diff options
Diffstat (limited to 'docs')
-rw-r--r-- | docs/configuration/pki/index.rst | 135 | ||||
-rw-r--r-- | docs/configuration/pki/pki_cli_import_help.txt | 8 |
2 files changed, 143 insertions, 0 deletions
diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index 7c0044e1..1b751a90 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -18,3 +18,138 @@ simply referenced by their name. Don't be afraid that you need to re-do your configuration. Key transformation is handled, as always, by our migration scripts, so this will be a smooth transition for you! + +Key Generation +============== + +Certificate Authority (CA) +-------------------------- + +VyOS now also has the ability to create CAs, keys, Diffie-Hellman and other +keypairs from an easy to access operational level command. + +.. opcmd:: generate pki ca + + Create a new :abbr:`CA (Certificate Authority)` and output the CAs public and + private key on the console. + +.. opcmd:: generate pki ca install <name> + + Create a new :abbr:`CA (Certificate Authority)` and output the CAs public and + private key on the console. + + .. include:: pki_cli_import_help.txt + +.. opcmd:: generate pki ca sign <ca-name> + + Create a new subordinate :abbr:`CA (Certificate Authority)` and sign it using + the private key referenced by `ca-name`. + +.. opcmd:: generate pki ca sign <name> install + + Create a new subordinate :abbr:`CA (Certificate Authority)` and sign it using + the private key referenced by `name`. + + .. include:: pki_cli_import_help.txt + +Certificates +------------ + +.. opcmd:: generate pki certificate + + Create a new public/private keypair and output the certificate on the console. + +.. opcmd:: generate pki certificate install <name> + + Create a new public/private keypair and output the certificate on the console. + + .. include:: pki_cli_import_help.txt + +.. opcmd:: generate pki certificate self-signed + + Create a new self-signed certificate. The public/private is then shown on the + console. + +.. opcmd:: generate pki certificate self-signed install <name> + + Create a new self-signed certificate. The public/private is then shown on the + console. + + .. include:: pki_cli_import_help.txt + +.. opcmd:: generate pki certificate sign <ca-name> + + Create a new public/private keypair which is signed by the CA referenced by + `ca-name`. The signed certificate is then output to the console. + +.. opcmd:: generate pki certificate sign <ca-name> install <name> + + Create a new public/private keypair which is signed by the CA referenced by + `ca-name`. The signed certificate is then output to the console. + + .. include:: pki_cli_import_help.txt + +Diffie-Hellman parameters +------------------------- + +.. opcmd:: generate pki dh + + Generate a new set of :abbr:`DH (Diffie-Hellman)` parameters. The key size + is requested by the CLI and defaults to 2048 bit. + + The generated parameters are then output to the console. + +.. opcmd:: generate pki dh install <name> + + Generate a new set of :abbr:`DH (Diffie-Hellman)` parameters. The key size + is requested by the CLI and defaults to 2048 bit. + + .. include:: pki_cli_import_help.txt + +OpenVPN +------- + +.. opcmd:: generate pki openvpn shared-secret + + Genearate a new OpenVPN shared secret. + + +Configuration +============= + +Operation +========= + +VyOS operational mode commands are not only available for generating keys but +also to display them. + +.. opcmd:: show pki ca + + Show a list of installed :abbr:`CA (Certificate Authority)` certificates. + + .. code-block:: none + + vyos@vyos:~$ show pki ca + Certificate Authorities: + Name Subject Issuer CN Issued Expiry Private Key Parent + ------------------------ ------------------------------------------------------------------------------------------------------- --------------------------------------- ------------------- ------------------- ------------- ------------------------ + CAcert_Class_3_Root CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc. 1.2.840.113549.1.9.1=support@cacert.org 2021-04-19 12:18:30 2031-04-17 12:18:30 No CAcert_Signing_Authority + CAcert_Signing_Authority 1.2.840.113549.1.9.1=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA 1.2.840.113549.1.9.1=support@cacert.org 2003-03-30 12:29:49 2033-03-29 12:29:49 No N/A + peer_172_18_254_202 CN=Easy-RSA CA CN=Easy-RSA CA 2021-06-14 19:45:27 2031-06-12 19:45:27 No N/A + +.. opcmd:: show pki certificates + + Show a list of installed certificates + + .. code-block:: none + + cpo@LR1.wue3:~$ show pki certificate + Certificates: + Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present + ------------------- ------ ------------ -------------- ------------------- ------------------- --------- ------------- ------------------------- + peer_172_18_254_202 Server CN=peer1 CN=Easy-RSA CA 2021-06-14 20:04:47 2024-05-29 20:04:47 No Yes Yes (peer_172_18_254_202) + + +.. opcmd:: show pki crl + + Show a list of installed :abbr:`CRLs (Certificate Revocation List)`. diff --git a/docs/configuration/pki/pki_cli_import_help.txt b/docs/configuration/pki/pki_cli_import_help.txt new file mode 100644 index 00000000..89351903 --- /dev/null +++ b/docs/configuration/pki/pki_cli_import_help.txt @@ -0,0 +1,8 @@ +In addition to the command above, the output is in a format which can be used +to directly import the key into the VyOS CLI by simply copy-pasting the output +from op-mode into configuration mode. + +Name is used for the VyOS CLI command to identify this CA on the running +configuration. + + |