Giving access to a new user
To allow a client to access the VPN server, you just have to create a client certificate following the procedure below; no configuration changes are needed on the server (the server automatically allows client certificates signed with our master certificate).
- Log into vpn.fsfe.org:/root/wrk/vpn/easy-rsa
- Source the ./vars file
- Choose a nickname for the certificate (CERTNAME in the example below); we usually choose the surname of the person requesting the certificate.
- Answer all questions with the default answer, except for:
- - Common Name: if it's a certificate for a host, enter its FQDN; if it's a person, enter his Name and Surname - Email: you can leave the default value, or enter the real email address, if the certificate is for a real person (this field is informational only,
- it has no role in the authentication)
- - Answer "yes" to the last two questions (confirmation of certificate creation and signature)
- In the ./keys directory, you'll find the CERTNAME.crt and CERTNAME.key files.
- Send a GPG-encrypted mail message to the user:
- Use the message template: ./newuser_message.txt
- Attach the certificates: ca, CERTNAME, CERTNAME.key
- Attach the sample configuration files contained in ./conf/client
WARNING: make sure to encrypt the message, since the client certificate and key are sensitive material!!!
- Update the SVN mirror of the server PKI in ./conf/ca
Run the ./conf/ca/getconf.sh script
Creating a server certificate
Use the same procedure to create a client cert, except, run the ./build-key-server script