Create a TLS certification authority with Easy-RSA

Easy-RSA is a command line tool that significantly facilitates the establishment of a certification authority (CA or Certificate Authority) and the management of certificates. We will need it to set up a secure connection within a local network.

In CentOS, Easy-RSA theoretically exists as a package provided by the EPEL repository, but it is slightly obsolete and assumes that you are working as root. I will rather follow the recommendations of the Easy-RSA project and work as a single user. I place myself in my user directory to start the download of Easy-RSA.

Share Post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on skype
Share on pinterest
Share on email
Share on whatsapp

$ links

On the project page, I follow the Latest Release> v3.0.7> Download ZIP links and I leave Links.

I unzip the downloaded archive and do some cleaning.

$ unzip
$ rm

I place myself in the newly created tree and launch the initialization of a Public Key Infrastructure.

$ cd easy-rsa-3.0.7 / easyrsa3 /
$ ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/microlinux/easy-rsa-3.0.7/easyrsa3/pki

I create my CA certificate (Certificate Authority) by entering the fully qualified host name of my machine.

$ ./easyrsa build-ca

Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017

Enter New CA Key Passphrase: ********
Re-Enter New CA Key Passphrase: ********
Generating RSA private key, 2048 bit long modulus
………………… +++
……. +++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, The field will be left blank.
Common Name (your user, host, or server name) [Easy-RSA CA]: amandine.microlinux.lan

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:

InfoOur certification authority does not have to be created on the server itself. Security experts even recommend using a separate machine for this installation. Afterwards, nothing prevents you from configuring Easy-RSA on an air-gapped laptop that you keep in a safe stored in a tunnel under the pack ice in Alaska, according to your degree of paranoia.

From there, we can use Easy-RSA to sign our own certificates. This operation will be dealt with in detail in the articles to come.

The writing of this documentation requires time and significant quantities of espresso coffee. Enjoy this blog ? Offer the editor a coffee by clicking on the cup.


Follow Us