cheatSheet

This page describes the fastest way to use Easy-TLS.

Required: download-and-install

Easy-TLS v2.6 introduced TLS-Crypt-V2 Server/Client GROUP keys.

- Note: easytls is required; versions prior to v2.7.0 do not create keys with the correct names.
- Note: All Server TLS-Crypt-V2 keys are Group keys, by default.
- Editorial: Using a GROUP key has the side effect of being able to arbitrarily classify clients.
- GROUP keys can be used by multiple clients.
- Normal keys can also be used by multiple clients, but Easy-TLS expects each X509 client to have its own key. Multiple client keys may possibly be created via the option `--subkey-name`.
Put simply, use easytls to create a Server GROUP key, e.g. `Organisation-Unit`.

Note: If you already have a TLS-Crypt-V2 key for your Server then you can (and should) use that key to generate Client keys from. You do not require a new Server Group key.

Then create as many Client GROUP keys as are desired, e.g. `Accounts`, `Sales`, `UK-Sales` or `Family and Friends`.
Server:

- Note: If you already have a TLS-Crypt-V2 Server key then you do not need a new one; skip this single step.

```sh
./easytls build-tls-crypt-v2-group-server \
    <SERVER_GROUP_NAME>
```

- `<SERVER_GROUP_NAME>` is a top level personal/professional domain.
- I use one single TLS-Crypt-V2 Server key, named `tincantech-s01`, for all my personal servers. (Three servers ;-)
- Abbreviation: `bc2gs`
Client:

- Note: You can not skip this step.

```sh
./easytls build-tls-crypt-v2-group-client \
    <SERVER_KEY_NAME> <CLIENT_GROUP_NAME> <HWADDR> <HWADDR> <IP-RANGE> <IP-RANGE>
```

- `<CLIENT_GROUP_NAME>` is completely arbitrary: `family`, `friends`, `planets` or departments. The choice is yours.
- Abbreviation: `bc2gc`
- Note: If you already have a TLS-Crypt-V2 Server key then use that name for `<SERVER_KEY_NAME>`.
- It is possible to add Hardware and/or IP-Address lock-down to client Group keys, but it is unlikely to be of value.
  - `HWADDR` (MAC-Address), eg. `01:23:45:67:89:0A`
  - `IP-RANGE` (CIDR) as `network/bits`, eg. `1.2.3.0/24`, `2000:1:2:3::/64` (IPv4/6)
Server:

```sh
./easytls inline-tls-crypt-v2-server \
    <SERVER_X509_COMMON_NAME> <SERVER_GROUP_NAME>
```

- Abbreviation: `ic2s`
- Note: All Server TLS-Crypt-V2 keys are suitable as Group keys, by default.
Client:

```sh
./easytls inline-tls-crypt-v2-group-client \
    <CLIENT_X509_COMMON_NAME> <CLIENT_GROUP_NAME>
```

- Abbreviation: `ic2gc`
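An added example, not Easy-TLS project code, that chains the four cheat-sheet steps (build Server Group key, build Client Group key, inline for the Server, inline for the Client) into one POSIX shell function and rejects a malformed `HWADDR` or `IP-RANGE` before easytls is ever invoked, so a typo in a lock-down argument fails early rather than producing a key with a wrong lock. Everything other than the four easytls sub-commands is an assumption of this example: the `EASYTLS` and `EASYTLS_DRY_RUN` variables, the validator functions, the simplified IPv6 check, and the constructed sample values. It also assumes the Server key name passed to the client step is the Server Group name created in the first step.

```sh
#!/bin/sh
# Added example, not Easy-TLS code: wraps the cheat-sheet steps in one
# workflow and checks HWADDR / IP-RANGE arguments before calling easytls.
# EASYTLS_DRY_RUN=1 prints the commands instead of running them (this
# variable is an assumption of the example, not an easytls option).

EASYTLS="${EASYTLS:-./easytls}"

# HWADDR: six colon-separated hex pairs, eg. 01:23:45:67:89:0A
validate_hwaddr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# IPv4 CIDR: four octets 0-255 plus a prefix length 0-32, eg. 1.2.3.0/24
validate_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    # the regex allows 999; check every octet is really within 0-255
    for octet in $(printf '%s\n' "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# IPv6 CIDR (simplified, assumption of this example): hex groups joined by
# ':' plus a prefix length 0-128, eg. 2000:1:2:3::/64. It does not verify
# the exact group count, only the overall shape.
validate_ipv6_cidr() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){2,7}/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

validate_ip_range() {
    validate_ipv4_cidr "$1" || validate_ipv6_cidr "$1"
}

# Run a command, or print it when EASYTLS_DRY_RUN=1.
run() {
    if [ "${EASYTLS_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# easytls_group_workflow SERVER_CN SERVER_GROUP CLIENT_CN CLIENT_GROUP [LOCK ...]
# LOCK arguments are the optional HWADDR or IP-RANGE values from the
# cheat-sheet; any malformed one aborts before easytls is called.
easytls_group_workflow() {
    server_cn="$1"; server_group="$2"; client_cn="$3"; client_group="$4"
    shift 4
    for lock in "$@"; do
        validate_hwaddr "$lock" || validate_ip_range "$lock" || {
            printf 'invalid HWADDR/IP-RANGE: %s\n' "$lock" >&2
            return 1
        }
    done
    run "$EASYTLS" build-tls-crypt-v2-group-server "$server_group" &&
    run "$EASYTLS" build-tls-crypt-v2-group-client "$server_group" "$client_group" "$@" &&
    run "$EASYTLS" inline-tls-crypt-v2-server "$server_cn" "$server_group" &&
    run "$EASYTLS" inline-tls-crypt-v2-group-client "$client_cn" "$client_group"
}

# Constructed sample values; with EASYTLS_DRY_RUN=1 this prints the four
# easytls commands instead of running them:
# EASYTLS_DRY_RUN=1 easytls_group_workflow server01 tincantech-s01 alice family 01:23:45:67:89:0A 1.2.3.0/24
```

Run it once with `EASYTLS_DRY_RUN=1` to confirm the four commands and their argument order match the cheat-sheet before letting it touch your real `easytls` installation.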