[Slackbuilds-users] Easy-rsa package (from OpenVPN) on SBo

Rob McGee rob0 at slackbuilds.org
Wed Nov 2 15:47:07 UTC 2016

On Wed, Nov 02, 2016 at 01:38:16PM +0000, Sebastian Arcus wrote:
> OpenVPN used to include scripts to manage certificate authorities, 
> keys and certificates. These were bundled under the easy-rsa 
> scripts, in /usr/share/docs/openvpn/easy-rsa - if I remember 
> correctly, in Slackware.
> At some point in time, the OpenVPN maintainers decided to spin them 
> off separately (https://github.com/OpenVPN/easy-rsa) - and from 
> that moment on, they disappeared from Slackware. As this is only 
> (relatively) easy way I'm aware of generating a CA for Openvpn, 
> together with corresponding server and client certificates and 
> keys, ...

The idea of generating a key anywhere other than on the client who 
would be using it was part of the "easy" in easy-rsa, but it is 
incorrect from a security perspective.  Users should generate their 
own key and CSR (certificate signing request), and send the CA only 
the CSR.  The key should be securely maintained and not sent via 
insecure means.

> I've asked several times on LQ if they could be included back 
> in Slackware - without success.

Did you try emailing Pat directly?  He might not see some things 
posted on LQ.

> I'm thinking of making an easy-rsa package for SBo, to make it easy 
> to add them back to Slackware. What do people think? Good idea, bad 

When you install such a thing to a location writable only by root, 
people get the bad idea to run it as root.  Worse, they often run it 
on the OpenVPN server itself.  Then some others get the harebrained 
idea to put easy-rsa on a VM ... uh, no!  Cryptography requires 
entropy (random data), and a VM has no means of getting entropy.

None of these caveats say that SBo should not have a build for 
easy-rsa; just perhaps that a good stern README should be added 
(maybe the upstream one covers all this?)

I have run my CA in a dedicated user account on a physical machine 
which is not a VPN client nor server.  (No, I am not suggesting we 
should add a UID/GID for easy-rsa, but rather that this is one of 
several ways to DTRT.)

> idea? Maybe they are redundant and there are other tools in place 
> already doing this job? 

They are just scripts which wrap around openssl commands.  It's 
possible (albeit not easy, BTDT) to read them and figure out what 
they're doing.
    Rob McGee - /dev/rob0 - rob0 at slackbuilds.org

More information about the SlackBuilds-users mailing list