Client Certificate generation
Moderators: TinCanTech
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Client Certificate generation
Hi everyone.
I'm learning, so please be kind... hard to teach old dogs new tricks.
I set up OpenVPN on my Tomato router so that I can reach my house to support the family while traveling. I have one client certificate, and it works fine. FYI I followed this guide: https://learntomato.flashrouters.com/se ... rtificate/
Now I need to get a second client connected, and reading through the instructions I don't see a clearly delineated "create another client" process. Just hoping that someone here might be kind enough to help me learn the exact steps I have to take to get a new laptop to connect using a separate cert, so they can both be used at the same time.
Very many thanks in advance! Here's to learning something new every day!
John
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
So with OpenVPN installed on my first PC - from the instructions on the site in my original post - I did this step, and installed it on the router:
TinCanTech wrote: ↑Thu May 27, 2021 8:45 pm
Type: build-key client-bob
You may like to try https://github.com/OpenVPN/easy-rsa
"The ‘build-ca’ command will output two very important files; a CA certificate and key"
So with that installed on the router, and the CA key on my OpenVPN installation, can I just follow the "create client" steps and have a key that will work? That's what I'm not certain of. All my 'certificate' knowledge to date has been around the creation of stuff for webservers so I can purchase certificates...
Thanks!
John
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
Any help guys? Thanks much in advance...
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Client Certificate generation
If you need help understanding tomato then ask tomato.
If you need help with easy-rsa then I already gave you the link.
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
Hi TinCanTech!
I think I have the Tomato bits down; I have one client connecting to the router now.
My question is around creating additional certificates that the server will allow to connect.
Thanks!
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
So my question is: do I need to install something on the server for each client? Or is the CA cert that I installed, and have on my primary PC, used when I run the client create to create a certificate that will automatically be recognized?
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
Hi Guys -
I'm back...
I updated to easy-rsa3.
Is there a step-by-step document to migrate my existing CA and all that (existing easy-rsa 2 PKI) into the new PKI so I don't have to generate a new server cert and DH? I would have thought this would be in the upgrade notes, but no luck for me there.
John
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Client Certificate generation
Did you read the help ... ?
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
Thanks I did - but I did not see "how to upgrade your old PKI"
Which is odd as hell.
You'd think that's on the first page.
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Client Certificate generation
Which version of Easy-RSA do you have ? 3.0.?
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
Started with 2.0 - which has just a folder for certs, no "PKI directory structure"
Now I have 3.0, and I understand the steps to go from zero to 60 there... but I don't want to recreate the CA or the server certificates / DH params if I don't have to.
Thanks!!
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Client Certificate generation
Please read the question again ..
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
Easy-RSA 3 ChangeLog
3.0.8 (2020-09-09)
* Provide --version option (#372)
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning (#373)
* Fixed issue with ED/EC certificates were still signed by RSA (#374)
* Added support for export-p8 (#339)
* Clarified error message (#384)
* 2->3 upgrade now errors and prints message when vars isn't found (#377)
The above is from the changelog - so 3.0.8 is the current version of Easy-RSA.
Previously it was 2.x which had no "PKI" directory structure.
Trying to figure out how to upgrade without creating new certs for server/dh params, etc.
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: Client Certificate generation
If you can copy the CA crt and CA key from the Tomato router to your PC, I can help you create a new client from the old CA so you can use the old CA and everything. We will use a Windows app to create it, so no need to use easy-rsa at all. We need the old CA key to sign the new client certificate. That is all we need to make it work. Using Windows will create it faster and is quick to learn. Forget about easy-rsa.
One thing for sure: why do commercial apps make it very fast to add a new client, but the free ones make it hard to use? That is why you can see any true help at all from your questions, or only make you drive more trouble.
Last edited by 300000 on Wed Aug 11, 2021 7:50 pm, edited 1 time in total.
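The step 300000 describes above, signing a new client certificate with the original CA key, as an added example that is not part of the thread: it uses plain openssl instead of Easy-RSA or a Windows tool, so the names (client-bob, client-alice, stranger, the temporary working directory) are constructed here and not taken from anyone's setup. It shows that the server needs nothing per client, only the ca.crt it already has, and that the two clients need distinct Common Names. It also shows why the CA must not be regenerated during the Easy-RSA 2 to 3 move: a certificate signed by a different CA fails the same chain check the server performs.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates issuing a second client
# certificate from an existing CA with openssl and verifying it the way an
# OpenVPN server does (chain to ca.crt). All file and client names are assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The "existing" CA. Easy-RSA 2 kept these as keys/ca.crt and keys/ca.key;
# Easy-RSA 3 keeps them as pki/ca.crt and pki/private/ca.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Home Router CA" >/dev/null 2>&1
}

# Issue one client certificate: key and CSR for the client, signed by the CA.
# Only ca.key is needed for signing; nothing is installed on the server.
issue_client() {
  name=$1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$name" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/$name.crt" >/dev/null 2>&1
}

# What the server does at connect time: chain the presented cert to ca.crt.
# Returns 0 if the certificate is accepted, non-zero otherwise.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Common Name of an issued certificate. Two clients that should be connected
# at the same time need different CNs (without duplicate-cn on the server a
# second session with the same CN replaces the first).
cn_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

# A certificate signed by some other CA (for instance a freshly regenerated one)
# fails the chain check, which is why the original ca.key must be preserved.
issue_from_other_ca() {
  name=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" \
    -subj "/CN=Some Other CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$name" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/other-ca.crt" -CAkey "$WORK/other-ca.key" -CAcreateserial \
    -days 365 -out "$WORK/$name.crt" >/dev/null 2>&1
}

main() {
  make_ca
  issue_client client-bob     # the client that already works
  issue_client client-alice   # the new laptop, signed by the same CA
  for c in client-bob client-alice; do
    if verify_client "$c"; then
      echo "$c (CN=$(cn_of "$c")) chains to ca.crt: the server accepts it"
    fi
  done
  issue_from_other_ca stranger
  if verify_client stranger; then
    echo "unexpected: stranger was accepted"
  else
    echo "stranger (signed by another CA) is rejected"
  fi
}
main
```

With Easy-RSA 3 the equivalent of `issue_client` is `./easyrsa build-client-full client-alice nopass` run on the machine that holds the CA; the new client gets ca.crt, client-alice.crt and client-alice.key, and the router's configuration does not change.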
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Client Certificate generation
So: 3.0.8
Code:
tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa
Easy-RSA 3 usage and overview
USAGE: easyrsa [options] COMMAND [command-options]
A list of commands is shown below. To get detailed usage and help for a
command, run:
./easyrsa help COMMAND
For a listing of options that can be supplied before the command, use:
./easyrsa help options
Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.
init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req <filename_base> [ cmd-opts ]
sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]
revoke <filename_base> [cmd-opts]
renew <filename_base> [cmd-opts]
build-serverClient-full <filename_base> [ cmd-opts ]
gen-crl
update-db
show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]
show-ca [ cmd-opts ]
import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p8 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ]
set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]
upgrade <type>
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: /home/tct/easy-rsa/EasyRSA-3.0.8
PKI: /home/tct/easy-rsa/EasyRSA-3.0.8/pki
Code:
tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa help upgrade
upgrade <type>
Upgrade EasyRSA PKI and/or CA. <type> must be one of:
pki - Upgrade EasyRSA v2.x PKI to EasyRSA v3.x PKI (includes CA below)
ca - Upgrade EasyRSA v3.0.5 CA or older to EasyRSA v3.0.6 CA or later.
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Client Certificate generation
In your current directory, where the Easy-RSA 2 scripts live and the 'keys' subdirectory, unzip the easyrsa3 install file here.
Or, copy your easyrsa-2 PKI into your easyrsa-3 folder.
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
I kept a copy of the CA cert and key on this machine.
300000 wrote: ↑Wed Aug 11, 2021 7:00 pm
If you can copy the CA crt and CA key from the Tomato router to your PC, I can help you create a new client from the old CA so you can use the old CA and everything. We will use a Windows app to create it, so no need to use easy-rsa at all. We need the old CA key to sign the new client certificate. That is all we need to make it work. Using Windows will create it faster and is quick to learn. Forget about easy-rsa.
One thing for sure: why do commercial apps make it very fast to add a new client, but the free ones make it hard to use? That is why you can see any true help at all from your questions, or only make you drive more trouble.
Thank you for your assistance!
John
- OpenVpn Newbie
- Posts: 19
- Joined: Thu May 27, 2021 8:15 pm
Re: Client Certificate generation
When I upgraded OpenVPN it did just that - put EasyRSA3 into the default easyRSA folder.
TinCanTech wrote: ↑Wed Aug 11, 2021 7:31 pm
In your current directory, where the Easy-RSA 2 scripts live and the 'keys' subdirectory, unzip the easyrsa3 install file here.
Or, copy your easyrsa-2 PKI into your easyrsa-3 folder.
Removed all the scripts for easyrsa2, but did not disturb the keys directory.
Thanks