Creating a second server cert from existing CA, locally, cmd help.

Support forum for Easy-RSA certificate management suite.
Post Reply
Closed_VPN
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 28, 2018 4:04 pm

Creating a second server cert from existing CA, locally, cmd help.

Post by Closed_VPN » Wed Mar 28, 2018 4:24 pm

Extreme noob here:

I've followed the HOWTO guide page and successfully created a CA, 1 server certificate, and a few client certs. I got my VPN working after many hours. 2 days ago I had no idea what a certificate was. However I did it all in one step, I never closed CMD from start to finish. (init-config, edit vars, vars, then build-key-server server1, the rest of it. All was fine. The tunnel works from the client to server1. :D

I need to setup a second vpn on a totally different server, and I would like to use the same CA (me).

Its the next day, and I need to create a second server cert. I've opened CMD as admin, CD'ed to the bin folder,opened openssl, and now I'm trying to create another server cert, using the command build-key-server server2 for example, but I am getting: 'openssl' is not recognized as an internal or external command

I dont want to do the init-config, vars etc because I am scared it will overwrite my current CA.

I'm guessing I have to somehow load my CA into openssl before I can run the build-key-server command.

I guess this question also applies to the client command as that will be next.

I'm sure its a simple step I've missed, but I don't have a clue what.

Any help would be great.

Sorry just realised I posted this in the wrong board. Mods if you could kindly move or delete.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5319
Joined: Fri Jun 03, 2016 1:17 pm

Re: Creating a second server cert from existing CA, locally, cmd help.

Post by TinCanTech » Wed Mar 28, 2018 5:25 pm

Closed_VPN wrote:
Wed Mar 28, 2018 4:24 pm
I dont want to do the init-config, vars etc because I am scared it will overwrite my current CA
Make a Backup

Do not do init-pki
Do do vars

Also, you may find it easier to use https://github.com/OpenVPN/easy-rsa/releases [Easyrsa3] in future.
I have never tried to find out if it is backward compatible .. you can try that if you like ;)

Closed_VPN
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 28, 2018 4:04 pm

Re: Creating a second server cert from existing CA, locally, cmd help.

Post by Closed_VPN » Tue Apr 03, 2018 2:46 pm

TinCanTech wrote:
Wed Mar 28, 2018 5:25 pm
Closed_VPN wrote:
Wed Mar 28, 2018 4:24 pm
I dont want to do the init-config, vars etc because I am scared it will overwrite my current CA
Make a Backup

Do not do init-pki
Do do vars

Also, you may find it easier to use https://github.com/OpenVPN/easy-rsa/releases [Easyrsa3] in future.
I have never tried to find out if it is backward compatible .. you can try that if you like ;)
Thanks so much, just what I needed, I did a build-key-server server2 and created a server2.
Last edited by Closed_VPN on Tue Apr 03, 2018 5:02 pm, edited 1 time in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5319
Joined: Fri Jun 03, 2016 1:17 pm

Re: Creating a second server cert from existing CA, locally, cmd help.

Post by TinCanTech » Tue Apr 03, 2018 3:53 pm

You have not provided enough information to explain what you have done .. so I don't know ..

But judging from what you have posted, it sounds like you have created a new CA and server
so the old clients will not be able to connect to that with their certificate .. if that is what you have done ..

Like I said, I don't know if easyrsa3 is backward compatible with easyrsa2 and I don't think you have tried
to use your old PKI ..

Closed_VPN
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 28, 2018 4:04 pm

Re: Creating a second server cert from existing CA, locally, cmd help.

Post by Closed_VPN » Tue Apr 03, 2018 5:04 pm

TinCanTech wrote:
Tue Apr 03, 2018 3:53 pm
You have not provided enough information to explain what you have done .. so I don't know ..

But judging from what you have posted, it sounds like you have created a new CA and server
so the old clients will not be able to connect to that with their certificate .. if that is what you have done ..

Like I said, I don't know if easyrsa3 is backward compatible with easyrsa2 and I don't think you have tried
to use your old PKI ..
Edit, Ignore that last post, I have sorted the issue (user error :mrgreen: ) and edited the comment. Feel free to delete this and your comment to avoid confusion for others. Thanks again for your help.

Post Reply