Client Certificate generation

Scripts to manage certificates or generate config files

Moderators: TinCanTech

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Fri Aug 13, 2021 2:41 pm

TinCanTech wrote:
Wed Aug 11, 2021 7:21 pm
Bigjohn wrote:
Wed Aug 11, 2021 6:51 pm
Easy-RSA 3 ChangeLog

3.0.8 (2020-09-09)
So: 3.0.8

Code:

tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa 

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

  init-pki
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <filename_base> [ cmd-opts ]
  sign-req <type> <filename_base>
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  revoke <filename_base> [cmd-opts]
  renew <filename_base> [cmd-opts]
  build-serverClient-full <filename_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  import-req <request_file_path> <short_basename>
  export-p7 <filename_base> [ cmd-opts ]
  export-p8 <filename_base> [ cmd-opts ]
  export-p12 <filename_base> [ cmd-opts ]
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]
  upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: /home/tct/easy-rsa/EasyRSA-3.0.8
      PKI: /home/tct/easy-rsa/EasyRSA-3.0.8/pki
:roll: upgrade <type>

Code:

tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa help upgrade

  upgrade <type>
      Upgrade EasyRSA PKI and/or CA. <type> must be one of:
        pki - Upgrade EasyRSA v2.x PKI to EasyRSA v3.x PKI (includes CA below)
        ca  - Upgrade EasyRSA v3.0.5 CA or older to EasyRSA v3.0.6 CA or later.
It takes a backup and runs a simulation before making any changes. And if anything goes wrong then it does a roll-back.

This is what happens on my computer.

Code:

EasyRSA Shell
# ./easyrsa upgrade ca
./easyrsa: C:/Program Files/OpenVPN/easy-rsa/pki/vars[1]: @echo: not found
./easyrsa: C:/Program Files/OpenVPN/easy-rsa/pki/vars[2]: rem: not found
./easyrsa: C:/Program Files/OpenVPN/easy-rsa/pki/vars[3]: rem: not found
./easyrsa: C:/Program Files/OpenVPN/easy-rsa/pki/vars[4]: rem: not found
./easyrsa: C:/Program Files/OpenVPN/easy-rsa/pki/vars[6]: rem: not found
./easyrsa: C:/Program Files/OpenVPN/easy-rsa/pki/vars[7]: syntax error: '(' unexpected

Note: using Easy-RSA configuration from: C:/Program Files/OpenVPN/easy-rsa/pki/vars

Easy-RSA error:

echo
./easyrsa[2577]: vars file not found: bad number

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Fri Aug 13, 2021 3:15 pm

There is a bug.

Open easyrsa in a text editor (notepad++) and go to line 2232, look for:

Code:

	if [ $EASYRSA_FOUND_VARS -ne 1 ];
	then
		die echo "vars file not found"
	fi
Remove the 'echo' between 'die' and '"vars'
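
Added example, not part of TinCanTech's post or of the easyrsa source: why the extra 'echo' produces the "echo" / "bad number" output in the log above. The die() here is a simplified stand-in that assumes the real function takes the message as its first argument and an optional exit code as its second; run_die is a hypothetical helper.

```shell
#!/bin/sh
# Simplified stand-in for easyrsa's die() (assumption): $1 is the message,
# $2 an optional exit code that defaults to 1.
die() {
    printf '\nEasy-RSA error:\n\n%s\n' "$1" 1>&2
    exit "${2:-1}"
}

# Hypothetical helper: run a command in a subshell and print
# "<exit status>|<message line printed by die>".
run_die() {
    out=$( ( "$@" ) 2>&1 ) && st=0 || st=$?
    msg=$(printf '%s\n' "$out" | sed -n '4p')
    printf '%s|%s\n' "$st" "$msg"
}

# Buggy call: "echo" becomes the message and the real message is passed to
# exit as a status, which the shell rejects as not being a number.
echo "buggy: $(run_die die echo 'vars file not found')"
# Corrected call: the message is reported and the exit status is 1.
echo "fixed: $(run_die die 'vars file not found')"
```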

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Mon Aug 16, 2021 3:28 pm

For the version 2 easy RSA the vars file was 'vars.bat' - do I keep that naming convention? or rename just 'vars'?

Thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Mon Aug 16, 2021 3:44 pm

The upgrade process should move vars.bat out of the way. Only vars is used by EasyRSA 3

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Tue Aug 17, 2021 2:23 pm

TinCanTech wrote:
Mon Aug 16, 2021 3:44 pm
The upgrade process should move vars.bat out of the way. Only vars is used by EasyRSA 3
but I need MY vars for the old/CA / cert, right?
Sorry for all the questions but I'm close to having this resolved I think!
John

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Tue Aug 17, 2021 2:30 pm

The upgrade process builds a vars file for EasyRSA-3 from your old vars.bat file for EasyRSA-2

EasyRSA-3 does not ever use vars.bat for anything other than the above.

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Thu Aug 19, 2021 8:17 pm

TinCanTech wrote:
Fri Aug 13, 2021 3:15 pm
There is a bug.

Open easyrsa in a text editor (notepad++) and go to line 2232, look for:

Code:

	if [ $EASYRSA_FOUND_VARS -ne 1 ];
	then
		die echo "vars file not found"
	fi
Remove the 'echo' between 'die' and '"vars'
I don't see a way to do this?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Thu Aug 19, 2021 9:01 pm

In your own words: hard to teach old dogs new tricks

Motivate me Financially ..

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Tue Aug 31, 2021 8:07 pm

TinCanTech wrote:
Thu Aug 19, 2021 9:01 pm
In your own words: hard to teach old dogs new tricks

Motivate me Financially ..
PM me your venmo? :)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Tue Aug 31, 2021 10:29 pm

If you wish to contact me then there are obvious ways to do so here:
https://github.com/TinCanTech/easy-tls

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client Certificate generation

Post by 300000 » Wed Sep 01, 2021 11:52 am

As I promised you, I will help with how to create a certificate, as you have a hard time making it work. You need to follow the pictures or it will not work, and here is the tutorial to help you.

Create a folder to hold all the files so it is quicker to find what you want. Copy the two important CA certificate and key files, with crt and key extensions.

First we need to download free software from the internet. Just type XCA on Google to go to their website and install it on your computer. You can run this software on Linux, Windows, Mac, so it is the same.

After installing the software, create a new profile and save it in the folder you created. We need to import the two CA files into it: open the profile and click the private tab, then import the CA key
Image

Move to certificate and import the public key of the CA certificate as
Image

Next we are going to create a Certificate signing request
Image
Then click new request and choose source and enter as in the picture

Image

Move to Subject then fill out
Image

Click Generate key then leave it as

Image

Move to Extensions and fill out all info

Image

Move to key usage as in the picture then click OK
Image

Image

The first part is finished: the Certificate signing request. Now we need to sign it with the CA certificate.

Choose the Certificate signing request and then choose sign

Image

Fill out all info; "Use this certificate for signing" is your certificate name

Image

Move to extensions and enter all info, and you need to click apply

Image

Move to key usage and choose as before, then click OK. After that you have a new client certificate to use
Image

Image

Click certificate and export your new certificate to use

Image

Then choose private to export your client private key as well, so you have the new client's two files to use

Make sure you export the CA public certificate too, so you will have three keys to create the new OpenVPN client

Image

You need to follow the pictures, and if you get an error just post here; I can help you free of charge, and this will work 100%.
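
Added example, not part of 300000's post: the same sequence (create a signing request, sign it with the CA, end up with client certificate, client key and CA certificate) done with the OpenSSL command line instead of XCA. File names, subject names, validity periods and extension values are assumptions, since the post's pictures are not available here, and a throwaway demo CA stands in for the existing CA key and certificate.

```shell
#!/bin/sh
# Added example: OpenSSL CLI instead of XCA. Names and extension values are assumptions.
set -eu

# Stand-in for the existing CA the post imports (ca.key / ca.crt); demo only.
make_demo_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

issue_client_cert() {
    dir=$1; name=$2
    # Step 1: private key plus certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    chmod 600 "$dir/$name.key"
    # Step 2: extensions for a TLS client certificate (assumed values).
    cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Step 3: sign the request with the CA key.
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# Succeeds only if the certificate chains to the CA as a TLS client
# certificate and its public key matches the exported private key.
check_client_cert() {
    dir=$1; name=$2
    openssl verify -purpose sslclient -CAfile "$dir/ca.crt" \
        "$dir/$name.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/$name.key" -pubout)" ]
}

work=$(mktemp -d)
make_demo_ca "$work"
issue_client_cert "$work" client1
check_client_cert "$work" client1 && echo "client1: OK (ca.crt, client1.crt, client1.key in $work)"
```

With a real CA, skip make_demo_ca and place the existing ca.crt and ca.key in the working directory; the CA key should stay off the VPN server and clients.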

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Sep 01, 2021 1:36 pm

@300000 -
Thanks for that - but did you mean to post pictures? They did not make it.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client Certificate generation

Post by 300000 » Wed Sep 01, 2021 1:41 pm

Yes, I did post with pictures, can you see the pictures or not?

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Sep 08, 2021 3:08 pm

300000 wrote:
Wed Sep 01, 2021 1:41 pm
Yes, I did post with pictures, can you see the pictures or not?
No - I simply see the word IMAGE where I imagine you had a picture.

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Sep 08, 2021 3:10 pm

@300000 - if you can DM me, please do?

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client Certificate generation

Post by 300000 » Wed Sep 08, 2021 4:19 pm

Somehow they removed the pictures, but when I check on my phone the pictures are there. You know this is how this forum works, but I will help you now: I am going to post all the pictures on Google Drive; you can download all the pictures, starting with number 1 and so on. Just follow the pictures, then check back here, and if something is wrong I can help you. If you can't do it I can make a screen video to help you out. This is a very simple task and only takes 10 minutes to do.


https://drive.google.com/drive/folders/ ... sp=sharing

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Wed Sep 08, 2021 5:22 pm

I can also see the pictures on the forum .. I have no idea why they work only sometimes.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Client Certificate generation

Post by Pippin » Wed Sep 08, 2021 6:40 pm

Could be browser/DNS filter.
They are working here too.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Fri Sep 10, 2021 1:56 am

It's probably my \TinCan hat :mrgreen:
