
Extended usage of the CA and keys

The button "Generate Root/Host certificates" leads you to the section in which all certificates needed to operate OpenVPN (the certification authority and the host certificate) and all required keys are generated. Before the PKI can be built, some data still has to be entered.

The Diffie-Hellman Parameter

Note!
As of Core 172 the Diffie-Hellman parameters no longer have to be generated: IPFire automatically uses the fixed, well-vetted 4096-bit group standardised in RFC 7919, Appendix A.3 (ffdhe4096).

If everything has been done correctly, the browser returns to the OpenVPN start page, where the newly generated certificates and keys are listed in the "Certificate Authorities and -Keys" table.

Since Core 79 the OpenVPN directive --tls-auth is available. The 2048-bit static key it requires is generated together with the PKI; enabling the option in the web interface also generates the key if it is not yet present.

Upload PKCS#12 file

IPFire can also be configured as an OpenVPN client. For this, a PKCS#12 file (optionally password-protected) can be uploaded instead of generating a PKI.

Server operation is disabled in this mode because, among other things, index.txt and the Diffie-Hellman parameters are not generated. The client configuration file for the IPFire box, which now acts as a client, also has to be created and integrated manually.

Note!
With Core 79 the RSA key lengths and the signature algorithms of all certificates and keys were changed. On Core 79 and later a newly generated root certificate uses a 4096-bit RSA key and is signed with SHA-512; the host certificate uses a 2048-bit RSA key and is signed with SHA-256, as is the CRL. The static key for the control channel (--tls-auth) has been enlarged to 2048 bit. To benefit from these improvements the whole PKI must be generated anew on Core 79 or later.
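Whether an existing PKI already has the Core 79 parameters, or what an uploaded PKCS#12 file actually contains, is easiest to verify with the openssl command line. The following helper functions are an added example for this page, not part of IPFire; they assume a POSIX shell with the openssl binary available, and the file names passed to them are placeholders for the certificate, DH and PKCS#12 files exported from (or uploaded to) the web interface.

```sh
#!/bin/sh
# Added example (not IPFire code): inspect the files of an OpenVPN PKI with openssl.
# Assumes a POSIX sh and the openssl CLI; file names are caller-supplied placeholders.

# cert_key_bits CERT.pem
# Prints the size of the RSA public key in bits, e.g. 4096.
# Matches both "Public-Key: (n bit)" (OpenSSL 3) and "RSA Public-Key: (n bit)" (OpenSSL 1.1).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_sig_alg CERT.pem
# Prints the signature algorithm, e.g. sha512WithRSAEncryption.
# The line occurs twice in -text output (TBS header and signature block); the first is enough.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# check_cert CERT.pem MIN_BITS SIG_ALG
# Returns 0 if the key has at least MIN_BITS bits and the certificate is signed
# with SIG_ALG, 1 otherwise. The Core 79 expectations from the note above are:
#   root certificate: 4096 sha512WithRSAEncryption
#   host certificate: 2048 sha256WithRSAEncryption
check_cert() {
    cert="$1"; want_bits="$2"; want_alg="$3"
    bits=$(cert_key_bits "$cert")
    alg=$(cert_sig_alg "$cert")
    [ -n "$bits" ] && [ "$bits" -ge "$want_bits" ] && [ "$alg" = "$want_alg" ]
}

# dh_bits DH.pem
# Prints the size of the Diffie-Hellman prime in bits (4096 for the RFC 7919 ffdhe4096 group).
dh_bits() {
    openssl dhparam -in "$1" -noout -text \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# p12_client_subject FILE.p12 PASSWORD
# Prints the subject of the client certificate inside a PKCS#12 file in RFC 2253
# form (e.g. CN=myclient), without touching the private key. The password is
# passed with pass: only for illustration; on a real system prefer -passin file:/... .
p12_client_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//'
}

# Usage (placeholder file names):
#   check_cert cacert.pem     4096 sha512WithRSAEncryption && echo "root cert OK"
#   check_cert hostcert.pem   2048 sha256WithRSAEncryption && echo "host cert OK"
#   dh_bits dh.pem
#   p12_client_subject client.p12 secret
```

A PKI created on an older Core that fails check_cert for the root or host certificate has to be regenerated, as the note says; the CRL can be checked the same way with `openssl crl -in crl.pem -noout -text`, where only the signature algorithm is relevant.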
