Hello,
I installed OpenVPN on an Ubuntu machine, and generated certificates to allow another Linux client to connect. Verified it's working, and the client is forced to use the VPN tunnel.
In the example I followed, the server certs (including the DH pem file) were moved to /etc/openvpn. Client certs were moved elsewhere.
Now that it's working I'd like to generate certificates to allow me to add additional clients. I tried this by going to /etc/openvpn/easy-rsa and running 'build-key clientname'. I received a message about needing to source vars and ./clean-all first. So I ran these commands (knowing that the certificates in the keys folder had already been moved out). Then I tried to generate the client certs again. This time I received a message about missing the CA certs and the private key. I then moved ca.* & dh1024.pem back over to the keys folder and tried again. Now I get a message "Unable to load CA Private Key 140431349081752:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY"
Keys are still generating, but I'm guessing they're not valid. In order to generate additional client keys, do I need to re-generate server cert, CAs, and DH Keys? Or am I missing something else?
Thank you!
-bk
Generating certificates for new clients
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Aug 22, 2016 3:12 pm
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Generating certificates for new clients
You must find your original ./easyrsa/pki directory with the original ca.crt & ca.key to generate new certificates for your PKI.
Whatever you do, take a backup first!
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Aug 22, 2016 3:12 pm
Re: Generating certificates for new clients
Hi TinCanTech,
Really appreciate your quick response. I've never seen a reference to the directory you specified, and I don't have a PKI directory underneath easy-rsa. Should I, or is that the same as the 'keys' folder I created and am using? My keys folder does contain the original ca.crt & ca.key (although I had to copy them back over, after I ran the clean-all script). Yes I do understand the importance of backups!
Am I misunderstanding your advice...or am I on the right track? Still not clear on what I need to do in order to generate new certificates.
Thanks again!
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Generating certificates for new clients
bk6662 wrote: My keys folder does contain the original ca.crt & ca.key (although I had to copy them back over, after I ran the clean-all script).
I cannot recover you from a ./clean-all .. you will find this much easier to start a new PKI from scratch.
bk6662 wrote: Yes I do understand the importance of backups!
And keep a Full backup in future.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Aug 22, 2016 3:12 pm
Re: Generating certificates for new clients
Ok so you're saying I should have not run that command then right? I do have backups of all the files before I ran a clean-all. You're saying those are not useful?
Is there any possibility you can tell me what I *should* have done, in generating additional client certificates? I admit I'm new to this. But I'm surprised to hear that my efforts to back up files weren't sufficient, and that I'll need to start from scratch. I have a working VPN and 1 client is able to connect. But I haven't been able to find any documentation showing the proper way to add clients.
Or can I possibly just share the same client files to my new client machines? Honestly a small setup so I'm not concerned about reusing keys if that's a viable alternative.
Thanks.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Generating certificates for new clients
bk6662 wrote: I do have backups of all the files before I ran a clean-all
That ought to be suitable.
bk6662 wrote: Is there any possibility you can tell me what I *should* have done, in generating additional client certificates?
Well, presuming you have easyrsa-222 that would be ./build-key common_name ..
bk6662 wrote: so you're saying I should have not run that command then right?
You should read the help in ./vars
EG:
Code:
# WARNING: clean-all will do
# a rm -rf on this directory
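
Added example (not part of the thread and not easy-rsa's own code): a pre-flight check to run against the keys directory before `./build-key`, covering the two states discussed above, a wiped directory with only ca.* copied back and a directory restored from backup. The file layout (ca.key, ca.crt, index.txt, serial in one directory) and the names `has_pem_block`, `check_keys_dir` and `check_keys.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check of an easy-rsa 2.x keys directory before
# ./build-key. Assumed layout: ca.key, ca.crt, index.txt and serial in one dir.

# has_pem_block FILE LABEL_REGEX
# True when FILE is non-empty and has a "-----BEGIN <label>-----" start line.
has_pem_block() {
    [ -s "$1" ] && grep -Eq -- "^-----BEGIN $2-----" "$1"
}

# check_keys_dir DIR
# Prints one line per problem and returns the number of problems (0 = usable).
check_keys_dir() {
    dir=$1
    problems=0
    # A ca.key that fails here is what OpenSSL reports as
    # "no start line ... Expecting: ANY PRIVATE KEY".
    if ! has_pem_block "$dir/ca.key" '([A-Z]+ )?PRIVATE KEY'; then
        echo "ca.key: missing, empty, or not a PEM private key"
        problems=$((problems + 1))
    fi
    if ! has_pem_block "$dir/ca.crt" 'CERTIFICATE'; then
        echo "ca.crt: missing, empty, or not a PEM certificate"
        problems=$((problems + 1))
    fi
    # An empty index.txt is what a wiped and recreated keys directory looks like:
    # the CA no longer has a record of the certificates it already issued.
    if [ ! -s "$dir/index.txt" ]; then
        echo "index.txt: missing or empty, CA database was reset or not restored"
        problems=$((problems + 1))
    fi
    if [ ! -s "$dir/serial" ]; then
        echo "serial: missing or empty, next certificate serial is unknown"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh check_keys.sh /etc/openvpn/easy-rsa/keys   (path is an example)
if [ "$#" -gt 0 ]; then
    check_keys_dir "$1"
fi
```

Passing this check shows only that the files are structurally in place; it does not prove that ca.key belongs to ca.crt.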