Migrating easy-rsa, from v2 to v3

mbitsa12
OpenVpn Newbie
Posts: 8
Joined: Tue Dec 01, 2015 2:15 pm

Migrating easy-rsa, from v2 to v3

Post by mbitsa12 » Wed Mar 30, 2016 3:37 pm

I'm currently managing a CA using easy-rsa v2.2.0 but I would like to migrate the actual 'keys' dir content to a new system running easy-rsa v3.
Can that be achieved? Thank you for any advice.

Traffic
OpenVPN Protagonist
Posts: 4081
Joined: Sat Aug 09, 2014 11:24 am

Re: Migrating easy-rsa, from v2 to v3

Post by Traffic » Wed Mar 30, 2016 5:25 pm

The CA/cert/key files are all compatible, but the "database" (text files) will probably cause many issues.

Whatever you do, make sure you have a backup!

Personally, I started a new PKI with Easyrsa-v3 ..

I presume you have read this:
topic19629.html

mbitsa12
OpenVpn Newbie
Posts: 8
Joined: Tue Dec 01, 2015 2:15 pm

Re: Migrating easy-rsa, from v2 to v3

Post by mbitsa12 » Thu Mar 31, 2016 8:49 am

The original need stems from a move from OpenBSD 5.8 to 5.9. In fact, OpenBSD 5.9 packages EasyRSA as v3.
I see the problems; however, recreating a whole set of certificates from scratch sounds unreasonable just because of a version upgrade, IMHO.

Traffic
OpenVPN Protagonist
Posts: 4081
Joined: Sat Aug 09, 2014 11:24 am

Re: Migrating easy-rsa, from v2 to v3

Post by Traffic » Thu Mar 31, 2016 10:45 am

Easyrsa 2x is still available here .. you do not have to upgrade.

Although there is no official upgrade path, a quick test proves that it is possible to transpose your v2 PKI to a v3 structure without pain .. which is a pleasant surprise !

jaileleu
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 30, 2019 1:29 pm

Re: Migrating easy-rsa, from v2 to v3

Post by jaileleu » Fri Aug 30, 2019 2:02 pm

Hello, I'm answering this old thread to give the method I followed to do the migration, as this is where I ended up when I looked for some info on how to migrate.
I just tried it on my server and everything seems to work fine (I replaced my former client certificate with a newly generated one without touching the server conf, and it worked).

So here are the steps:
  • be sure to have installed easyrsa 3 :)
  • create a new my_ca folder

# as root
$ cd /home/openvpn
$ mv my_ca my_ca_v2               # keep the v2 tree untouched; it is the backup
$ make-cadir my_ca_v3             # Debian/Ubuntu easy-rsa wrapper; elsewhere copy the easyrsa script and vars.example into the new dir by hand
  • instantiate the v3 files normally to see where the files should go

# as root
$ cd /home/openvpn/my_ca_v3
$ vi vars
# copy the values you need from my_ca_v2/vars, like your organisation description
$ ./easyrsa init-pki
$ ./easyrsa build-ca              # throwaway CA: its ca.crt/ca.key get replaced by the v2 ones in the next step
$ ./easyrsa gen-dh
$ ./easyrsa build-server-full dummy_server   # only here to populate the layout; remove its crt/key/req afterwards
$ find .                          # shows the v3 layout: pki/ca.crt, pki/issued, pki/private, pki/reqs, pki/certs_by_serial
  • copy all generated files from my_ca_v2

# as root
$ cd /home/openvpn/my_ca_v3/pki
$ old=/home/openvpn/my_ca_v2/keys
$ cp $old/*.crt ./issued/         # also drops a copy of ca.crt into issued/; harmless, the CA cert v3 uses is pki/ca.crt
$ cp $old/*.key ./private/        # ca.key lands in private/ca.key, where v3 expects it (ta.key comes along too, if you have one)
$ cp $old/ca.crt ./ca.crt
$ for f in $old/*.csr; do cp "$f" ./reqs/$(basename "$f" .csr).req; done   # v3 stores requests as reqs/<name>.req, v2 wrote <name>.csr
$ cp $old/??.pem ./certs_by_serial/
# all my pem files were following a 01 02 03 series
# (serials from 0x100 upwards have four hex digits and need a wider glob than ??.pem)
$ cp $old/dh2048.pem ./dh.pem
$ cp $old/index.txt ./index.txt
$ cp $old/serial ./serial         # next serial to issue; without it v3 can reuse a serial already listed in index.txt, which openssl ca refuses
  • generate new client certificate

# as root
$ cd /home/openvpn/my_ca_v3
$ ./easyrsa build-client-full jai_2 nopass   # nopass: the client key is written unencrypted
$ cd pki
$ mkdir -p -m 700 /tmp/jai_2/                # the staging dir holds a private key; keep it out of other users' reach
$ cp ./issued/jai_2.crt ./private/jai_2.key ./reqs/jai_2.req /tmp/jai_2/   # the .req is not needed by the client
# then normal scp and configuration of my client
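The copy-and-rename steps above as one script, followed by the checks a CA operator would want before issuing anything with the moved CA: that every valid index.txt entry still has its per-serial file, that no serial is listed twice, that the serial counter is past everything already issued, and (with openssl) that each issued certificate chains to ca.crt and matches its private key. This is an added example, not jaileleu's commands and not part of easy-rsa; the function names, the script name and the sample tree in the comments are assumptions. It assumes the default easy-rsa 2.x keys/ layout and a v3 pki/ directory that has already been created with init-pki and build-ca as in the steps above.

```shell
#!/bin/sh
# Added example (not easy-rsa's own tooling): copy an easy-rsa v2 keys/ tree
# into the pki/ layout of easy-rsa v3, then check that the CA "database"
# (index.txt + serial) that v3 will keep appending to is consistent.
#
# Assumed v2 layout (default KEY_DIR=keys):  ca.crt ca.key index.txt serial
#   dh*.pem <name>.crt <name>.key <name>.csr <serial>.pem [ta.key]
# Assumed v3 layout (after init-pki/build-ca): pki/ca.crt pki/private/ca.key
#   pki/issued/<name>.crt pki/private/<name>.key pki/reqs/<name>.req
#   pki/certs_by_serial/<serial>.pem pki/index.txt pki/serial pki/dh.pem

migrate_v2_to_v3() {
    old=$1          # v2 keys directory
    pki=$2          # v3 pki directory
    for d in issued private reqs certs_by_serial; do
        mkdir -p "$pki/$d" || return 1
    done
    cp "$old/ca.crt" "$pki/ca.crt" || return 1
    cp "$old/ca.key" "$pki/private/ca.key" || return 1
    for f in "$old"/*.crt; do
        name=$(basename "$f" .crt)
        [ "$name" = ca ] && continue          # the CA cert is pki/ca.crt, not an issued cert
        cp "$f" "$pki/issued/$name.crt" || return 1
    done
    for f in "$old"/*.key; do                 # ta.key, if present, comes along too
        name=$(basename "$f" .key)
        [ "$name" = ca ] && continue
        cp "$f" "$pki/private/$name.key" || return 1
    done
    for f in "$old"/*.csr; do                 # v3 looks for reqs/<name>.req
        [ -e "$f" ] || continue
        cp "$f" "$pki/reqs/$(basename "$f" .csr).req" || return 1
    done
    for f in "$old"/[0-9A-F]*.pem; do         # per-serial copies written by openssl ca (01.pem, 02.pem, ...)
        [ -e "$f" ] || continue
        cp "$f" "$pki/certs_by_serial/$(basename "$f")" || return 1
    done
    for f in "$old"/dh*.pem; do               # v2 names this dh<bits>.pem, v3 just dh.pem
        [ -e "$f" ] && cp "$f" "$pki/dh.pem"
    done
    # The database: index.txt lists every issued cert, serial holds the next
    # serial to use. Moving index.txt without serial lets v3 hand out a serial
    # that already exists in the index, which openssl ca rejects at signing time.
    cp "$old/index.txt" "$pki/index.txt" || return 1
    cp "$old/serial" "$pki/serial" || return 1
}

# Returns 0 when index.txt, certs_by_serial/ and the serial counter agree;
# prints each problem to stderr and returns 1 otherwise.
check_pki() {
    pki=$1
    rc=0
    idx=$pki/index.txt
    # index.txt is tab-separated: status, expiry, revocation time, serial, file, subject.
    # awk rather than `read`: an empty revocation field would be swallowed by IFS.
    for s in $(awk -F'\t' '$1 == "V" { print $4 }' "$idx"); do
        [ -f "$pki/certs_by_serial/$s.pem" ] || { echo "index has $s but certs_by_serial/$s.pem is missing" >&2; rc=1; }
    done
    dups=$(awk -F'\t' '{ print $4 }' "$idx" | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate serials in index.txt: $dups" >&2; rc=1; }
    if [ ! -f "$pki/serial" ]; then
        echo "no serial file: the next issued serial may collide with index.txt" >&2
        return 1
    fi
    next=$(cat "$pki/serial")
    for s in $(awk -F'\t' '{ print $4 }' "$idx"); do
        # serials are hex; numeric comparison is fine for sequential v2 serials
        if [ $((0x$s)) -ge $((0x$next)) ]; then
            echo "serial file ($next) is not beyond index entry $s" >&2
            rc=1
        fi
    done
    return $rc
}

# Cryptographic check of the moved material (needs openssl): every issued cert
# must chain to ca.crt, and each local private key must match its certificate.
verify_issued() {
    pki=$1
    for c in "$pki"/issued/*.crt; do
        [ -e "$c" ] || continue
        openssl verify -CAfile "$pki/ca.crt" "$c" >/dev/null || return 1
        k=$pki/private/$(basename "$c" .crt).key
        [ -f "$k" ] || continue               # certs signed from external requests have no local key
        [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$(openssl pkey -in "$k" -pubout)" ] || return 1
    done
}

# Usage (hypothetical script name): sh migrate_v2_pki.sh /home/openvpn/my_ca_v2/keys /home/openvpn/my_ca_v3/pki
if [ "$#" -eq 2 ]; then
    migrate_v2_to_v3 "$1" "$2" && check_pki "$2" && verify_issued "$2"
fi
```

Run it against the v2 keys/ directory and the freshly initialised pki/ directory; a non-zero exit with a message on stderr means the database needs attention before the next build-client-full. The openssl key-match step prompts for the passphrase of any encrypted client key, so run it interactively.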
