Client Certificate generation

Scripts to manage certificates or generate config files

Moderators: TinCanTech

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Client Certificate generation

Post by Bigjohn » Thu May 27, 2021 8:26 pm

Hi everyone.
I'm learning, so please be kind... hard to teach old dogs new tricks.
I set up OpenVPN on my Tomato router so that I can reach my house to support the family while traveling. I have one client certificate, and it works fine. FYI, I followed this guide: https://learntomato.flashrouters.com/se ... rtificate/

Now I need to get a second client connected, and reading through the instructions I don't see a clearly delineated "create another client" process. Just hoping that someone here might be kind enough to help me learn the exact steps I have to take to get a new laptop to connect using a separate cert. so they can both be used at the same time.

Very many thanks in advance! Here's to learning something new every day!
John

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Thu May 27, 2021 8:45 pm

Type: build-key client-bob

You may like to try https://github.com/OpenVPN/easy-rsa

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Fri May 28, 2021 1:44 pm

TinCanTech wrote:
Thu May 27, 2021 8:45 pm
Type: build-key client-bob

You may like to try https://github.com/OpenVPN/easy-rsa
So with OpenVPN installed on my first PC (from the instructions on the site in my original post) I did this step, and installed it on the router:
"The ‘build-ca’ command will output two very important files; a CA certificate and key"

So with that installed on the router, and the CA key on my OpenVPN installation, can I just follow the "create client" steps and have a key that will work? That's what I'm not certain of. All my 'certificate' knowledge to date has been around the creation of stuff for web servers so I can purchase certificates....

Thanks!
John

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Jun 02, 2021 7:16 pm

Any help guys? Thanks much in advance...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Wed Jun 02, 2021 7:37 pm

If you need help understanding tomato then ask tomato.

If you need help with easy-rsa then I already gave you the link.

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Thu Jun 10, 2021 7:09 pm

Hi TinCanTech!
I think I have the Tomato bits down; I have one client connecting to the router now.
My question is around creating additional certificates that the server will allow to connect.

Thanks!

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Jun 16, 2021 12:33 pm

So my question is: do I need to install something on the server for each client? Or is the CA cert that I installed, and have on my primary PC, used when I run the client create to create a certificate that will automatically be recognized?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Thu Jun 17, 2021 11:18 am


Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Tue Aug 10, 2021 4:11 pm

Hi Guys -
I'm back...
I updated to easy-rsa3.

Is there a step-by-step document to migrate my existing CA and all that (existing easy-rsa 2 PKI) into the new PKI so I don't have to generate a new server cert and DH? I would have thought this would be in the upgrade notes, but no luck for me there :)

John

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Tue Aug 10, 2021 4:23 pm

Did you read the help ... ?

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Aug 11, 2021 4:40 pm

TinCanTech wrote:
Tue Aug 10, 2021 4:23 pm
Did you read the help ... ?
Thanks I did - but I did not see "how to upgrade your old PKI"

Which is odd as hell.

You'd think that's on the first page.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Wed Aug 11, 2021 4:48 pm

Which version of Easy-RSA do you have? 3.0.?

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Aug 11, 2021 5:04 pm

Started with 2.0 - which has just a folder for certs, no "PKI directory structure"
Now I have 3.0, and I understand the steps to go from zero to 60 there... but I don't want to recreate the CA or the server certificates / DH params if I don't have to.
Thanks!!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Wed Aug 11, 2021 5:25 pm

Please read the question again ..
TinCanTech wrote:
Wed Aug 11, 2021 4:48 pm
3.0.?

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Aug 11, 2021 6:51 pm

Easy-RSA 3 ChangeLog

3.0.8 (2020-09-09)
* Provide --version option (#372)
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning (#373)
* Fixed issue with ED/EC certificates were still signed by RSA (#374)
* Added support for export-p8 (#339)
* Clarified error message (#384)
* 2->3 upgrade now errors and prints message when vars isn't found (#377)

The above is from the changelog, so 3.0.8 is the current version of Easy-RSA.
Previously it was 2.x which had no "PKI" directory structure.

Trying to figure out how to upgrade without creating new certs for server/dh params, etc.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client Certificate generation

Post by 300000 » Wed Aug 11, 2021 7:00 pm

If you can copy the CA crt and CA key from the Tomato router to your PC, I can help you create a new client from the old CA, so you can use the old CA and everything. We will use a Windows app to create it, so there is no need to use easy-rsa at all. We need the old CA key to sign the new client certificate. That is all we need to make it work. Using Windows will create it faster and is quick to learn. Forget about easy-rsa.


One thing is for sure: why does a commercial app make it very fast to add a new client, while the free one makes it hard to use? That is why you cannot see any true help at all for your questions, or they only drive you into more trouble.
Last edited by 300000 on Wed Aug 11, 2021 7:50 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Wed Aug 11, 2021 7:21 pm

Bigjohn wrote:
Wed Aug 11, 2021 6:51 pm
Easy-RSA 3 ChangeLog

3.0.8 (2020-09-09)
So: 3.0.8

Code:

tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa 

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

  init-pki
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <filename_base> [ cmd-opts ]
  sign-req <type> <filename_base>
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  revoke <filename_base> [cmd-opts]
  renew <filename_base> [cmd-opts]
  build-serverClient-full <filename_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  import-req <request_file_path> <short_basename>
  export-p7 <filename_base> [ cmd-opts ]
  export-p8 <filename_base> [ cmd-opts ]
  export-p12 <filename_base> [ cmd-opts ]
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]
  upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: /home/tct/easy-rsa/EasyRSA-3.0.8
      PKI: /home/tct/easy-rsa/EasyRSA-3.0.8/pki
:roll: upgrade <type>

Code:

tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa help upgrade

  upgrade <type>
      Upgrade EasyRSA PKI and/or CA. <type> must be one of:
        pki - Upgrade EasyRSA v2.x PKI to EasyRSA v3.x PKI (includes CA below)
        ca  - Upgrade EasyRSA v3.0.5 CA or older to EasyRSA v3.0.6 CA or later.
It takes a backup and runs a simulation before making any changes. And if anything goes wrong then it does a roll-back.
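Two things in this thread are easier to see than to read about: 300000's point that the old CA key is all that is needed to sign a new client (so nothing per-client is installed on the server, which answers John's earlier question), and the pre-check worth running on a kept CA before handing it to `upgrade pki`. The script below is an added example for this page, not easy-rsa's code or any poster's; it uses the plain openssl CLI that easy-rsa wraps. The throwaway CA, the client names and the single easy-rsa-2-style `keys` directory are all constructed here as assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not easy-rsa's own code): a plain
# openssl reproduction of "sign a new client with the existing CA key" plus
# the ca.crt/ca.key consistency check to run before migrating a v2 PKI.
# The directory layout, CA name and client names below are constructed.
set -e

WORK="$(mktemp -d)"
KEYS="$WORK/keys"     # assumption: easy-rsa 2 kept everything in one 'keys' dir
OTHER="$WORK/other"   # an unrelated CA, used only to show what is NOT accepted

# Stand-in for what easy-rsa 2 'build-ca' produced on the first PC.
# $1 = directory, $2 = CA common name
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a client certificate with an existing CA cert and key. This is what
# 'build-key <name>' (v2) or 'build-client-full <name>' (v3) does underneath.
# $1 = directory holding ca.crt and ca.key, $2 = client name
issue_client() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$1/$2.csr" -days 365 -sha256 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" >/dev/null 2>&1
}

# The trust decision the server makes at the TLS layer: does the presented
# certificate chain to the CA in its 'ca' file? Nothing per-client lives on
# the server; ca.crt alone decides.  $1 = CA file, $2 = client certificate
server_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pre-migration check: the ca.crt and ca.key you kept must be a matching
# pair, or the new PKI will sign certificates the router never accepts.
# $1 = ca.crt, $2 = ca.key
ca_pair_matches() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

# Demo: the original client and a second laptop from the same CA, and a
# certificate from an unrelated CA (someone else's build-ca) for contrast.
make_ca "$KEYS" "home-ca"
issue_client "$KEYS" client-first
issue_client "$KEYS" client-laptop

make_ca "$OTHER" "other-ca"
issue_client "$OTHER" stranger

for c in client-first client-laptop; do
    if server_accepts "$KEYS/ca.crt" "$KEYS/$c.crt"; then
        echo "$c: accepted (chains to home-ca)"
    else
        echo "$c: rejected"
    fi
done
if server_accepts "$KEYS/ca.crt" "$OTHER/stranger.crt"; then
    echo "stranger: accepted"
else
    echo "stranger: rejected (signed by a different CA)"
fi
if ca_pair_matches "$KEYS/ca.crt" "$KEYS/ca.key"; then
    echo "kept ca.crt and ca.key belong together; safe to migrate"
fi
```

Run it as `sh demo.sh`; it only needs openssl and writes into a fresh temporary directory. The same `server_accepts` check, pointed at the router's `ca.crt` and a freshly built client certificate, is a quick way to confirm a new client will be trusted before copying anything to the laptop.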

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Certificate generation

Post by TinCanTech » Wed Aug 11, 2021 7:31 pm

In your current directory, where the Easy-RSA 2 scripts live and the 'keys' subdirectory, unzip the easyrsa3 install file here.

Or, copy your easyrsa-2 PKI into your easyrsa-3 folder.

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Wed Aug 11, 2021 11:42 pm

300000 wrote:
Wed Aug 11, 2021 7:00 pm
If you can copy the CA crt and CA key from the Tomato router to your PC, I can help you create a new client from the old CA, so you can use the old CA and everything. We will use a Windows app to create it, so there is no need to use easy-rsa at all. We need the old CA key to sign the new client certificate. That is all we need to make it work. Using Windows will create it faster and is quick to learn. Forget about easy-rsa.


One thing is for sure: why does a commercial app make it very fast to add a new client, while the free one makes it hard to use? That is why you cannot see any true help at all for your questions, or they only drive you into more trouble.
I kept a copy of the CA cert and Key on this machine.
Thank you for your assistance!

John

Bigjohn
OpenVpn Newbie
Posts: 19
Joined: Thu May 27, 2021 8:15 pm

Re: Client Certificate generation

Post by Bigjohn » Thu Aug 12, 2021 2:46 pm

TinCanTech wrote:
Wed Aug 11, 2021 7:31 pm
In your current directory, where the Easy-RSA 2 scripts live and the 'keys' subdirectory, unzip the easyrsa3 install file here.

Or, copy your easyrsa-2 PKI into your easyrsa-3 folder.
When I upgraded OpenVPN it did just that: put Easy-RSA 3 into the default Easy-RSA folder.
It removed all the scripts for easy-rsa 2, but did not disturb the keys directory.

Thanks
