Generating certificates for new clients

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

bk6662
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 22, 2016 3:12 pm

Generating certificates for new clients

Post by bk6662 » Mon Aug 22, 2016 3:34 pm

Hello,

I installed OpenVPN on an Ubuntu machine, and generated certificates to allow another Linux client to connect. Verified it's working, and the client is forced to use the VPN tunnel.

In the example I followed, the server certs (including the DH pem file) were moved to /etc/openvpn. Client certs were moved elsewhere.

Now that it's working I'd like to generate certificates to allow me to add additional clients. I tried this by going to /etc/openvpn/easy-rsa and running 'build-key clientname'. I received a message about needing to source vars and ./clean-all first. So I ran these commands (knowing that the certificates in the keys folder had already been moved out). Then I tried to generate the client certs again. This time I received a message about missing the CA certs and the private key. I then moved ca.* & dh1024.pem back over to the keys folder and tried again. Now I get a message "Unable to load CA Private Key 140431349081752:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY".

Keys are still generating, but I'm guessing they're not valid. In order to generate additional client keys, do I need to re-generate server cert, CAs, and DH Keys? Or am I missing something else?

Thank you!
-bk

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Generating certificates for new clients

Post by TinCanTech » Mon Aug 22, 2016 4:13 pm

You must find your original ./easyrsa/pki directory with the original ca.crt & ca.key to generate new certificates for your PKI.

Whatever you do, take a backup first!

bk6662
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 22, 2016 3:12 pm

Re: Generating certificates for new clients

Post by bk6662 » Mon Aug 22, 2016 4:29 pm

Hi TinCanTech,

Really appreciate your quick response. I've never seen a reference to the directory you specified, and I don't have a PKI directory underneath easy-rsa. Should I, or is that the same as the 'keys' folder I created and am using? My keys folder does contain the original ca.crt & ca.key (although I had to copy them back over, after I ran the clean-all script). Yes I do understand the importance of backups!

Am I misunderstanding your advice...or am I on the right track? Still not clear on what I need to do in order to generate new certificates.

Thanks again!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Generating certificates for new clients

Post by TinCanTech » Mon Aug 22, 2016 5:20 pm

bk6662 wrote: My keys folder does contain the original ca.crt & ca.key (although I had to copy them back over, after I ran the clean-all script).
I cannot recover you from a ./clean-all .. you will find this much easier to start a new PKI from scratch.
bk6662 wrote: Yes I do understand the importance of backups!
And keep a Full backup in future.

bk6662
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 22, 2016 3:12 pm

Re: Generating certificates for new clients

Post by bk6662 » Mon Aug 22, 2016 5:34 pm

Ok so you're saying I should have not run that command then right? I do have backups of all the files before I ran a clean-all. You're saying those are not useful?

Is there any possibility you can tell me what I *should* have done, in generating additional client certificates? I admit I'm new to this. But I'm surprised to hear that my efforts to back up files weren't sufficient, and that I'll need to start from scratch. I have a working VPN and 1 client is able to connect. But I haven't been able to find any documentation showing the proper way to add clients.

Or can I possibly just share the same client files to my new client machines? Honestly a small setup so I'm not concerned about reusing keys if that's a viable alternative.

Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Generating certificates for new clients

Post by TinCanTech » Mon Aug 22, 2016 6:22 pm

bk6662 wrote: I do have backups of all the files before I ran a clean-all
That ought to be suitable.
bk6662 wrote: Is there any possibility you can tell me what I *should* have done, in generating additional client certificates?
Well, presuming you have easyrsa-222 that would be ./build-key common_name ..
bk6662 wrote: so you're saying I should have not run that command then right?
You should read the help in ./vars

EG:

Code:

# WARNING: clean-all will do
# a rm -rf on this directory
delete everything on this directory ..
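
Added example (not part of the thread, and not Easy-RSA's own code): a pre-flight check to run on the keys directory before issuing another client certificate. It catches the "no start line ... Expecting: ANY PRIVATE KEY" condition quoted above and archives the directory first. The function names are hypothetical, and it assumes the easy-rsa 2.x layout where ca.crt, ca.key, index.txt and serial all sit in the keys directory.

```shell
#!/bin/sh
# Added example: pre-flight check for an easy-rsa 2.x keys directory.
# Assumption: ca.crt, ca.key, index.txt and serial all live in that directory.

# has_pem_header FILE LABEL_REGEX -> 0 if FILE is non-empty and has that PEM BEGIN line
has_pem_header() {
    [ -s "$1" ] && grep -Eq -- "^-----BEGIN $2-----" "$1"
}

# check_key_dir DIR -> prints one line per problem; returns 0 only if none were found
check_key_dir() {
    dir=$1
    problems=0
    # A ca.key without a PEM start line is what openssl reports as
    # "PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY".
    if ! has_pem_header "$dir/ca.key" '([A-Z]+ )?PRIVATE KEY'; then
        echo "ca.key: missing, empty, or not a PEM private key"
        problems=$((problems + 1))
    fi
    if ! has_pem_header "$dir/ca.crt" 'CERTIFICATE'; then
        echo "ca.crt: missing, empty, or not a PEM certificate"
        problems=$((problems + 1))
    fi
    # The CA database files are needed to sign anything new.
    for f in index.txt serial; do
        if [ ! -f "$dir/$f" ]; then
            echo "$f: missing"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# backup_key_dir DIR DEST.tar -> archive DIR before any script touches it
backup_key_dir() {
    tar -cf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Usage: sh preflight.sh /etc/openvpn/easy-rsa/keys
[ "$#" -eq 0 ] || check_key_dir "$1"
```

This only inspects PEM headers and file presence; it does not prove that ca.key is the private key belonging to ca.crt.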
