[EasyRSA 3] help generating certificates & keys clients

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

xlepws
OpenVpn Newbie
Posts: 12
Joined: Sun Oct 25, 2015 2:53 pm

[EasyRSA 3] help generating certificates & keys clients

Post by xlepws » Sun Jan 24, 2016 3:40 pm

Hello, I'm setting up a VPN server on a Win10 host.
In the past, I had always followed these instructions: https://openvpn.net/index.php/open-sour ... ml#install

But now it seems I can't do server+clients certificates generation on the same machine, e.g. with command build-key client1?

Code:

1. Choose a system to act as your CA and create a new PKI and CA:
./easyrsa init-pki
./easyrsa build-ca

2. On the system that is requesting a certificate, init its own PKI and generate a keypair/request. Note that the init-pki is used only when this is done on a separate system (or at least a separate PKI dir.) This is the recommended procedure. If you are not using this recommended procedure, skip the next import-req step as well.
./easyrsa init-pki
./easyrsa gen-req EntityName

3. Transport the request (.req file) to the CA system and import it. The name given here is arbitrary and only used to name the request file.
./easyrsa import-req /tmp/path/to/import.req EntityName

4. Sign the request as the correct type. This example uses a client type:
./easyrsa sign-req client EntityName

5. Transport the newly signed certificate to the requesting entity. This entity may also need the CA cert (ca.crt) unless it had a prior copy.

The entity now has its own keypair, and signed cert, and the CA.
I find this process more tricky! :? The end-user (client) is supposed to just receive the necessary files and connect to my server (without having to start shells on its system to create req files)..how can this be done now?

Thanks!

xlepws
OpenVpn Newbie
Posts: 12
Joined: Sun Oct 25, 2015 2:53 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by xlepws » Sun Jan 24, 2016 4:12 pm

silly me :)

using the

Code:

./easyrsa build-client-full server
and

Code:

./easyrsa build-client-full client_1
...
./easyrsa build-client-full client_n
did the trick :)

But I could not find a single place on the internet where a Win OpenVPN server installation using EasyRSA3 is explained from the beginning to the end :| ..do you know of any such resource?

wamiduku
OpenVpn Newbie
Posts: 6
Joined: Tue Oct 09, 2012 10:56 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by wamiduku » Tue Feb 23, 2016 4:30 pm

Where did you find the doc for "build-client-full" and "build-server-full"? I've searched all doc files, but I can't find any mention of either.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [EasyRSA 3] help generating certificates & keys clients

Post by Traffic » Tue Feb 23, 2016 5:43 pm

Those scripts are part of EasyRSA v3x ..
topic19629.html

wamiduku
OpenVpn Newbie
Posts: 6
Joined: Tue Oct 09, 2012 10:56 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by wamiduku » Wed Feb 24, 2016 1:24 am

Traffic wrote: Those scripts are part of EasyRSA v3x ..
topic19629.html
Actually they're not scripts, but arguments to the "easy_rsa" script. I've searched everything in https://github.com/OpenVPN/easy-rsa/tree/master/doc, but I can't find any mention of them.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [EasyRSA 3] help generating certificates & keys clients

Post by Traffic » Wed Feb 24, 2016 1:54 am

wamiduku wrote: Actually they're not scripts, but arguments
If you want to split hairs .. this would be the right place ..

Just download EasyRSA3xx and get on with it .. start with the README and read vars.

wamiduku
OpenVpn Newbie
Posts: 6
Joined: Tue Oct 09, 2012 10:56 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by wamiduku » Wed Feb 24, 2016 2:38 am

So, I won't need to use build-xxx-full arguments then, since they're not used in the readme? It seems that the OP needed them for some reason.

I find the EasyRSA section in https://openvpn.net/index.php/open-sour ... html#quick much more complete than the new readme, but unfortunately that link is for an older version.

wamiduku
OpenVpn Newbie
Posts: 6
Joined: Tue Oct 09, 2012 10:56 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by wamiduku » Wed Feb 24, 2016 2:47 am

Never mind, I found a useful EasyRSA tutorial here: http://www.hydrogen18.com/blog/your-own ... olang.html

xlepws
OpenVpn Newbie
Posts: 12
Joined: Sun Oct 25, 2015 2:53 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by xlepws » Mon Mar 14, 2016 8:53 pm

wamiduku wrote: Where did you find the doc for "build-client-full" and "build-server-full"? I've searched all doc files, but I can't find any mention of either.
I just ran ./easyrsa at the command prompt in the EasyRSA 3 Shell, and I saw those commands in the list shown :)

xlepws
OpenVpn Newbie
Posts: 12
Joined: Sun Oct 25, 2015 2:53 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by xlepws » Tue Mar 15, 2016 1:27 am

of course here
xlepws wrote: using the

Code:

./easyrsa build-client-full server
there's a mistake, it should be
./easyrsa build-server-full server
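
Why the correction in the last post matters: EasyRSA 3 signs a build-client-full certificate as the client type (extendedKeyUsage clientAuth) and a build-server-full certificate as the server type (serverAuth), and an OpenVPN client configured with remote-cert-tls server rejects a server certificate without serverAuth. The check below is an added example, not part of the thread or of EasyRSA; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a certificate by its Extended Key Usage (EKU).
# Input is the text that `openssl x509 -noout -text` prints.

# eku_role: read certificate text on stdin, print server|client|both|none.
eku_role() {
    awk '
        /X509v3 Extended Key Usage/ { in_eku = 1; next }  # value is on the next line
        in_eku {
            if ($0 ~ /TLS Web Server Authentication/) server = 1
            if ($0 ~ /TLS Web Client Authentication/) client = 1
            in_eku = 0
        }
        END {
            if (server && client) print "both"
            else if (server)      print "server"
            else if (client)      print "client"
            else                  print "none"
        }'
}

# check_cert FILE EXPECTED: succeed only if FILE carries the expected role.
check_cert() {
    role=$(openssl x509 -in "$1" -noout -text | eku_role)
    if [ "$role" = "$2" ]; then
        echo "OK   $1 is a $role certificate"
    else
        echo "FAIL $1 is '$role', expected '$2'" >&2
        return 1
    fi
}

# Constructed samples: only the extension lines of the openssl text output.
SAMPLE_SERVER='        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment'
SAMPLE_CLIENT='        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature'
```

Run `check_cert path/to/server.crt server` before deploying, where the path is a placeholder for the issued certificate; a certificate built with build-client-full reports `client` and fails the check.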
