How to Install & Configure Easy-RSA

We use Easy-RSA version 3, a wrapper over complex openssl commands. Easy-RSA is available on GitHub and licensed under GPLv2.

Step 1: Install Easy-RSA Dependencies

The only dependency for Easy-RSA v3 is openssl, which is available from the openssl package on Ubuntu and other Debian-based operating systems, i.e. you can install it using:

sudo apt-get update

sudo apt-get install openssl

Step 2: Install Easy-RSA

Make sure you’re in the directory where you want Easy-RSA to live, then download it and extract it within that directory:


tar xzvf 3.0.1.tar.gz

rm 3.0.1.tar.gz

There should now be a directory named easy-rsa-3.0.1 in your current directory.

Step 3: Customize the Easy-RSA Configuration

We now create a config file named vars by copying the existing vars.example file and then editing it. You should change the country, province, city, org and email to the correct values for your organisation. (Note: The country, province, city, org and email are part of the Distinguished Name (DN).) The comments in the file explain what each of the variables mean.

cd easy-rsa-3.0.1/easyrsa3

cp vars.example vars

echo 'set_var EASYRSA_DN "org"' >> vars
echo 'set_var EASYRSA_KEY_SIZE 4096' >> vars

echo 'set_var EASYRSA_REQ_COUNTRY "DE"' >> vars
echo 'set_var EASYRSA_REQ_PROVINCE "Berlin"' >> vars
echo 'set_var EASYRSA_REQ_CITY "Berlin"' >> vars
echo 'set_var EASYRSA_REQ_ORG "BigchainDB GmbH"' >> vars
echo 'set_var EASYRSA_REQ_OU "IT"' >> vars
echo 'set_var EASYRSA_REQ_EMAIL ""' >> vars

Note: Later, when building a CA or generating a certificate signing request, you will be prompted to enter a value for the OU (or to accept the default). You should change the default OU from IT to one of the following, as appropriate: ROOT-CA, MongoDB-Instance, BigchainDB-Instance, MongoDB-Mon-Instance or MongoDB-Backup-Instance. To understand why, see the MongoDB Manual. There are reminders to do this in the relevant docs.

Step 4: Maybe Edit x509-types/server


Only do this step if you are setting up a self-signed CA.

Edit the file x509-types/server and change extendedKeyUsage = serverAuth to extendedKeyUsage = serverAuth,clientAuth. See the MongoDB documentation about x.509 authentication to understand why.