Configuring EasyRSA PKI Generation: Understanding vars File Options for OpenVPN Certificate Authority

When setting up a PKI (Public Key Infrastructure) for OpenVPN using EasyRSA, the vars file serves as the central configuration point. These variables directly influence the X.509 certificate fields and overall PKI behavior.

Here's what each parameter controls in certificate generation:

# Basic certificate subject fields
export KEY_COUNTRY="US"        # Two-letter country code (ISO 3166)
export KEY_PROVINCE="CA"       # State or province name
export KEY_CITY="SanFrancisco" # Locality name
export KEY_ORG="OpenVPN Corp"  # Organization name
export KEY_EMAIL="admin@openvpn.example.com" # Contact email
export KEY_OU="IT Security"    # Organizational Unit

For more specialized deployments:

# Certificate identification
export KEY_CN="vpn-server-01"  # Common Name (hostname)
export KEY_NAME="VPN Server"   # Certificate name (optional)

# PKCS#11 Hardware Security Module
export PKCS11_MODULE_PATH="/usr/lib/pkcs11/libsofthsm2.so"
export PKCS11_PIN="1234"       # HSM PIN

For a production OpenVPN setup, consider this configuration:

#!/bin/bash
# Sample vars file for production VPN
export KEY_COUNTRY="GB"
export KEY_PROVINCE="London"
export KEY_CITY="London"
export KEY_ORG="Acme Ltd"
export KEY_EMAIL="security@acme.com"
export KEY_OU="Network Operations"
export KEY_CN="vpn.acme.com"
export KEY_NAME="Acme VPN Server"

# Initialize PKI with these settings
./easyrsa init-pki
./easyrsa build-ca nopass

  • Always set KEY_CN to match your server's FQDN
  • For production environments, remove the nopass option from CA creation
  • Consider using separate CAs for servers and clients
  • Regularly rotate your PKCS#11 PIN if using HSMs

If you encounter errors during certificate generation:

  1. Verify all required vars are set (KEY_COUNTRY is mandatory)
  2. Check for special characters in values (use quotes)
  3. Ensure proper file permissions on the vars file

The EasyRSA vars file contains critical configuration parameters for Public Key Infrastructure (PKI) generation. Here's a technical breakdown of each variable:

# Geographic and organizational identifiers
export KEY_COUNTRY="US"  # 2-letter country code (ISO 3166)
export KEY_PROVINCE="California"
export KEY_CITY="San Francisco"
export KEY_ORG="YourCompany Inc."  # Organization name

# Cryptographic identity parameters
export KEY_EMAIL="admin@yourcompany.com"  # CA administrator email
export KEY_CN="OpenVPN-CA"  # Common Name for root certificate
export KEY_NAME="OpenVPN-Server"  # Name field for certificates
export KEY_OU="IT Security"  # Organizational Unit

# PKCS#11 token configuration (advanced)
export PKCS11_MODULE_PATH="/usr/lib/pkcs11/libsofthsm2.so"
export PKCS11_PIN="1234"  # Hardware token PIN

For a production OpenVPN setup, you might configure:

# Production-ready vars configuration
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="ACME Corp"
export KEY_EMAIL="security@acme.com"
export KEY_CN="ACME-VPN-CA"
export KEY_NAME="ACME-VPN-Server"
export KEY_OU="Network Security"

These variables directly affect X.509 certificate fields:

  • KEY_COUNTRY: Sets the 'C' field in certificates
  • KEY_ORG: Determines the 'O' (Organization) field
  • KEY_CN: Critical for certificate subject identification
  • KEY_OU: Useful for departmental separation in large orgs

  1. Always set valid geographic information matching your organization
  2. Use consistent naming across your PKI hierarchy
  3. For production systems, avoid using test values
  4. Consider organizational structure when setting OU values

For hardware security modules (HSMs):

# HSM configuration example
export PKCS11_MODULE_PATH="/usr/local/lib/opensc-pkcs11.so"
export PKCS11_PIN="$(cat /etc/pki/pinfile)"  # Secure PIN storage

Remember to source your vars file before certificate operations:

source ./vars
./easyrsa build-ca
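Added example, not code from either answer above: a POSIX sh linter for a vars file that checks the troubleshooting points from the first answer (required fields, special characters in values, file permissions) and the PIN-from-file practice from the HSM block in the second. It assumes the EasyRSA 2-style `export KEY_*="..."` layout shown on this page and treats the seven subject variables from the first block as required, which is an assumption since only KEY_COUNTRY is called mandatory here.

```shell
#!/bin/sh
# Lint an EasyRSA 2.x-style vars file (export KEY_*="...") before sourcing it.
# Findings go to stdout, one per line, prefixed with the variable name; the
# function always returns 0 so callers can count findings under set -e.
lint_vars() {
  f="$1"
  # Pull the double-quoted value of a variable; a trailing "# comment" is ignored.
  getval() { sed -n "s/^export $1=\"\([^\"]*\)\".*$/\1/p" "$f" | head -n 1; }

  for var in KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_OU KEY_CN; do
    val=$(getval "$var")
    if [ -z "$val" ]; then
      echo "$var: not set"
      continue
    fi
    # vars is sourced, so a $ or backtick inside a quoted value still executes.
    case "$val" in
      *'$'*|*'`'*|*';'*|*'|'*|*'&'*) echo "$var: shell metacharacter in value" ;;
    esac
  done

  # ISO 3166 alpha-2: exactly two upper-case letters (empty already reported).
  case "$(getval KEY_COUNTRY)" in
    [A-Z][A-Z]|"") ;;
    *) echo "KEY_COUNTRY: must be a two-letter ISO 3166 code" ;;
  esac

  # A literal PIN ends up in every shell that sources vars; the page's
  # "$(cat /etc/pki/pinfile)" form reads it from a protected file instead.
  case "$(getval PKCS11_PIN)" in
    ""|'$('*) ;;
    *) echo "PKCS11_PIN: literal PIN in vars; read it from a protected file" ;;
  esac

  # Group/world access to vars leaks whatever secrets it carries.
  case "$(ls -ld "$f" | cut -c5-10)" in
    *[rwx]*) echo "FILE: permissions too open; chmod 600 $f" ;;
  esac
  return 0
}

# Stand-alone demo on a constructed vars file with deliberate problems.
tmp=$(mktemp)
printf '%s\n' 'export KEY_COUNTRY="USA"' 'export KEY_ORG="Acme $(id)"' \
  'export PKCS11_PIN="1234"' > "$tmp"
lint_vars "$tmp"
rm -f "$tmp"
```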