[Slackbuilds-users] Best place to install the EasyRSA scripts?

Thomas Szteliga ts at websafe.pl
Sat Nov 5 01:43:14 UTC 2016

On 11/05/2016 01:56 AM, Rob McGee wrote:
> At least 3 problems I see with that as it implies:
>   1. that you have your CA on an openvpn server or client;
>   2. that you will be running these scripts as root;
>   3. that your CA is limited to use for openvpn.
> #1 is the big one, because that promotes insecure user practices; 
> Slackbuilds.org MUST NOT do that.

I'm aware. I have a separated isolated VM just for generating
CA's, keys and testing configs for multiple servers/clients.

> Admittedly I have never been in the position of having to support 
> multiple servers, but I'd still only maintain a single CA for all of 
> them in any given organization.  If you need to restrict access on 
> any given server, use a --client-config-dir and --ccd-exclusive 
> (touch a file in the CCD for any permitted client's commonName on 
> that server instance.)

I have individual CA's for each server, even when in a single
organization and of course if clients of a single server
need individual settings ccd's are used.

> Hehe, actually I don't have any strong feelings against this 
> suggestion.  It's as good as any.

I think /usr/doc/easy-rsa is way better than /usr/doc/easy-rsa-<VERSION>
/usr/libexec somehow feels really wrong.

CentOS: /usr/share/easy-rsa/
Archlinux: /etc/easy-rsa
FreeBSD: /usr/local/share/easy-rsa

>> and users will have to copy the contents of /usr/share/easyrsa
>> to a writable location like /etc/openvpn/server/server1/easyrsa
> Eeek!  How about /home/ca/<name-of-CA> ?

Oh no, really, a user for each CA? ;-)

And just another fun-fact ;-)

If you are using Linux, BSD, or a unix-like OS, open a shell and cd to
the easy-rsa subdirectory. If you installed OpenVPN from an RPM or DEB
file, the easy-rsa directory can usually be found in
/usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it's best to
copy this directory to another location such as /etc/openvpn, before any
edits, so that future OpenVPN package upgrades won't overwrite your
modifications). If you installed from a .tar.gz file, the easy-rsa
directory will be in the top level directory of the expanded source tree.


"it's best to copy this directory to another location such as
/etc/openvpn" :-))))

It's from the official howto:

Thomas Szteliga

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3719 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20161105/ece00f11/attachment.p7s>

More information about the SlackBuilds-users mailing list