Easy-RSA 3 - CSR on same system as PKI fails

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

Post by Furism » Sat May 03, 2014 7:50 am

Hi,

I’m trying to set up a scenario where I have a CA on a server and I’d like to generate requests and sign them on that same server. I'm using this on CentOS 6.5 and using Easy-RSA 3.

I can make this work to init the pki, build the CA, and generate one server certificate, like so:

Code:

./easyrsa init-pki
./easyrsa build-ca nopass

./easyrsa gen-req "$HOSTNAME" nopass
./easyrsa sign-req server "$HOSTNAME"

However, when I try to generate more certificates (client in that case), I get an error:

Code:

userName=$1
./easyrsa gen-req "$userName" nopass # this works
./easyrsa sign-req client "$userName" # this doesn’t

The sign-req action fails when I execute it:

Code:

[root@vps93298 easyrsa3]# ./easyrsa sign-req client zobi
Using configuration from /home/easyrsa/easy-rsa/easyrsa3/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'IDF'
localityName          :PRINTABLE:'Paris'
organizationName      :PRINTABLE:'Something'
organizationalUnitName:PRINTABLE:'Private Signing Authority'
commonName            :PRINTABLE:'vps93298.somedomain.io'
emailAddress          :IA5STRING:'admin@somedomain.io'
Certificate is to be certified until Apr 26 16:46:10 2024 GMT (3650 days)
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)
[root@vps93298 easyrsa3]#

As you can see, I run all this as root for the moment.

Is this not supported? I realize that the documentation says that signing requests are done on another system (or another PKI path, I suppose), but it would be very useful to me to get all that to work on just one PKI. Is it possible?

Any help would be appreciated!

Re: Easy-RSA 3 - CSR on same system as PKI fails

Post by Furism » Sat May 03, 2014 5:09 pm

My problem is that I can't sign more than one certificate, apparently - not to set up the PKI. The PKI is generated, as detailed in my post :) I also generated a CSR for a server certificate, and I could sign a certificate using the CA and that CSR. The problem is that after that step, I can't generate client certificates because of an error that is not clear to me.
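
Added example, not part of the thread or of Easy-RSA: `openssl ca` reports `TXT_DB error number 2` when the new row clashes with one already in `index.txt`, most often a still-valid certificate with the same subject while `unique_subject` is left at its default of yes. In the log above, the request signed as `zobi` carries the commonName `vps93298.somedomain.io`. The functions below check an index file for such a clash before signing; the function names, serials and dates are constructed, and the DN is assembled from the fields in that log.

```shell
#!/bin/sh
# Added example (not from the thread). index.txt rows are tab-separated:
#   status (V/R/E), expiry, revocation time, serial, file name, subject DN

# Print the serial of every still-valid (V) row whose subject equals $2.
valid_serials_for_subject() {
    DN="$2" awk -F '\t' '$1 == "V" && $6 == ENVIRON["DN"] { print $4 }' "$1"
}

# Succeed when signing a request with subject $2 would clash with a valid row.
subject_would_clash() {
    [ -n "$(valid_serials_for_subject "$1" "$2")" ]
}

# DN fields taken from the thread's log; serials and dates are constructed.
BASE_DN='/C=FR/ST=IDF/L=Paris/O=Something/OU=Private Signing Authority'
SERVER_DN="$BASE_DN/CN=vps93298.somedomain.io/emailAddress=admin@somedomain.io"
REVOKED_DN="$BASE_DN/CN=old-client/emailAddress=admin@somedomain.io"
CLIENT_DN="$BASE_DN/CN=zobi/emailAddress=admin@somedomain.io"

# Constructed sample index: one valid server row, one revoked client row.
sample_index() {
    printf 'V\t%s\t\t%s\tunknown\t%s\n' 240426164610Z 01 "$SERVER_DN"
    printf 'R\t%s\t%s\t%s\tunknown\t%s\n' 240426164610Z 140503170000Z 02 "$REVOKED_DN"
}

# Demo: a request reusing the server's DN clashes; a revoked row and a
# request with its own commonName do not.
idx=$(mktemp)
sample_index > "$idx"
for dn in "$SERVER_DN" "$REVOKED_DN" "$CLIENT_DN"; do
    if subject_would_clash "$idx" "$dn"; then
        echo "clash with serial $(valid_serials_for_subject "$idx" "$dn"): $dn"
    else
        echo "ok to sign: $dn"
    fi
done
rm -f "$idx"
```

Against a real PKI, pass the CA's `index.txt` and the request's subject in the same slash-separated form the index uses.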