What does HackerNews think of easy-rsa?

easy-rsa - Simple shell based CA utility

Language: Shell

Easy-rsa to the rescue. Been using it for a while, works great and makes life easier :)

Link: https://github.com/OpenVPN/easy-rsa

Summary from that page:

easy-rsa is a CLI utility to build and manage a PKI CA. In layman's terms, this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).

Depending on the criticality of your protected service, you could probably just be your own Certificate Authority, and publish the root certificate internally. How many machines are we talking about?

A local PKI is probably overkill. Do you intend to give every single coworker a certificate on their own smartcard? If not, PKI is most probably not needed.

https://github.com/OpenVPN/easy-rsa + two USB thumb drives in a safe (primary + backup) + one off-site in another safe.

Client certificates are kind of hard to ask a global PKI for, because you usually use some internal names, not public FQDNs...

Personally, I tend to use the easy-rsa set of scripts https://github.com/OpenVPN/easy-rsa.

Initially they used to come as goodies with OpenVPN, but they are now provided as a standalone project.

They are already packaged and available in most distributions (easy-rsa package under Debian for example).

They are probably a little bit more complex to use, but it's far from horrible, and it's quite battle tested.

Easy-rsa[1] (OpenVPN's key/cert generation/signing tool) version 3 will generate a 2048-bit Diffie-Hellman key by default. Previous versions of easy-rsa used 1024-bit as the default.

Here is a comment written in the vars configuration file for easy-rsa 2.2.2:

    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=1024

So if you used easy-rsa version 2.2.2 or previous to generate your Diffie-Hellman key for the server, and didn't increase the default size in the vars file before doing so, your server uses a 1024-bit Diffie-Hellman key.

[1]https://github.com/OpenVPN/easy-rsa

While not the only one out there[1], I've been hacking a cli tool written in bash[2] to streamline the OpenSSL commands geared toward a PKI/CA workflow. I started it mainly for my overall learning of OpenSSL from nothing and for my small scale needs with my CoreOS servers.

What I learned from this exercise is that it's not the complexity of the commands that is the issue with OpenSSL, it's:

1) The importance of consistent naming schemes (for the humans) and PKI hierarchy design (the nuances of keyUsage, basicConstraints, and extendedKeyUsage)

2) consistent execution of commands; typos are more likely the more you have to put in the CLI manually

3) good configuration files aren't utilized enough in most of the tutorials I found. They can streamline use, archive procedure, and prevent typos as in point #2.

4) The importing of certs and keys in an automatic way is a sort of dark corner of the tutorial world. But permissions are super important! I came up with an import strategy that I think works pretty well.[3] Please examine and break it!

[1]https://github.com/OpenVPN/easy-rsa

[2]https://github.com/brianclements/pkictl

[3]https://github.com/brianclements/pkictl#import

From the TLS sysadmin deployment guide (https://weakdh.org/sysadmin.html):

> Generate a Strong, Unique Diffie Hellman Group. A few fixed groups are used by millions of servers, which makes them an optimal target for precomputation, and potential eavesdropping. Administrators should generate unique, 2048-bit or stronger Diffie-Hellman groups using "safe" primes for each website or server.

Is this why with the easy-rsa package (https://github.com/OpenVPN/easy-rsa) one should always build a dh pair first? People are using pre-seeded ones when they do not use this tool first!? That is scary.
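As an added example (not from any of the comments above or from the easy-rsa project), a Python check for the two things those comments worry about: the KEY_SIZE default in an easy-rsa 2.x vars file and the actual bit length of the prime in a generated dh.pem, read from its PKCS#3 DER encoding. The make_dh_pem helper and the sample moduli are constructed for the test only and are not safe primes; real parameters come from easy-rsa or openssl.

```python
import base64
import re
MIN_DH_BITS = 2048  # minimum recommended in the weakdh.org guidance quoted above

def _der_tlv(tag, value):
    """Encode one DER tag-length-value (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + value

def _der_int(n):
    """DER INTEGER; a leading 0x00 keeps values with the high bit set positive."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _der_tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def make_dh_pem(p, g=2):
    """Test helper: PKCS#3 'DH PARAMETERS' PEM (SEQUENCE { INTEGER p, INTEGER g }); p unchecked."""
    der = _der_tlv(0x30, _der_int(p) + _der_int(g))
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")

def _der_read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a 'DH PARAMETERS' PEM (what easy-rsa's dh.pem holds)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _der_read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    tag_p, p_bytes, _ = _der_read_tlv(seq, 0)  # first element of the SEQUENCE is p
    if tag != 0x30 or tag_p != 0x02:
        raise ValueError("not a DHParameter structure")
    return int.from_bytes(p_bytes, "big").bit_length()

def vars_key_size(vars_text):
    """KEY_SIZE from an easy-rsa 2.x vars file; the last uncommented assignment wins."""
    hits = re.findall(r"^\s*(?:export\s+)?KEY_SIZE=(\d+)\s*$", vars_text, re.M)
    return int(hits[-1]) if hits else None

# Constructed samples: the easy-rsa 2.2.2 vars default quoted above and a fake 1024-bit modulus.
VARS_222 = "# Increase this to 2048 if you\n# are paranoid.\nexport KEY_SIZE=1024\n"
WEAK_PEM = make_dh_pem((1 << 1023) | 1)
```

Compare each value against MIN_DH_BITS: the constructed vars file and dh.pem both come out at 1024 and should be flagged, while a 2048-bit modulus passes.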

Cool guide, makes me want to learn more about BSD and pf. I've been doing this but with a Linux VPS, iptables and EasyRSA3[0][1].

[0]https://github.com/OpenVPN/easy-rsa

[1]https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-....