I am trying to have the following scenario : A server and a CA are created.
I want a new client to be able to connect to the server, and I have two options :
- I create the certificate/key and copy them through a (supposed) secured channel
- I make the client create its private key and a CSR, then ask the CA to sign it and return its crt.
I am trying to make the second option as I read on the HowTo :
I copy the ca.crt onto the client, then on the client :Shouldn't it be possible to set up the PKI without a pre-existing secure channel?
The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated.
Code: Select all
. vars
./build-key --csr client
scp keys/client.csr user@ca:/tmp
Code: Select all
./build-key --sign /tmp/client
Using configuration from /home/jm/openvpn_install/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName : *************
[...]
emailAddress : **************
Certificate is to be certified until Jul 18 12:39:41 2033 GMT (7300 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
chmod: cannot access `/tmp/client.key': No such file or directory
What did I miss ?
Thanks !