It is a good idea to set up your own certificate authority, for example to issue certificates for VPN/WiFi clients. A convenient way to do it is to use Easy RSA. Let's start by installing the easy-rsa package:

# poldek -ivh easy-rsa

Create a directory for your CA. Here we will keep it in /root/CA, but any path will do:

# mkdir /root/CA

Copy the Easy RSA files into that directory, change into it and rename vars.example:

# cp -r /usr/share/easy-rsa/* /root/CA/
# cd /root/CA/
# mv vars.example vars

Now we need to configure this CA. Edit the vars file and uncomment/change options to fit your needs. We advise changing at least two of them:

set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_DIGEST "sha512"

This sets the default RSA key size to 4096 bits (not bytes) and the signature digest to SHA-512. Both apply to the CA key and certificate and to every key and certificate issued later.

We are ready to initialize the PKI directory and build our CA:

# ./easyrsa init-pki
# ./easyrsa build-ca

Now enter a passphrase for the CA key and the common name of your CA. That's all; your own CA is ready to use. Keep the CA key (pki/private/ca.key) protected, since anyone holding it can issue certificates your clients will trust. Let's create your first certificate request:

# ./easyrsa gen-req your.server.com

Enter a passphrase for the certificate key and fill in the certificate data. When done, sign the request, creating a 'server' certificate:

# ./easyrsa sign-req server your.server.com

Follow the on-screen instructions and that's it. The signed certificate lands in pki/issued/your.server.com.crt, its private key in pki/private/your.server.com.key, and the CA certificate that clients must trust is pki/ca.crt.

And here is an example of creating a wildcard certificate for your server. The request is generated with nopass, i.e. an unencrypted key, which is what a server daemon needs in order to start unattended; the wildcard and bare domain names go into the subjectAltName extension at signing time:

# ./easyrsa --batch --req-cn=example.org gen-req example.org nopass
# ./easyrsa --batch --subject-alt-name='DNS:*.example.org,DNS:example.org' sign-req server example.org
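The whole procedure above, as an added example that is not part of the TLD Linux page: a non-interactive POSIX shell script that copies Easy RSA, applies the two vars settings, builds the CA, issues a server certificate with SANs, and then checks the result with openssl (chain, key size, digest, serverAuth EKU, SAN entries, and that the key matches the certificate). It assumes Easy-RSA 3 is installed under /usr/share/easy-rsa (the path used above, overridable via EASYRSA_SRC), openssl is in PATH, and only the flags already used on this page (--batch, --req-cn, --subject-alt-name, nopass). The CA key is built with nopass here so the script can run unattended; for a real CA drop that word and type a passphrase when prompted.

```shell
#!/bin/sh
# Added example (not TLD Linux's code): the Easy RSA CA procedure as a script,
# plus an openssl verification of what the CA issued.
# Assumptions: Easy-RSA 3 files in $EASYRSA_SRC, openssl in PATH, CA kept in $CA_DIR.
set -eu

CA_DIR=${CA_DIR:-/root/CA}
EASYRSA_SRC=${EASYRSA_SRC:-/usr/share/easy-rsa}

# Build "DNS:a,DNS:b" from a list of host names: the form --subject-alt-name expects.
san_list() {
    out=""
    for h in "$@"; do
        out="${out:+$out,}DNS:$h"
    done
    printf '%s\n' "$out"
}

# Copy Easy RSA into CA_DIR, append the two recommended vars settings,
# initialize the PKI and build the CA with common name $1.
# "nopass" leaves the CA key unencrypted so this runs unattended (lab use only).
build_ca() {
    ca_cn=$1
    mkdir -p "$CA_DIR"
    cp -r "$EASYRSA_SRC"/* "$CA_DIR"/
    (
        cd "$CA_DIR"
        [ -f vars ] || cp vars.example vars
        cat >> vars <<'EOF'
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_DIGEST "sha512"
EOF
        ./easyrsa --batch init-pki
        ./easyrsa --batch --req-cn="$ca_cn" build-ca nopass
    )
}

# Generate a request for NAME ($1) and sign it as a server certificate whose
# subjectAltName lists the remaining arguments. The server key gets "nopass"
# because a daemon has to load it without a prompt.
issue_server_cert() {
    name=$1; shift
    (
        cd "$CA_DIR"
        ./easyrsa --batch --req-cn="$name" gen-req "$name" nopass
        ./easyrsa --batch --subject-alt-name="$(san_list "$@")" sign-req server "$name"
    )
}

# Check the issued certificate NAME ($1): chains to our CA, has the 4096-bit key
# and SHA-512 signature we configured, carries the serverAuth EKU, lists every
# expected SAN host (remaining arguments), and matches its private key.
# Each check returns 1 on failure so the caller can rely on the exit status.
verify_issued() {
    name=$1; shift
    crt="$CA_DIR/pki/issued/$name.crt"
    key="$CA_DIR/pki/private/$name.key"
    openssl verify -CAfile "$CA_DIR/pki/ca.crt" "$crt" >/dev/null || return 1
    text=$(openssl x509 -in "$crt" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (4096 bit)' || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha512WithRSAEncryption' || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
    for h in "$@"; do
        # -F: SAN hosts may contain '*' which would otherwise be a regex operator
        printf '%s\n' "$text" | grep -qF "DNS:$h" || return 1
    done
    [ "$(openssl x509 -in "$crt" -noout -modulus)" = "$(openssl rsa -in "$key" -noout -modulus)" ] || return 1
    return 0
}

# Usage (not run when the file is sourced by the test):
#   CA_DIR=/root/CA sh thisscript.sh
if [ "${1:-}" = "run" ]; then
    build_ca "My CA"
    issue_server_cert example.org example.org '*.example.org'
    verify_issued example.org example.org '*.example.org' && echo "example.org: issued and verified"
fi
```

The verification step is the part worth keeping around: run verify_issued on every certificate the CA hands out, because a vars file edited in the wrong place silently falls back to Easy RSA's defaults, and a certificate missing the wildcard SAN will look fine in the terminal and fail only when a browser or VPN client connects.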
© TLD Linux