{"id":482,"date":"2013-05-21T11:17:09","date_gmt":"2013-05-21T09:17:09","guid":{"rendered":"http:\/\/songoku.homelinux.com\/wordpress\/?p=482"},"modified":"2013-05-21T11:17:09","modified_gmt":"2013-05-21T09:17:09","slug":"easyrsa-for-pfsense-1-2-3","status":"publish","type":"post","link":"https:\/\/ndk.sytes.net\/wordpress\/?p=482","title":{"rendered":"Easyrsa for pfSense 1.2.3"},"content":{"rendered":"<p>\n\tYou can use easy-rsa on pfSense to generate your OpenVPN keys.\n<\/p>\n<p>\n\tWARNING: This may not be the ideal situation for deploying your PKI. If your OpenVPN server is compromised, your entire PKI will be compromised. This is typically of very little concern, as access to the firewall is highly restricted, and in most networks it&#39;s likely the most secure and least accessible device on the network.\n<\/p>\n<h3>\n\tInstall<br \/>\n<\/h3>\n<p>\n\tJust run the following from an SSH session:\n<\/p>\n<p>\n\t<em># fetch -o -&nbsp;<a href=\"http:\/\/files.pfsense.org\/misc\/easyrsa-setup.txt\" rel=\"nofollow\">http:\/\/files.pfsense.org\/misc\/easyrsa-setup.txt<\/a>&nbsp;| \/bin\/sh<\/em>\n<\/p>\n<p>\n\tThis will download the files, extract them, and remove the downloaded file. After doing this, you will be prompted to run the next step manually. Copy and paste the last line displayed to generate your certificates (NOTE: If you have gone through this process previously, repeating this will wipe out all your existing certificates!)\n<\/p>\n<p>\n\t<em># cd \/root\/easyrsa4pfsense &amp;&amp; .\/PFSENSE_RUN_ME_FIRST<\/em>\n<\/p>\n<p>\n\tThis will first prompt you for your location and organization information, to be used when generating the certificate authority and initial certificates, and as defaults when creating additional certificates in the future. It will then create your certificate authority, a server certificate, and one client certificate. 
These files can be found in the \/root\/easyrsa4pfsense\/keys\/ directory.\n<\/p>\n<p>\n\tIf you are prompted for a challenge password, you most likely will want to leave it blank. Press enter at the challenge password prompt, and again on the confirm prompt.\n<\/p>\n<h3>\n\tCreating a client key<br \/>\n<\/h3>\n<p>\n\tTo create a new client key, SSH into the firewall, choose option 8 and run:\n<\/p>\n<p>\n\t<em># cd \/root\/easyrsa4pfsense<br \/>\n\t#&nbsp;<span style=\"line-height: 1.6em;\">source vars<br \/>\n\t#&nbsp;<\/span><span style=\"line-height: 1.6em;\">.\/build-key clientXXXX<\/span><\/em>\n<\/p>\n<p>\n\t<span style=\"line-height: 1.6em;\">Where clientXXXX is the name of the client.<\/span>\n<\/p>\n<p>\n\tYou&#39;ll then find the client&#39;s keys in \/root\/easyrsa4pfsense\/keys\/\n<\/p>\n<h3>\n\tRevoke a client key<br \/>\n<\/h3>\n<p>\n\tTo revoke the key for client1:\n<\/p>\n<p>\n\t<em># cd \/root\/easyrsa4pfsense\/<br \/>\n\t<span style=\"line-height: 1.6em;\"># source vars<\/span><br \/>\n\t<span style=\"line-height: 1.6em;\"># .\/revoke-full client1<\/span><\/em>\n<\/p>\n<p>\n\tWhich will update the crl.pem file, the contents of which need to go into the pfSense OpenVPN GUI in the CRL field.\n<\/p>\n<p>\n\tsource: <a href=\"http:\/\/doc.pfsense.org\/index.php\/Easyrsa_for_pfSense\" target=\"_blank\">PFSense Docs<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You can use easy-rsa on pfSense to generate your OpenVPN keys. WARNING: This may not be the ideal situation for deploying your PKI. If your OpenVPN server is compromised, your entire PKI will be compromised. 
This is typically of very little concern, as access to the firewall is highly restricted, and in most networks it&#39;s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,7],"tags":[],"class_list":["post-482","post","type-post","status-publish","format-standard","hentry","category-linuxunix","category-servers"],"_links":{"self":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=482"}],"version-history":[{"count":0,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/482\/revisions"}],"wp:attachment":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}