Adding Extra Client Certificates

Scripts to manage certificates or generate config files
Post Reply
Dr-D
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 06, 2021 10:06 pm

Adding Extra Client Certificates

Post by Dr-D » Tue Jun 15, 2021 6:28 pm

Can I add extra client certificates to existing ones without starting all over? Here are the steps I used to setup the server originally (Windows Server 2016).
1. Run init-config
2. Edit vars.bat with relevant info
3. Run vars.bat
4. Run clean-all.bat
5. Run build-dh.bat
6. Run build-ca.bat
7. Run build-key-server ServerVPN
8. Run build-key Client01VPN
9. Run openvpn --genkey --secret keys/ta.key

I originally created 15 client certificates Client01VPN to Client15VPN and now I need to add Client16VPN to Client30VPN. Can I just run step 8 and distribute the 15 new client keys to the new clients or do I need start at step 1 and create everything new for all 30 clients?

Thank you for taking the time to read and answer.

User avatar
TinCanTech
Forum Team
Posts: 9408
Joined: Fri Jun 03, 2016 1:17 pm

Re: Adding Extra Client Certificates

Post by TinCanTech » Tue Jun 15, 2021 6:34 pm

You don't want to start all over again because then you would have to create all your clients again.

What you really need is to install a new version of Openvpn, which comes with Easy-RSA v3.

Then upgrade your current PKI to be compatible with Easy-RSA v3 and never look back.

Dr-D
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 06, 2021 10:06 pm

Re: Adding Extra Client Certificates

Post by Dr-D » Wed Jun 16, 2021 2:45 am

What I want do do is have all the Windows clients use the same .ovpn file with the certificate built in and use a username and password to connect to the Windows server. I have a QNAP server setup with the QVPN OpenVPN app and that's how it works. I install OpenVPN on the client machine, copy the same .ovpn config file that the QNAP machine generated to all the client machines into the config directory and when I run the OpenVPN GUI on the client machines it asks for a username and password and connects (each user has their own username and password). There is only one .ovpn config file for all the clients. With the QNAP machine it only takes a few mouse clicks and it creates all the required server files in the background so I don't get to see what is actually happening.

I've installed the latest OpenVPN on a test machine and it seems that I still have to make separate keys for each client so obviously I don't know how to accomplish this on a Windows server. Here are the steps I use with OpenVPN 2.5.2:

1. Run ./easyrsa init-pki
2. Run ./easyrsa gen-dh
3. Run ./easyrsa build-ca
4. Run ./easyrsa build-server-full Server-01 nopass
5. Run ./easyrsa build-client-full Client-01 nopass (repeat this for each client)
6. Run ./easytls init-tls
7. Run ./easytls build-tls-auth
8. Run ./easytls build-tls-crypt
9. Run ./easytls build-tls-crypt-v2-server Server-01
10. Run ./easytls build-tls-crypt-v2-client Server-01 Client-01
11. Run ./easytls inline-tls-auth Server-01

When I run the last line I get this error:
Easy-TLS version: 2.1/0
ERROR: key-direction is required! Server=0, client=1.

I can't seem to find instructions that show me how to accomplish what I want to do.

Thanks again for your time.

User avatar
TinCanTech
Forum Team
Posts: 9408
Joined: Fri Jun 03, 2016 1:17 pm

Re: Adding Extra Client Certificates

Post by TinCanTech » Wed Jun 16, 2021 9:59 am

Run ./easytls inline - The inter-active menu.

Code: Select all

$ ./easytls help inline-tls-auth

  inline-tls-auth <filename_base> <key_direction> [ cmd-opts ]
      Create a complete OpenVPN node package from Easy-RSA and Easy-TLS files
      for VPN node <filename_base> using the Easy-TLS TLS auth file
      <key_direction> '0' or '1' (key-direction is mandatory)

      cmd-opts is an optional set of command options from this list:

        no-key  - do not require an x509 key (default: key is required)
        add-dh  - inline Diffie-Hellman parameters file (Server only)
                  Default file is easyrsa3/pki/dh.pem
                  To specify an alternative file use the --dh option
It's not rocket science .....

Dr-D
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 06, 2021 10:06 pm

Re: Adding Extra Client Certificates

Post by Dr-D » Wed Jun 16, 2021 8:31 pm

This is my first crack at RSA3 so it might as well be rocket science. There's a YouTube video that shows how to setup and configure OpenVPN on Windows, server and client, from start to finish including the server and client .ovpn files and it's an excellent video for anyone who is trying to setup OpenVPN for the first time which was the case for me. It's for RSA2 though and tutorials for RSA3 seem to be non existent, at least I can't seem to find any after many attempts searching for one. This is the video link that I used to setup OpenVPN originally a couple of years ago that uses RSA2.
https://www.youtube.com/watch?v=hKfHwQgAsUo&t=71s

I ran the interactive menu and created my .inline files but now what? I don't know where to go from here on the client or server side. It's like walking into an operating room and being handed a scalpel and told to repair a heart valve. Sure I can cut things open but the end result isn't going to be pretty or successful. I'm surprised I can't find an OpenVPN video showing how to do this with RSA3, there's tons of tutorials for OpenVPN using RSA2.

Thank you for your time and patience.

User avatar
TinCanTech
Forum Team
Posts: 9408
Joined: Fri Jun 03, 2016 1:17 pm

Re: Adding Extra Client Certificates

Post by TinCanTech » Wed Jun 16, 2021 10:51 pm

Maybe if you were to pay somebody then they could teach you what you want to learn ..

Or you can pray that some damn fool posts a video on the tube-s.ite where you can worship.

People, these days, think they are smart because they know how-to watch a video ..

You don't get smart by watching videos.

User avatar
TinCanTech
Forum Team
Posts: 9408
Joined: Fri Jun 03, 2016 1:17 pm

Re: Adding Extra Client Certificates

Post by TinCanTech » Wed Jun 16, 2021 11:03 pm

Dr-D wrote:
Wed Jun 16, 2021 8:31 pm
I ran the interactive menu and created my .inline files
That works then 8-)
Dr-D wrote:
Wed Jun 16, 2021 8:31 pm
but now what? I don't know where to go from here on the client or server side. It's like walking into an operating room and being handed a scalpel and told to repair a heart valve.
You should probably study how-to use a scalpel .. first.

Dr-D wrote:
Wed Jun 16, 2021 8:31 pm
Sure I can cut things open but the end result isn't going to be pretty or successful. I'm surprised I can't find an OpenVPN video showing how to do this with RSA3, there's tons of tutorials for OpenVPN using RSA2.
Try this:

Code: Select all

./easyrsa help
./easytls help
If you still need to be spoon-fed then I am available for Nanny-Duty also.

Post Reply