[EasyRSA 3] help generating certificates & keys clients

Support forum for Easy-RSA certificate management suite.
Post Reply
xlepws
OpenVPN User
Posts: 12
Joined: Sun Oct 25, 2015 2:53 pm

[EasyRSA 3] help generating certificates & keys clients

Post by xlepws » Sun Jan 24, 2016 3:40 pm

Hello, I'm setting up a VPN server on a Win10 host.
In the past, I had always followed these instructions: https://openvpn.net/index.php/open-sour ... ml#install

But now it seems I can't do server+clients certificates generation on the same machine, e.g. with command build-key client1?

Code: Select all

1. Choose a system to act as your CA and create a new PKI and CA:
./easyrsa init-pki
./easyrsa build-ca

2. On the system that is requesting a certificate, init its own PKI and generate a keypair/request. Note that the init-pki is used only when this is done on a separate system (or at least a separate PKI dir.) This is the recommended procedure. If you are not using this recommended procedure, skip the next import-req step as well.
./easyrsa init-pki
./easyrsa gen-req EntityName

3. Transport the request (.req file) to the CA system and import it. The name given here is arbitrary and only used to name the request file.
./easyrsa import-req /tmp/path/to/import.req EntityName

4. Sign the request as the correct type. This example uses a client type:
./easyrsa sign-req client EntityName

5. Transport the newly signed certificate to the requesting entity. This entity may also need the CA cert (ca.crt) unless it had a prior copy.

The entity now has its own keypair, and signed cert, and the CA.
I find this process more tricky! :? The end-user (client) is supposed to just receive the necessary files and connect to my server (without having to start shells on its system to create req files)..how can this be done now?

Thanks!

xlepws
OpenVPN User
Posts: 12
Joined: Sun Oct 25, 2015 2:53 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by xlepws » Sun Jan 24, 2016 4:12 pm

silly me :)

using the

Code: Select all

./easyrsa build-client-full server
and

Code: Select all

./easyrsa build-client-full client_1
...
./easyrsa build-client-full client_n
did the trick :)

But I could not find a single place on the internet where a Win OpenVPN server installation using EasyRSA3 is explained from the beginning to the end :| ..do you know of any such resource?

wamiduku
OpenVpn Newbie
Posts: 6
Joined: Tue Oct 09, 2012 10:56 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by wamiduku » Tue Feb 23, 2016 4:30 pm

Where did you find the doc for "build-client-full" and "build-server-full"? I've searched all doc files, but I can't find any mention of either.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4081
Joined: Sat Aug 09, 2014 11:24 am

Re: [EasyRSA 3] help generating certificates & keys clients

Post by Traffic » Tue Feb 23, 2016 5:43 pm

Those scripts are part of EasyRSA v3x ..
topic19629.html

wamiduku
OpenVpn Newbie
Posts: 6
Joined: Tue Oct 09, 2012 10:56 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by wamiduku » Wed Feb 24, 2016 1:24 am

Traffic wrote:Those scripts are part of EasyRSA v3x ..
topic19629.html
Actually they're not scripts, but arguments to the "easy_rsa" script. I've searched everything in https://github.com/OpenVPN/easy-rsa/tree/master/doc, but I can't find any mention of them.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4081
Joined: Sat Aug 09, 2014 11:24 am

Re: [EasyRSA 3] help generating certificates & keys clients

Post by Traffic » Wed Feb 24, 2016 1:54 am

wamiduku wrote:Actually they're not scripts, but arguments
If you want to split hairs .. this would be the right place ..

Just download EasyRSA3xx and get on with it .. start with the README and read vars.

wamiduku
OpenVpn Newbie
Posts: 6
Joined: Tue Oct 09, 2012 10:56 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by wamiduku » Wed Feb 24, 2016 2:38 am

So, I won't need to use build-xxx-full arguments then, since the they're not used in the readme? It seems that the OP needed them for some reason.

I find the EasyRSA section in https://openvpn.net/index.php/open-sour ... html#quick much more complete than the new readme, but unfortunately that link is for an older version.

wamiduku
OpenVpn Newbie
Posts: 6
Joined: Tue Oct 09, 2012 10:56 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by wamiduku » Wed Feb 24, 2016 2:47 am

Never mind, I found a useful EasyRSA tutorial here: http://www.hydrogen18.com/blog/your-own ... olang.html

xlepws
OpenVPN User
Posts: 12
Joined: Sun Oct 25, 2015 2:53 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by xlepws » Mon Mar 14, 2016 8:53 pm

wamiduku wrote:Where did you find the doc for "build-client-full" and "build-server-full"? I've searched all doc files, but I can't find any mention of either.
I just run ./easyrsa at the command prompt in the EasyRSA 3 Shell, I saw those commands in the list shown :)

xlepws
OpenVPN User
Posts: 12
Joined: Sun Oct 25, 2015 2:53 pm

Re: [EasyRSA 3] help generating certificates & keys clients

Post by xlepws » Tue Mar 15, 2016 1:27 am

of corse here
xlepws wrote:using the

Code: Select all

./easyrsa build-client-full server
there's a mistake, it should be
./easyrsa build-server-full server

Post Reply