it: it is now in the world until everything ends. So if you no longer have access to the key you have to let people know to stop using it too; this is called revocation. It’s a special signature you can sign your key with that will mark it as revoked. Once a key gets revoked no one will encrypt to it any more. The problem comes from the need to access the secret key in order to generate these, and if you have lost the secret key you can no longer revoke it, unless you did as you should have and created these revocation certificates beforehand.
Too many people put this off, or worse yet forget to, so I have created a small bash script to automate the process. You can download it below and see the source as well. Once downloaded you just need to change the KEYS variable to reflect the keys you wish to generate the certificates for. It will also back up your private and public keys – you have to keep these safe!