
PKI configuration
Closed, Resolved | Public | FEATURE REQUEST


I think VyOS would benefit from having some form of PKI configuration included, also where the certificates and keys are written directly into the config to allow for portability (somewhat like crypto pki in Cisco).

I have been experimenting and was thinking of something like:

Conf mode:

set pki ca <ca-name> certificate <cert_data>
set pki ca <ca-name> private key <key_data>
set pki ca <ca-name> private passphrase 'abcdef'
set pki ca <ca-name> private type 'rsa'

set pki certificate [name] ... <same as CA tag node>

Op mode:

generate pki ca <name> [install]  # Generates a CA certificate and private key
generate pki certificate <name> [install] # Generates a private key and certificate request
generate pki certificate <name> self-signed [install] # Generates self-signed certificate
generate pki certificate <name> sign [ca-name] [install] # Generates private key and certificate request, signs with CA at [ca-name]

The optional install setting in op-mode could either output lines to enter in conf-mode or, if appropriate, auto-install the generated certs/keys into the running config.

The goal of this would be for use across the entire configuration. Like how set vpn rsa-keys and set service https are managing their own certificates/keys, they could instead reference a central location.

Any thoughts?

Migration checklist:

  • IPSec RSA
  • IPSec X509
  • L2TP
  • LetsEncrypt
  • OpenConnect
  • OpenVPN
  • SSTP
  • Wireguard


Difficulty level: Unknown (require assessment)
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Unspecified (please specify)

Event Timeline

sarthurdev changed the task status from In progress to Needs testing. Jul 22 2021, 3:49 PM
sarthurdev updated the task description. (Show Details)

Hey everyone,

I tested this feature yesterday with an OpenVPN server.
I have to say that I really like the new way of managing a PKI.

But I have a slight problem:
My PKI is using elliptic curve crypto. VyOS is not able to save the private key,
because it tries to append the wrong PEM headers/footers.

I read in the original post that a:
set pki ca <ca-name> private type 'rsa'
should be supported. I read the implementation and found no trace of it (yet).
So is somebody working on it? Is that even the way to go, or do you prefer another
interface? If nobody is working on it I would try to implement the feature this week.
(I hope that I have enough time for that.)

Have a nice day!
Nicolas Riebesel

I think I found my problem. I didn't know the difference between PKCS#1 and PKCS#8.
If I give the key in PKCS#8 format I can finally commit the changes without problems.

But on the way I found other odd things:

  • I found a check in conf_mode/ that should check that the certificate used for openvpn has no password. For some reason I haven't gotten that error.
  • With the PKCS#8 key OpenVPN is not able to start anymore, because VyOS wants me to delete dh-file, but that in turn requires setting dh none in the OpenVPN config, otherwise it will error on the missing dh parameter. See:

So I think the documentation should be changed to reflect the fact that a PKCS#8 private key is required and that the dh parameter should be fixed.

I have created a PR for the bugs that I found above. I hope that it is acceptable to solve these within this ticket:

c-po closed subtask T3651: Move certbot request to op-mode as Wontfix.
c-po updated the task description. (Show Details)
c-po set Issue type to Unspecified (please specify).