easy-rsa building CA takes a short time

mirek_adept · 05-12-2019, 07:03 PM

To build PKI and vpn on my linux home server I use OpenVpn and easy-rsa packages.
I start with easyrsa init-pki.
Then I use easyrsa build-ca. This step takes a short time /up to one second/. One of next step is easyrsa gen-dh. It takes about 3 minutes. I think it is OK, but why easyrsa build-ca is so fast operation? It must make time-consuming calculations (generate two huge primary numbers etc). My home /laboratory/ server is based on simple desktop computer with cheap Intel Core processor. Each generated files looks quite good.

adept

ntubski · 05-14-2019, 10:26 PM

Quote:

Originally Posted by mirek_adept

Then I use easyrsa build-ca. This step takes a short time /up to one second/. One of next step is easyrsa gen-dh. It takes about 3 minutes. I think it is OK, but why easyrsa build-ca is so fast operation?

For RSA of size 2048 bit (for example), you just need two random primes of size 1024. For DH of size 2048, you need a random prime of size 2048 and a corresponding generator with a prime order. So for DH you need to generate larger primes, and you might need to throw away some primes that don't have the right properties.

Although really, for DH you can just use pre-generated standard domains, e.g., https://tools.ietf.org/html/rfc3526.