Failure to generate keys ?

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

NthrnNYker
OpenVpn Newbie
Posts: 3
Joined: Sat Feb 20, 2016 9:17 pm

Failure to generate keys ?

Post by NthrnNYker » Sat Feb 20, 2016 9:36 pm

Hmmm --- What I am attempting to do here is connect 2 Linksys/Cisco routers running on DD-WRT with OpenVPN inherent to the firmware (in bridge configuration).

I am running on the latest version of Windows 10, and a brand-new copy of OpenVPN just downloaded today.

That said, I need to generate the security keys in order to properly configure the routers, and following the guide exactly :

https://openvpn.net/index.php/open-sour ... ml#vpntype

This is what I got:

--------------------------------------------------------------------------------------------------------------------

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-key-server server
WARNING: can't open config file: /etc/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
............++++++
.......................................++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [NY]:NY
Locality Name (eg, city) [xxxxxx]:xxxxxx
Organization Name (eg, company) [xxxxxxxxxx]:xxxxxxxxxx
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:MAIN
Name [changeme]:xxxxxxxxxx
Email Address [xxxxxxxx@roadrunner.com]:xxxxxxxx@roadrunner.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'NY'
localityName :PRINTABLE:'xxxxxx'
organizationName :PRINTABLE:'xxxxxxxx'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'MAIN'
name :PRINTABLE:'xxxxxxxxxx'
emailAddress :IA5STRING:'xxxxxxxx@roadrunner.com'
Certificate is to be certified until Feb 17 20:47:21 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-key Client1
WARNING: can't open config file: /etc/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............++++++
..++++++
writing new private key to 'keys\Client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [NY]:NY
Locality Name (eg, city) [Hadley]:xxxxxx
Organization Name (eg, company) [xxxxxxxxxx]:xxxxxxxxxx
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:MAIN
Name [changeme]:xxxxxxxxxx
Email Address [xxxxxxxx@roadrunner.com]:xxxxxxxx@roadrunner.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'NY'
localityName :PRINTABLE:'xxxxxx'
organizationName :PRINTABLE:'xxxxxxxxxx'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'MAIN'
name :PRINTABLE:'xxxxxxxxxx'
emailAddress :IA5STRING:'xxxxxxxx@roadrunner.com'
Certificate is to be certified until Feb 17 20:52:45 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old

C:\Program Files\OpenVPN\easy-rsa>

---------------------------------------------------------------------------------

What am I doing wrong here ?
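
Added example, not part of the original post and not Easy-RSA code: OpenSSL's `ca` command reports `TXT_DB error number 2` when the row it is about to write would clash with an entry already in `index.txt`, and in the transcript above both requests were given Common Name MAIN. The sketch below runs that clash check against a constructed index; the sample DN values, serial numbers and function names are assumptions.

```python
"""Pre-flight check of an OpenSSL CA database (index.txt) before signing."""

# Constructed subject and index row standing in for the state after
# build-key-server. Columns are tab-separated:
# status, expiry, revocation date, serial, file name, subject DN.
SERVER_SUBJECT = "/C=US/ST=NY/L=Example/O=ExampleOrg/OU=changeme/CN=MAIN"
SAMPLE_INDEX = "V\t260217204721Z\t\t01\tunknown\t" + SERVER_SUBJECT + "\n"


def parse_index(text):
    """Return one dict per non-empty index.txt row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expires, revoked, serial, _fname, subject = fields
        rows.append({"status": status, "expires": expires, "revoked": revoked,
                     "serial": serial.upper(), "subject": subject})
    return rows


def clash(rows, subject, serial, unique_subject=True):
    """Return why adding (subject, serial) would clash, or None if it would not."""
    for row in rows:
        # Serial numbers must be unique across every row, valid or not.
        if row["serial"] == serial.upper():
            return f"serial {serial} already issued to {row['subject']}"
        # With unique_subject = yes, only valid (V) rows block a repeated subject.
        if unique_subject and row["status"] == "V" and row["subject"] == subject:
            return f"subject already has valid certificate {row['serial']}"
    return None


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    client_same_cn = SERVER_SUBJECT                        # CN=MAIN reused
    client_own_cn = SERVER_SUBJECT.replace("CN=MAIN", "CN=Client1")
    print("CN=MAIN   :", clash(db, client_same_cn, "02"))
    print("CN=Client1:", clash(db, client_own_cn, "02"))
```

The `unique_subject` setting is stored beside the database in `index.txt.attr`; giving each certificate its own Common Name avoids the clash without relaxing it.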

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Failure to generate keys ?

Post by Traffic » Sat Feb 20, 2016 9:51 pm

What version of easyrsa are you using ?

Try this:
topic19629.html

NthrnNYker
OpenVpn Newbie
Posts: 3
Joined: Sat Feb 20, 2016 9:17 pm

Re: Failure to generate keys ?

Post by NthrnNYker » Sat Feb 20, 2016 10:56 pm

Traffic wrote:What version of easyrsa are you using ?
Well I just downloaded openvpn-install-2.3.10-I602-x86_64 --- and as far as I can see, the included easy-rsa does not specify a version number.

But I will try that other version right now - thank you

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Failure to generate keys ?

Post by Traffic » Sat Feb 20, 2016 11:36 pm

You might like to read vars

NthrnNYker
OpenVpn Newbie
Posts: 3
Joined: Sat Feb 20, 2016 9:17 pm

Re: Failure to generate keys ?

Post by NthrnNYker » Sat Feb 20, 2016 11:56 pm

Traffic wrote:You might like to read vars

The batch file ?

-----------------------------------

@echo off
rem Edit this variable to point to
rem the openssl.cnf file included
rem with easy-rsa.

set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf

rem Edit this variable to point to
rem your soon-to-be-created key
rem directory.
rem
rem WARNING: clean-all will do
rem a rm -rf on this directory
rem so make sure you define
rem it correctly!
set KEY_DIR=keys

rem Increase this to 2048 if you
rem are paranoid. This will slow
rem down TLS negotiation performance
rem as well as the one-time DH parms
rem generation process.
set KEY_SIZE=1024

rem These are the default values for fields
rem which will be placed in the certificate.
rem Change these to reflect your site.
rem Don't leave any of these parms blank.

set KEY_COUNTRY=US
set KEY_PROVINCE=NY
set KEY_CITY=xxxxxx
set KEY_ORG=xxxxxxxxx
set KEY_EMAIL=xxxxxxxxxx@roadrunner.com
set KEY_CN=changeme
set KEY_NAME=changeme
set KEY_OU=changeme
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234

---------------------------------------------------

The BAT file lists a version for openssl, but I don't see anything referring to an "Easy-RSA" version.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Failure to generate keys ?

Post by Traffic » Sun Feb 21, 2016 12:37 am

I think you could start from scratch with init-pki

Note: This will delete ALL of your current PKI ..
