Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
github.com/letsconnectvpn/vpn-ca
Summary: Simple CA intended for use with OpenVPN
Description: Simple CA intended for use with OpenVPN written in Go. It is much simpler to use than easy-rsa and can be run concurrently.
License: MIT
Simple CA intended for use with OpenVPN.
We started out using easy-rsa for Let's Connect! / eduVPN. It is a shell script wrapped around the OpenSSL command line. In theory this can be (very) much cross platform, but in practice it was not. Only recent versions fixed some problems on other platforms than Linux.
As part of these fixes they broke backwards compatibility in their 3.x releases, which made "in place" upgrades impossible without (manually) migrating to their new version(s).
We also noticed problems with high volume VPN servers where sometimes the easy-rsa certificate database got corrupted because two threads where running simultaneously.
This was a good moment to think about ditching easy-rsa and come up with something better. Using PHP's OpenSSL binding was out due to its complexity while still lacking basic features.
Go has a rich standard library that has all functionality required for creating a CA, some projects were available doing exactly that as shown above. Using those for inspiration, and some borrowing, stripping everything we didn't need resulted in a tiny CA that does exactly what we need and nothing more with a very simple CLI API. Implementing a PHP extension seemed like overkill, so we simply use the CLI from PHP.
We tested on Linux, OpenBSD, macOS and Windows. It works everywhere!
Use the Makefile
:
$ make
Or manually:
$ go build -o _bin/vpn-ca vpn-ca/main.go
Initialize the CA (valid for 5 years) with an RSA key of 3072 bits:
$ _bin/vpn-ca -init-ca -name "My Root CA"
Generate a server certificate, valid for 1 year:
$ _bin/vpn-ca -server -name vpn.example.org
Generate a client certificate, valid for 1 year:
$ _bin/vpn-ca -client -name 12345678
Generate client certificate and specify explicitly when it expires:
$ _bin/vpn-ca -client -name 12345678 -not-after 2020-12-12T12:12:12+00:00
The -not-after
flag can be used with both -client
and -server
.
If you want to expire a certificate at the exact same time as the CA, you can
use -not-after CA
.
NOTE: if your -not-after
, or the default of 1 year when not specified,
extends beyond the lifetime of the CA an error will be thrown! You should
either reduce the certificate lifetime, or generate a new CA.
There is also the CA_DIR
environment variable you can set if you do not want
to use the current directory from which you run the CA command to store the CA,
server and client certificates, e.g.
$ CA_DIR=/tmp _bin/vpn-ca -init-ca -name "My Root CA"
$ CA_DIR=/tmp _bin/vpn-ca -server -name vpn.example.org
$ CA_DIR=/tmp _bin/vpn-ca -client -name 12345678
The CA supports these key types / signature algorithms:
* `RSA` (3072 bits)
* `ECDSA` (P-256 / prime256v1)
* `EdDSA` (Ed25519)
You can use the environment variable CA_KEY_TYPE
to select the type of key
that will be generated. You can use RSA
, ECDSA
and EdDSA
as values to
CA_KEY_TYPE
. RSA
is the default if you do not specify anything. For example
with ECDSA
:
$ CA_KEY_TYPE=ECDSA _bin/vpn-ca -init-ca -name "My P-256 CA"
$ CA_KEY_TYPE=ECDSA _bin/vpn-ca -server -name "www.example.org"
Or with EdDSA
:
$ CA_KEY_TYPE=EdDSA _bin/vpn-ca -init-ca -name "My Ed25519 CA"
$ CA_KEY_TYPE=EdDSA _bin/vpn-ca -server -name "www.example.org"
If at all possible in your situation, use EdDSA
. It is the most modern,
secure and fast algorithm. However, not all software supported EdDSA
yet.
Modern browsers do NOT support EdDSA
certificates. When using TLS, at least
TLSv1.3 is necessary. With OpenSSL, one needs OpenSSL >= 1.1.1.
OpenVPN, for example supports EdDSA
just fine with TLSv1.3 on modern systems.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
Security News
A Stanford study reveals 9.5% of engineers contribute almost nothing, costing tech $90B annually, with remote work fueling the rise of "ghost engineers."
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.