How to Install & Configure Easy-RSA
We use Easy-RSA version 3, a wrapper over complex openssl commands. Easy-RSA is available on GitHub and licensed under GPLv2.
Step 1: Install Easy-RSA Dependencies
The only dependency for Easy-RSA v3 is openssl, which is available from the openssl package on Ubuntu and other Debian-based operating systems, i.e. you can install it using:
sudo apt-get update
sudo apt-get install openssl
Step 2: Install Easy-RSA
Make sure you're in the directory where you want Easy-RSA to live, then download it and extract it within that directory:
wget https://github.com/OpenVPN/easy-rsa/archive/3.0.1.tar.gz
tar xzvf 3.0.1.tar.gz
rm 3.0.1.tar.gz
There should now be a directory named easy-rsa-3.0.1 in your current directory.
Step 3: Customize the Easy-RSA Configuration
We now create a config file named vars by copying the existing vars.example file and then editing it. You should change the country, province, city, org and email to the correct values for your organisation. (Note: The country, province, city, org and email are part of the Distinguished Name (DN).) The comments in the file explain what each of the variables means.
cd easy-rsa-3.0.1/easyrsa3
cp vars.example vars
echo 'set_var EASYRSA_DN "org"' >> vars
echo 'set_var EASYRSA_KEY_SIZE 4096' >> vars
echo 'set_var EASYRSA_REQ_COUNTRY "DE"' >> vars
echo 'set_var EASYRSA_REQ_PROVINCE "Berlin"' >> vars
echo 'set_var EASYRSA_REQ_CITY "Berlin"' >> vars
echo 'set_var EASYRSA_REQ_ORG "BigchainDB GmbH"' >> vars
echo 'set_var EASYRSA_REQ_OU "IT"' >> vars
echo 'set_var EASYRSA_REQ_EMAIL "dev@bigchaindb.com"' >> vars
Note: Later, when building a CA or generating a certificate signing request, you will be prompted to enter a value for the OU (or to accept the default). You should change the default OU from IT to one of the following, as appropriate: ROOT-CA, MongoDB-Instance, BigchainDB-Instance, MongoDB-Mon-Instance or MongoDB-Backup-Instance. To understand why, see the MongoDB Manual. There are reminders to do this in the relevant docs.
Step 4: Maybe Edit x509-types/server
Warning: Only do this step if you are setting up a self-signed CA.
Edit the file x509-types/server and change
extendedKeyUsage = serverAuth
to
extendedKeyUsage = serverAuth,clientAuth
See the MongoDB documentation about x.509 authentication to understand why.
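Steps 3 and 4 above are easy to get wrong when repeated (duplicate set_var lines, or a second edit of x509-types/server that leaves two extendedKeyUsage entries). The script below is an added example, not code from the BigchainDB docs or from Easy-RSA itself: it applies the vars settings and the clientAuth edit idempotently and refuses a key size below 2048 bits. It assumes an easyrsa3 directory containing vars.example and x509-types/server; all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the BigchainDB docs or Easy-RSA). Assumes an Easy-RSA 3
# checkout directory holding vars.example and x509-types/server.
set -eu

# Append "set_var NAME VALUE" to a vars file only if NAME is not set there yet,
# so re-running never duplicates a line or silently changes an earlier value.
set_var_once() {
  vars_file=$1; name=$2; value=$3
  if grep -qE "^set_var[[:space:]]+$name([[:space:]]|$)" "$vars_file"; then
    return 0
  fi
  printf 'set_var %s %s\n' "$name" "$value" >> "$vars_file"
}

# Read the configured EASYRSA_KEY_SIZE (0 if unset) so a caller can refuse
# to build a CA whose key is shorter than policy allows.
key_size_of() {
  awk '$1=="set_var" && $2=="EASYRSA_KEY_SIZE" {v=$3} END {gsub(/"/,"",v); print v+0}' "$1"
}

# Make the server template issue certificates valid for both serverAuth and
# clientAuth, as Step 4 requires for MongoDB x.509 authentication.
# Idempotent: leaves the file alone if clientAuth is already listed.
enable_client_auth() {
  server_type=$1
  if grep -q '^extendedKeyUsage[[:space:]]*=.*clientAuth' "$server_type"; then
    return 0
  fi
  sed -i 's/^extendedKeyUsage[[:space:]]*=[[:space:]]*serverAuth[[:space:]]*$/extendedKeyUsage = serverAuth,clientAuth/' "$server_type"
}

# Prepare an easyrsa3 directory with the Step 3 settings, using the OU passed
# as the second argument (e.g. ROOT-CA or MongoDB-Instance).
prepare_easyrsa() {
  dir=$1; ou=$2
  [ -f "$dir/vars" ] || cp "$dir/vars.example" "$dir/vars"
  set_var_once "$dir/vars" EASYRSA_DN '"org"'
  set_var_once "$dir/vars" EASYRSA_KEY_SIZE 4096
  set_var_once "$dir/vars" EASYRSA_REQ_COUNTRY '"DE"'
  set_var_once "$dir/vars" EASYRSA_REQ_OU "\"$ou\""
  [ "$(key_size_of "$dir/vars")" -ge 2048 ] || { echo "EASYRSA_KEY_SIZE below 2048" >&2; return 1; }
  enable_client_auth "$dir/x509-types/server"
}

# Usage: sh prepare.sh ./easy-rsa-3.0.1/easyrsa3 ROOT-CA
if [ $# -eq 2 ]; then
  prepare_easyrsa "$1" "$2"
fi
```

Running it a second time on the same directory is safe: every set_var line and the extendedKeyUsage edit are applied at most once.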