Creating a secure BMS system for your customers: Part 4, Cryptographic Keys

Before we can start the OpenVPN server we need to create the cryptographic keys that secure its communications. Ideally you would do this on a computer that is completely offline: generate the keys for all of your servers there, and copy off only the particular keys each server needs to run OpenVPN. When not in use that machine would be powered off and stored somewhere safe. A Raspberry Pi 3B+ might be a good fit here, inexpensive and easy to store. Alternatively you could have a key server on every OpenVPN server. I think this is a little less secure, but in the event of anything getting breached it’s just that one server at risk that needs to be rebuilt; it’s a tradeoff. If using Windows, the easiest way to accomplish this is to install OpenVPN with the EasyRSA box checked. These instructions are largely taken from the OpenVPN “HOW TO” article.

Start out with a command prompt at C:\Program Files\OpenVPN\easy-rsa and run:

init-config

Now edit your vars.bat file to set some initial parameters; a few of them also serve as reminders of what to answer at certain questions later. Look for the section below and make your changes as I suggest here.

set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=YourCompanyName
set KEY_EMAIL=it@example.com
set KEY_CN=changeme
set KEY_NAME=changeme
set KEY_OU=server#

Also set your key size. As I mentioned earlier, with the tiny amount of traffic we have it doesn’t hinder CPU usage in the EdgeRouter at all. It will however take a long time to generate the Diffie-Hellman parameters at 4096 bits: maybe a good fifteen minutes on a high-end i7, or 24 HOURS on a Raspberry Pi 2. Several hours on a Pi 3B+ isn’t too bad, and it makes a nice device you could store offline.

set DH_KEY_SIZE=4096

Finally, initialize your public key infrastructure. The last command will ask a series of questions. Most of these we want to answer with the default, except for:

  • KEY_CN; call this the “OpenVPN-CA”

vars
clean-all
build-ca

Now you can build the Diffie-Hellman parameters. As I mentioned, this can take a long time.

build-dh

For our TLS key we need to step down one more directory, to C:\Program Files\OpenVPN\easy-rsa\keys, because unlike every other command above and below this one writes its key into the directory it is run from.

openvpn --genkey --secret ta.key
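Two checks worth running on what build-dh and the ta.key step just left in the keys folder: that the DH parameters really are the 4096 bits set by DH_KEY_SIZE, and that ta.key is a well-formed OpenVPN static key (the V1 format carries 2048 bits as 512 hex characters). This is an added example, not code from the original article or from EasyRSA; it uses only the Python standard library, and the DH fixture it builds for offline testing is a constructed non-prime whose only purpose is to exercise the parser.

```python
import base64
import re

STATIC_RE = re.compile(r"-----BEGIN OpenVPN Static key V1-----(.*?)-----END OpenVPN Static key V1-----", re.S)
DH_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def check_static_key(pem: str) -> bool:
    """ta.key from 'openvpn --genkey --secret' holds 2048 bits: 512 hex chars inside the V1 markers."""
    m = STATIC_RE.search(pem)
    body = "".join(m.group(1).split()) if m else ""
    return len(body) == 512 and all(c in "0123456789abcdefABCDEF" for c in body)

def _der_len(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, offset of the first content byte)."""
    n = buf[i] & 0x7F  # long form: low 7 bits give the number of length bytes that follow
    return (buf[i], i + 1) if buf[i] < 0x80 else (int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n)

def dh_modulus_bits(pem: str) -> int:
    """Bit length of p in a PEM DH file; the DER layout is SEQUENCE { INTEGER p, INTEGER g }."""
    m = DH_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

# Constructed fixture so the checks run offline; this is not real EasyRSA output.
def _der_len_enc(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # spare byte keeps the DER integer positive
    return b"\x02" + _der_len_enc(len(raw)) + raw

def make_sample_dh_pem(bits: int) -> str:
    p = (1 << (bits - 1)) | 1  # NOT a prime: only its bit length matters for testing the parser
    content = _der_int(p) + _der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(content)) + content).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"
```

Against a real keys folder, feed the contents of ta.key and of the dh PEM that build-dh wrote (its file name is whatever your EasyRSA version chose) to check_static_key and dh_modulus_bits respectively.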

Once this is complete, if you are using one machine to generate and manage all of your keys in one session, you should not repeat any of the above for new servers. On Windows, if you do start a new session you need to set the environment variables again by running only vars.bat.

Remember to go back up a directory level, to C:\Program Files\OpenVPN\easy-rsa\, to run the commands below. Next generate a key for your first server. Most of these questions we want to answer with the default, except for:

  • KEY_CN; call this the “server1”

build-key-server server

Now you may generate client keys; again most of the questions asked are answered with the default, except for the CN below. I chose to have these match the file name.

  • KEY_CN; call this the “client1-1”

build-key client1-1

Continue generating keys for additional clients. Personally I go ahead and generate keys for about ten clients even if I know we will only use one or two, just in case.