path: root/docs/configuration/pki/index.rst
blob: 1b751a900c7764b1ce71c3280909a60cd788e0eb (plain)
lastproofread: 1970-01-01

.. include:: /_include/need_improvement.txt

###
PKI
###

VyOS 1.4 changed the way encryption keys and certificates are stored on the
running system. Before VyOS 1.4, certificates were stored as files under
``/config`` and every service referenced a file path. That made copying a
running configuration from system A to system B harder, as you had to copy the
files and their permissions by hand.

VyOS 1.4 comes with a new approach where the keys are stored in the CLI
configuration itself and are simply referenced by their name.

Don't be afraid that you need to redo your configuration. Key transformation is
handled, as always, by the migration scripts, so this will be a smooth
transition for you.

Key Generation
==============

Certificate Authority (CA)
--------------------------

VyOS now also has the ability to create CAs, keys, Diffie-Hellman parameters and
other keypairs from easy to access operational-level commands.

.. opcmd:: generate pki ca

  Create a new :abbr:`CA (Certificate Authority)` and output the CA's public and
  private key on the console.

.. opcmd:: generate pki ca install <name>

  Create a new :abbr:`CA (Certificate Authority)` and install it under the
  name `name` instead of only printing the CA's public and private key on the
  console.

  .. include:: pki_cli_import_help.txt

.. opcmd:: generate pki ca sign <ca-name>

  Create a new subordinate :abbr:`CA (Certificate Authority)` and sign it using
  the private key of the CA referenced by `ca-name`. The subordinate CA's public
  and private key are output on the console.

.. opcmd:: generate pki ca sign <ca-name> install <name>

  Create a new subordinate :abbr:`CA (Certificate Authority)`, sign it using
  the private key of the CA referenced by `ca-name` and install it under the
  name `name`.

  .. include:: pki_cli_import_help.txt

Certificates
------------

.. opcmd:: generate pki certificate

  Create a new public/private keypair and output the certificate and the private
  key on the console.

.. opcmd:: generate pki certificate install <name>

  Create a new public/private keypair and install it under the name `name`.

  .. include:: pki_cli_import_help.txt

.. opcmd:: generate pki certificate self-signed

  Create a new self-signed certificate. The public/private keypair is then shown
  on the console.

.. opcmd:: generate pki certificate self-signed install <name>

  Create a new self-signed certificate and install it under the name `name`.

  .. include:: pki_cli_import_help.txt

.. opcmd:: generate pki certificate sign <ca-name>

  Create a new public/private keypair which is signed by the CA referenced by
  `ca-name`. The signed certificate is then output to the console.

.. opcmd:: generate pki certificate sign <ca-name> install <name>

  Create a new public/private keypair which is signed by the CA referenced by
  `ca-name` and install the signed certificate under the name `name`.

  .. include:: pki_cli_import_help.txt

Diffie-Hellman parameters
-------------------------

.. opcmd:: generate pki dh

  Generate a new set of :abbr:`DH (Diffie-Hellman)` parameters. The CLI prompts
  for the key size, which defaults to 2048 bit.

  The generated parameters are then output to the console.

.. opcmd:: generate pki dh install <name>

  Generate a new set of :abbr:`DH (Diffie-Hellman)` parameters and install them
  under the name `name`. The CLI prompts for the key size, which defaults to
  2048 bit.

  .. include:: pki_cli_import_help.txt

OpenVPN
-------

.. opcmd:: generate pki openvpn shared-secret

  Generate a new OpenVPN shared secret (a static key for OpenVPN's
  pre-shared-key mode) and output it on the console.
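The ``generate pki ca``, ``generate pki ca sign`` and ``generate pki certificate
sign`` commands above build exactly the kind of chain (root CA, subordinate CA,
leaf certificate) that you may already have from an external tool. The script
below is an added example and is not part of the VyOS documentation or code
base: it builds such a chain with the ``openssl`` CLI, verifies that the leaf
really chains to the root through the subordinate, and then prints the
configuration-mode commands that import each object by name. The CLI paths
(``set pki ca <name> certificate``, ``set pki certificate <name> certificate``,
``set pki certificate <name> private key``) and the value format (the PEM body
as one base64 line, without the BEGIN/END lines) are stated here as this
example's understanding of the VyOS 1.4 syntax; the object names ``root-ca``,
``sub-ca`` and ``vyos-server`` and the host name ``vyos.example.net`` are
arbitrary.

```shell
#!/bin/sh
# Added example; not part of the VyOS documentation or code base.
# Builds root CA -> subordinate CA -> server certificate with the openssl CLI,
# checks the chain, and emits VyOS 1.4 style 'set pki ...' import commands.
# Assumption: VyOS stores each object as the PEM body on one base64 line; the
# 'set pki' paths below are this example's reading of the 1.4 CLI.
set -eu

# strip_pem FILE: print the PEM body as a single base64 line (no header, footer
# or newlines), which is the form the 'set pki' commands take.
strip_pem() {
    grep -v '^-----' "$1" | tr -d '\n'
}

# build_pki DIR: create root.{key,crt}, sub.{key,crt} and server.{key,crt}.
# Every certificate gets explicit extensions via -extfile so the result does
# not depend on whatever openssl.cnf happens to be installed.
build_pki() {
    dir="$1"
    mkdir -p "$dir"

    # Root CA: EC P-256 key, self-signed, CA:TRUE with certificate-signing use.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/root.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -extfile "$dir/root.ext" -out "$dir/root.crt" >/dev/null 2>&1

    # Subordinate CA signed by the root. pathlen:0 stops it from issuing
    # further CAs, which is the sensible shape for 'generate pki ca sign'.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" \
        -subj "/CN=Example Sub CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/sub.ext"
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/sub.ext" -out "$dir/sub.crt" >/dev/null 2>&1

    # Server leaf signed by the subordinate: CA:FALSE, serverAuth EKU, SAN.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=vyos.example.net" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vyos.example.net\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# verify_chain DIR: print OK when server.crt validates up to root.crt with
# sub.crt supplied as an untrusted intermediate (what 'CA Present' in
# 'show pki certificate' is about), FAIL otherwise.
verify_chain() {
    if openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" \
        "$1/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# vyos_set_commands DIR: emit configuration-mode commands that import the
# chain by name. The root CA private key is deliberately not imported: the
# router only needs the root certificate to validate peers.
vyos_set_commands() {
    dir="$1"
    echo "set pki ca root-ca certificate '$(strip_pem "$dir/root.crt")'"
    echo "set pki ca sub-ca certificate '$(strip_pem "$dir/sub.crt")'"
    echo "set pki certificate vyos-server certificate '$(strip_pem "$dir/server.crt")'"
    echo "set pki certificate vyos-server private key '$(strip_pem "$dir/server.key")'"
}

main() {
    work=$(mktemp -d)
    build_pki "$work"
    echo "# chain verification: $(verify_chain "$work")"
    vyos_set_commands "$work"
    rm -rf "$work"
}

main
```

Paste the emitted ``set`` lines into a configure session and ``commit``; the
private key line is sensitive material, so generate it on the router or move it
over an encrypted channel rather than through a shared clipboard or chat.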


Configuration
=============

Operation
=========

VyOS operational mode commands are not only available for generating keys but
also to display them.

.. opcmd:: show pki ca

  Show a list of installed :abbr:`CA (Certificate Authority)` certificates.

  .. code-block:: none

    vyos@vyos:~$ show pki ca
    Certificate Authorities:
    Name                      Subject                                                                                                  Issuer CN                                Issued               Expiry               Private Key    Parent
    ------------------------  -------------------------------------------------------------------------------------------------------  ---------------------------------------  -------------------  -------------------  -------------  ------------------------
    CAcert_Class_3_Root       CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.                                            1.2.840.113549.1.9.1=support@cacert.org  2021-04-19 12:18:30  2031-04-17 12:18:30  No             CAcert_Signing_Authority
    CAcert_Signing_Authority  1.2.840.113549.1.9.1=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA  1.2.840.113549.1.9.1=support@cacert.org  2003-03-30 12:29:49  2033-03-29 12:29:49  No             N/A
    peer_172_18_254_202       CN=Easy-RSA CA                                                                                           CN=Easy-RSA CA                           2021-06-14 19:45:27  2031-06-12 19:45:27  No             N/A

.. opcmd:: show pki certificate

  Show a list of installed certificates.

  .. code-block:: none

    cpo@LR1.wue3:~$ show pki certificate
    Certificates:
    Name                 Type    Subject CN    Issuer CN       Issued               Expiry               Revoked    Private Key    CA Present
    -------------------  ------  ------------  --------------  -------------------  -------------------  ---------  -------------  -------------------------
    peer_172_18_254_202  Server  CN=peer1      CN=Easy-RSA CA  2021-06-14 20:04:47  2024-05-29 20:04:47  No         Yes            Yes (peer_172_18_254_202)


.. opcmd:: show pki crl

  Show a list of installed :abbr:`CRLs (Certificate Revocation List)`.