Problem Creating Keys

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.
Forum rules
Please visit (and READ) the OpenVPN HowTo prior to asking any questions in here!
Post Reply
OpenVpn Newbie
Posts: 2
Joined: Thu Oct 01, 2009 2:47 am

Problem Creating Keys

Post by Wasser » Thu Oct 01, 2009 2:54 am

Hi! This must be a noob question, but here it goes:

I configured OpenVPN correctly and created 2 different certificates / keys for clients using the build-key.bat batch script.

My problem is the following:
Right Now, if i try to create a different certificate (a third one), because i want to add another user, every time I try to run the build-key <client name> script it just gives me a lot of commands with options i can try to use with the batch file. Even though that was the way i created the keys the first time. I try running it without the <client name> parameter, but still the same.

OpenVPN status: VPN working correctly for the 2 keys created. Can't create more.

If anyone can help me, please.

User avatar
Forum Team
Posts: 231
Joined: Wed Nov 26, 2008 10:33 pm
Location: Minneapolis, MN

Re: Problem Creating Keys

Post by ecrist » Fri Oct 02, 2009 12:50 pm

Can you paste the command and the errors you're getting to this forum?
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel Twitter: @ecrist
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN

OpenVpn Newbie
Posts: 2
Joined: Thu Oct 01, 2009 2:47 am

Re: Problem Creating Keys

Post by Wasser » Fri Oct 02, 2009 5:58 pm

Code: Select all

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\OpenVPN\easy-rsa>build-key Extra
C:\Program Files (x86)\OpenVPN\easy-rsa
req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -engine e      use engine e, possibly a hardware device
 -subject       output the request's subject
 -passin        private key password source
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file;file;...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -newkey ec:file generate a new EC key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)
 -config file   request template file.
 -subj arg      set or modify request subject
 -multivalue-rdn enable support for multivalued RDNs
 -new           new request.
 -batch         do not ask anything during request generation
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a certificate generated by -x509 is valid for.
 -set_serial    serial number to use for a certificate generated by -x509.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config
 -reqexts ..    specify request extension section (override value in config file
 -utf8          input characters are UTF8 (default ASCII)
 -nameopt arg    - various certificate name options
 -reqopt arg    - various request text options

unknown option -config
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, one of md2, md5, sha or sha1
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates
Could Not Find C:\*.old

C:\Program Files (x86)\OpenVPN\easy-rsa>
This is the output trying from a Windows 7 x64 pc (openvpn server).
Exactly the same happens in a Windows Server 2008 (also another openvpn server)
That's the way I did it when I created the server and it worked. After the server was up and running, I can't create them anymore like that.

OpenVpn Newbie
Posts: 1
Joined: Wed Nov 11, 2009 11:39 pm

Re: Problem Creating Keys

Post by bretticus » Wed Nov 11, 2009 11:43 pm

I found this post looking around the Web for an answer. I'm am very new to configuring openvpn, but this simple step worked for me today:

I simply ran the vars.bat file again. That's it.

Code: Select all

C:\Program Files (x86)\OpenVPN\easy-rsa>vars
C:\Program Files (x86)\OpenVPN\easy-rsa>build-key Extra
It appears that vars.bat simply sets up the environment variables that you used previously (which makes sense.)

Post Reply