Simple CA intended for use with OpenVPN.
We started out using easy-rsa for Let's Connect! / eduVPN. It is a shell script wrapped around the OpenSSL command line. In theory this could be (very) much cross-platform, but in practice it was not; only recent versions fixed some of the problems on platforms other than Linux.
As part of these fixes they broke backwards compatibility in their 3.x releases, which made "in place" upgrades impossible without (manually) migrating to their new version(s).
This was a good moment to think about ditching easy-rsa and coming up with something better. Using PHP's OpenSSL binding was out: it is complex to use while still lacking basic features.
Go has a rich standard library with all the functionality required for creating a CA, and some projects were available doing exactly that, as shown above. Using those for inspiration, borrowing a little and stripping everything we didn't need, resulted in a tiny CA that does exactly what we need and nothing more, with a very simple CLI. Implementing a PHP extension seemed like overkill, so we simply invoke the CLI from PHP.
We tested on Linux, OpenBSD, macOS and Windows. It works everywhere!
$ go build -o _bin/vpn-ca vpn-ca/main.go
Initialize the CA (valid for 5 years) with an RSA key of 3072 bits:
$ _bin/vpn-ca -init
Generate a server certificate, valid until the CA expires:
$ _bin/vpn-ca -server vpn.example.org
Generate a client certificate, valid for 90 days:
$ _bin/vpn-ca -client 12345678
Generate client certificate and specify explicitly when it expires:
$ _bin/vpn-ca -client 12345678 -not-after 2019-08-16T14:00:00+00:00
-not-after flag can also be used with
There is also the -ca-dir option you can use if you do not want to use the current directory from which you run the CA command to store the CA, server and client certificates, e.g.
$ _bin/vpn-ca -ca-dir /tmp -init
$ _bin/vpn-ca -ca-dir /tmp -server vpn.example.org
$ _bin/vpn-ca -ca-dir /tmp -client 12345678
Once you specify -ca-dir you MUST also use it for subsequent calls.
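As an added illustration of what the Go standard library provides for this (example code written for this page, not the vpn-ca code itself): a minimal in-memory CA that mirrors the -init, -server and -client operations above and refuses a -not-after past the CA's own expiry. The "VPN CA" subject, the 128-bit random serials, the chosen key usages and the Verify helper are this example's choices and assumptions, not necessarily what vpn-ca does; the key size is a parameter so that tests can use 2048 bits while the -init default of 3072 bits is kept in main.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"time"
)

// CA keeps the CA key pair in memory; a real tool persists them (ca.key, ca.crt).
type CA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
	Bits int // RSA key size for the CA key and for issued leaf keys (example assumption)
}

// randomSerial returns a 128-bit random serial; sequential or predictable serials are a known weakness.
func randomSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err) // a failing crypto/rand is not recoverable
	}
	return n
}

// sign creates the certificate described by tmpl under parent and parses the DER back.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA generates an RSA key of the given size and a self-signed CA certificate valid from now for validity.
func NewCA(bits int, validity time.Duration) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: "VPN CA"}, // subject name is an example choice
		NotBefore:             now,
		NotAfter:              now.Add(validity),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLenZero:        true, // may sign end-entity certificates only, no sub-CAs
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key) // self-signed: the template is its own parent
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert, Bits: bits}, nil
}

// Issue signs an end-entity certificate for cn with usage ServerAuth or ClientAuth (what
// OpenVPN's remote-cert-tls checks); a notAfter beyond the CA's own expiry is refused.
func (ca *CA) Issue(cn string, usage x509.ExtKeyUsage, notAfter time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	if notAfter.After(ca.Cert.NotAfter) {
		return nil, nil, fmt.Errorf("not-after %s is later than CA expiry %s", notAfter.UTC(), ca.Cert.NotAfter.UTC())
	}
	key, err := rsa.GenerateKey(rand.Reader, ca.Bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	cert, err := sign(tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return cert, key, err
}

// Verify checks that leaf chains to caCert, is within its validity at t and carries usage.
func Verify(caCert, leaf *x509.Certificate, usage x509.ExtKeyUsage, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

func main() {
	ca, err := NewCA(3072, 5*365*24*time.Hour) // the -init defaults: 3072-bit RSA, five years
	if err != nil {
		log.Fatal(err)
	}
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw}) // what ca.crt would hold
}
```

Verify performs the three checks an OpenVPN peer relies on: the chain to the CA, the validity period at the moment of the handshake, and the extended key usage that --remote-cert-tls looks at, so a client certificate cannot be presented as a server and a 90-day client certificate stops verifying once it has expired. Private keys go out as PKCS#8 via x509.MarshalPKCS8PrivateKey in a "PRIVATE KEY" PEM block. Note that the server certificate above carries the hostname only in the CN; add it as a DNS SAN as well if anything other than OpenVPN is going to validate it.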