The button "Generate Root/Host certificates" leads to the section where all certificates needed to operate OpenVPN (the certification authority and the host certificate) and all required keys are generated. Before the PKI can be built, a few details still have to be entered.
|As of Core 123, Diffie-Hellman keys with a length of 1024 bits can no longer be created, because they are considered insecure and are no longer supported by OpenVPN. The web user interface shows warnings about this and other cryptographic issues.|
The Diffie-Hellman parameter length can be set to 2048, 3072 or 4096 bits.
|Generating Diffie-Hellman parameters can take a long time; 3072 and 4096 bits in particular can take at least several hours.|
If everything has been done correctly, the browser returns to the default OpenVPN page, which lists all newly generated certificates and keys in the "Certificate Authorities and -Keys" table.
Since Core 79, the OpenVPN directive --tls-auth is available. The required 2048-bit key is generated when the PKI is built; enabling this option in the web interface also generates the key if it is not already present.
IPFire can also be configured as a client; for this, a PKCS#12 file (optionally protected with a password) can be uploaded.
In that case the server functions are disabled, because, among other things, the index.txt and the Diffie-Hellman key are not generated. Likewise, a suitable configuration file must be added manually so that IPFire works as a client from then on.
|With Core 79 the RSA key lengths and the signature algorithms of all certificates and keys were changed. When newly generated on Core 79 or later, the root certificate uses a 4096-bit key with a SHA-2 signature algorithm of 512 bits, and the host certificate uses a 2048-bit key, also with a SHA-2 signature algorithm but of 256 bits (the same applies to the CRL). The RSA key for the control channel has been enlarged to 2048 bits. To benefit from these improvements, the whole PKI must be generated again on Core 79 or later.|
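To confirm that a regenerated PKI really has the parameters described above (root CA RSA 4096 / SHA-512, host certificate RSA 2048 / SHA-256, Diffie-Hellman parameters of at least 2048 bits, and a tls-auth key), the following added example inspects the exported files with the openssl CLI. It is not part of IPFire; the file paths handed to audit_pki are assumptions and depend on where you saved the exported files.

```shell
# Added example, not IPFire's own code: check exported OpenVPN PKI files
# against the parameters stated above for Core >= 79 (CA: RSA 4096 / SHA-512,
# host: RSA 2048 / SHA-256, DH prime >= 2048 bits, tls-auth key present).
# Needs the openssl CLI; the file paths given to audit_pki are assumptions.

# cert_key_bits CERT -> size of the RSA public key in bits
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_sig_alg CERT -> signature algorithm name, e.g. sha512WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# dh_bits DHPARAM -> size of the Diffie-Hellman prime in bits
dh_bits() {
    openssl dhparam -in "$1" -noout -text |
        sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# check_cert CERT BITS SIGALG -> 0 if key size and signature algorithm match
check_cert() {
    [ "$(cert_key_bits "$1")" = "$2" ] && [ "$(cert_sig_alg "$1")" = "$3" ]
}

# check_dh DHPARAM MINBITS -> 0 if the prime is at least MINBITS long
check_dh() {
    bits=$(dh_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# check_ta_key FILE -> 0 if FILE looks like an OpenVPN tls-auth static key
check_ta_key() {
    grep -q 'BEGIN OpenVPN Static key V1' "$1" 2>/dev/null
}

# audit_pki CA_CERT HOST_CERT DHPARAM TA_KEY -> 0 only if every check passes
audit_pki() {
    rc=0
    check_cert "$1" 4096 sha512WithRSAEncryption || { echo "CA cert: not RSA 4096 / SHA-512"; rc=1; }
    check_cert "$2" 2048 sha256WithRSAEncryption || { echo "host cert: not RSA 2048 / SHA-256"; rc=1; }
    check_dh "$3" 2048 || { echo "DH parameters: shorter than 2048 bits or unreadable"; rc=1; }
    check_ta_key "$4" || { echo "tls-auth key: missing or not a static key"; rc=1; }
    return $rc
}

if [ $# -eq 4 ]; then audit_pki "$@"; fi
```

Run it as `sh audit.sh cacert.pem hostcert.pem dh.pem ta.key`; a non-zero exit with a message names the file that does not meet the expected parameters.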