
I am using OpenVPN and, whilst I can generate certificates using easyrsa just fine, I don't really understand the settings in the easyrsa vars file:

export KEY_COUNTRY=""
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG=""
export KEY_EMAIL=""
# KEY_EMAIL is assigned twice in the stock easy-rsa 2 vars file; the later line wins
export KEY_EMAIL=
export KEY_CN=
export KEY_NAME=
export KEY_OU=
export PKCS11_MODULE_PATH=
export PKCS11_PIN=1234

Can anyone explain these settings?

ilium007

1 Answer

These are the settings for the certificate (a certificate is a public key plus this information, signed by a Certificate Authority).

So in your case, these are your country (where you live, where your company is), province (same), city (same), organization name, email, common name (unique for this CA), name, and organizational unit, in this order.

The last two lines are a path and a pin for PKCS11 (usually for smartcards).

I guess you're using easy-rsa; if you don't set these variables, it asks you for them when you run the tool to generate a certificate.

mulaz
  • Thanks - what I also wanted to know was how do I come up with values for KEY_CN, KEY_NAME and KEY_OU, and do I keep these the same across the build-ca script and the build-key-server and build-key scripts? – ilium007 Dec 16 '12 at 01:02
  • Only CN has to be unique, so consider using users' usernames or something similar. OU can be anything you wish (marketing, engineering, or even empty). – mulaz Dec 16 '12 at 01:23
  • It seems that it's better to leave the CN unset, because otherwise you have to override it each time with `KEY_CN=foobar ./pkitool foobar` when creating a key. – isaaclw Jul 03 '13 at 02:33
  • Additional info on why KEY_CN is important: if the KEY_CN is not unique, OpenVPN starts disconnecting clients with the same common name unless the `duplicate-cn` setting is enabled (it is disabled by default). – Roland Pihlakas Oct 19 '17 at 02:09
  • More info, and links, in Wikipedia: https://en.wikipedia.org/wiki/Certificate_signing_request – MikeW Jun 05 '19 at 09:16
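An added example, not from the question, the answer or the easy-rsa project, that ties together the two points made above: how the KEY_* values become the fields of the certificate subject in the order the answer lists them, and a pre-flight check that a requested KEY_CN is not already held by a valid certificate in the CA's index.txt, which is what keeps the `duplicate-cn` problem from the comments from arising. The vars file, the index.txt entries, the directory under TMPDIR and the function names (`build_subject`, `cn_in_use`, `plan_cert`) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the question, the answer, or easy-rsa itself.
# (1) build_subject shows how the KEY_* values from the vars file end up as the
#     certificate subject (DN), in the order the answer lists them;
# (2) cn_in_use / plan_cert check a requested KEY_CN against the CA's index.txt
#     so that no second valid certificate is issued with a common name already
#     in use (OpenVPN drops clients sharing a CN unless duplicate-cn is set).
# All file names and data below are constructed for the example.

WORK="${TMPDIR:-/tmp}/easyrsa-vars-example"
mkdir -p "$WORK"

# Constructed vars file in the same shape as the one quoted in the question.
cat > "$WORK/vars" <<'EOF'
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Example-Org"
export KEY_EMAIL="admin@example.test"
export KEY_OU="VPN"
export KEY_NAME="client-cert"
EOF

# Constructed keys/index.txt in the OpenSSL CA database layout easy-rsa uses:
# status (V valid / R revoked), expiry, revocation date, serial, file, subject DN,
# tab-separated. "bob" is revoked, so his CN may be reused.
printf 'V\t221231235959Z\t\t01\tunknown\t/C=US/ST=CA/O=Example-Org/CN=vpn-server/name=server\n' > "$WORK/index.txt"
printf 'V\t221231235959Z\t\t02\tunknown\t/C=US/ST=CA/O=Example-Org/CN=alice/name=client-cert\n' >> "$WORK/index.txt"
printf 'R\t221231235959Z\t200101000000Z\t03\tunknown\t/C=US/ST=CA/O=Example-Org/CN=bob/name=client-cert\n' >> "$WORK/index.txt"

# Compose the subject in the field order the answer gives:
# country, province, city, organization, organizational unit, common name, name, email.
# $1 = vars file, $2 = common name for this particular certificate
build_subject() {
    . "$1"
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/name=%s/emailAddress=%s\n' \
        "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" "$KEY_ORG" \
        "$KEY_OU" "$2" "$KEY_NAME" "$KEY_EMAIL"
}

# Exit 0 if a *valid* (status V) certificate with this CN already exists, 1 otherwise.
# Revoked (R) entries do not count, so a revoked user's CN can be re-issued.
# $1 = index.txt, $2 = common name to check
cn_in_use() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "CN=" cn) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Pre-flight for issuing a certificate: refuse a CN that is taken, otherwise
# print the subject it would be issued with.
# $1 = vars file, $2 = index.txt, $3 = requested common name
plan_cert() {
    if cn_in_use "$2" "$3"; then
        echo "refusing: a valid certificate with CN=$3 already exists in $2" >&2
        return 1
    fi
    build_subject "$1" "$3"
}

# Demo: carol is new and gets a subject; alice is already issued and is refused.
plan_cert "$WORK/vars" "$WORK/index.txt" carol
plan_cert "$WORK/vars" "$WORK/index.txt" alice || echo "(alice refused, as intended)"
```

In real easy-rsa 2 the subject is assembled by OpenSSL, not by a printf: its openssl.cnf reads the exported variables as `$ENV::KEY_COUNTRY`-style defaults for each DN field, which is why the answer says the tool prompts for anything left unset. The `cn_in_use` check is the part worth keeping: run it (or the equivalent grep over keys/index.txt) before build-key, and a clash is caught at issue time instead of showing up later as clients being disconnected.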