Lost original easy-rsa folder. How to create more client keys?
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 9
- Joined: Thu Jun 30, 2022 12:23 am
Lost original easy-rsa folder. How to create more client keys?
Someone misplaced or deleted the original easy-rsa folder that was used to generate certificates and keys for clients. Luckily I have the ca.crt and ca.key.
I don't know how to proceed to build the client keys now. There are already hundreds of clients deployed and if I generate new CA and CA key, it would be a problem. I want to generate client keys with existing ca.crt and ca.key using easy-rsa. Any suggestions?
More details here but no solution yet: https://serverfault.com/questions/11131 ... ave-ca-crt
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Lost original easy-rsa folder. How to create more client keys?
I assume that you have no backup ..
-
- OpenVpn Newbie
- Posts: 9
- Joined: Thu Jun 30, 2022 12:23 am
Re: Lost original easy-rsa folder. How to create more client keys?
Backup of easy-rsa folder? No, I don't have that. I have a backup of the original ca.crt that was built and the ca.key that was used to sign csr and keys. I don’t have the easy-rsa folder itself.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Lost original easy-rsa folder. How to create more client keys?
Then you have destroyed your PKI.
Fixing this is way beyond the scope of EasyRSA.
If you are determined to pursue your current approach then you can contact me privately for support. Fees will apply.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Thu Jun 30, 2022 12:23 am
Re: Lost original easy-rsa folder. How to create more client keys?
I am sorry I am not paying strangers.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Lost original easy-rsa folder. How to create more client keys?
With hundreds of clients, as you claim, if you understood the scale of your error,
you would probably choose to get to know me.
But it's your job, you fix it however you see fit.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Thu Jun 30, 2022 12:23 am
Re: Lost original easy-rsa folder. How to create more client keys?
Wow. What kind of rules are enforced here on this forum? People asking money for help. There are so many security implications for paying and sharing private information. If anyone has any solutions please post. No soliciting for money please.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Lost original easy-rsa folder. How to create more client keys?
You are the victim of your own incompetence.
You provide a paid service to your clients.
You do not have a backup.
Your server is not in a secure location.
Why should anybody help you for free ?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Thu Jun 30, 2022 12:23 am
Re: Lost original easy-rsa folder. How to create more client keys?
Because stackoverflow and this forum is not a paid one. People volunteer. I am not asking you for help. If anyone wants to volunteer then please do so. Why are you even posting here?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Lost original easy-rsa folder. How to create more client keys?
If your question was regarding using EasyRSA then I would help.
But your question is about how to recover from a disaster.
I can help ..
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Lost original easy-rsa folder. How to create more client keys?
I have already freely given enough of my time to Easy-RSA: https://github.com/OpenVPN/easy-rsa/graphs/contributors
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Lost original easy-rsa folder. How to create more client keys?
Hello rocketman11,
It is of course a shame that the most important part of your setup was not backed up. I don't want to be the guy to rub it in - you've already received enough of that, it looks like. A lesson for the future, I guess.
If you have lost your Easy-RSA folder, your PKI is indeed pretty much wiped out. However, in theory, if you have the CA key and the CA cert, you should be able to rebuild it. But it'll be a manual process. To be honest, I am not aware of a guide that explains how to do that, as it's generally accepted that you should keep that directory safe as it's the basis of your entire trust structure in the OpenVPN solution, so there wasn't much need to create such a guide.
Personally I do not have a lot of experience with Easy-RSA, but I would imagine that if I were to try to recover from this, I would try to follow these steps - not saying these are correct, but just saying that's what I would try;
- Reference Easy-RSA documentation how the structure works
- Set up a new PKI with Easy-RSA
- Put the old CA key and CA cert in there
- Edit: I previously wrote to edit serial with last generated cert serial number, but I was pointed out that this is randomized now so no worries there apparently
- Try to create a CSR and try signing a new client cert
Ultimately, the CA is used to sign CSR for server and client certificates, and so if you use that same CA, it should work to sign new client certificates.
On a sidenote, I think tincantech has been banned for his behavior. I apologize for any inconvenience, it is after all a public forum run by the community.
Best of luck to you,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
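The steps listed in the answer above, written out as an added shell example (not code from any poster or from the Easy-RSA project). It assumes Easy-RSA 3 installed as `easyrsa`, OpenSSL 1.1.1 or later, and the default `./pki` location; the function names, backup paths and client name are hypothetical.

```shell
#!/bin/sh
# Added example: rebuild an Easy-RSA 3 PKI around a surviving CA key pair.
# Assumes "easyrsa" and "openssl" are on PATH and the default ./pki location.

# True only if the private key in $2 belongs to the certificate in $1.
ca_pair_matches() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# True only if the certificate in $2 chains to the CA certificate in $1.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# usage: rebuild_pki_and_issue OLD_CA_CRT OLD_CA_KEY CLIENT_NAME
rebuild_pki_and_issue() {
    old_crt=$1; old_key=$2; client=$3
    # init-pki in batch mode would wipe an existing ./pki, so refuse to run.
    if [ -e pki ]; then echo "./pki already exists, aborting" >&2; return 1; fi
    ca_pair_matches "$old_crt" "$old_key" ||
        { echo "CA key does not match CA certificate" >&2; return 1; }

    EASYRSA_BATCH=1 easyrsa init-pki || return 1
    # Throwaway CA: only there so Easy-RSA creates index.txt, serial, issued/ ...
    EASYRSA_BATCH=1 easyrsa build-ca nopass || return 1
    # Replace the throwaway pair with the surviving one.
    cp "$old_crt" pki/ca.crt || return 1
    cp "$old_key" pki/private/ca.key && chmod 600 pki/private/ca.key || return 1

    # Generates a key and CSR, then signs it with pki/private/ca.key.
    EASYRSA_BATCH=1 easyrsa build-client-full "$client" nopass || return 1
    # Deployed peers trust the old ca.crt, so the new cert must chain to it.
    issued_by "$old_crt" "pki/issued/$client.crt" ||
        { echo "new certificate does not verify against old CA" >&2; return 1; }
}

# Example call (placeholder paths and name):
#   rebuild_pki_and_issue /backup/ca.crt /backup/ca.key client-0421
```

The rebuilt `pki/index.txt` starts empty, so a CRL generated from this PKI will not list any revocations made in the old one.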
-
- OpenVpn Newbie
- Posts: 9
- Joined: Thu Jun 30, 2022 12:23 am
Re: Lost original easy-rsa folder. How to create more client keys?
I really don’t care. Asking for money on this forum shouldn’t be allowed.
TinCanTech wrote: ↑Tue Oct 18, 2022 4:48 pm
I have already freely given enough of my time to Easy-RSA: https://github.com/OpenVPN/easy-rsa/graphs/contributors
-
- OpenVpn Newbie
- Posts: 9
- Joined: Thu Jun 30, 2022 12:23 am
Re: Lost original easy-rsa folder. How to create more client keys?
Thanks, that solved my problem. Used Easy-rsa, init-pki, replace the new ca.crt and ca.key with old ones and then build-full server and client.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Lost original easy-rsa folder. How to create more client keys?
Hi rocketman11,
Glad to hear that worked. Thanks for reporting back on your success. It may be helpful to others in the future.
Kind regards,
Johan
OpenVPN Inc.