Page 1 of 1

Problem Creating Keys

Posted: Thu Oct 01, 2009 2:54 am
by Wasser
Hi! This must be a noob question, but here it goes:

I configured OpenVPN correctly and created 2 different certificates / keys for clients using the build-key.bat batch script.

My problem is the following:
Right Now, if i try to create a different certificate (a third one), because i want to add another user, every time I try to run the build-key <client name> script it just gives me a lot of commands with options i can try to use with the batch file. Even though that was the way i created the keys the first time. I try running it without the <client name> parameter, but still the same.

OpenVPN status: VPN working correctly for the 2 keys created. Can't create more.

If anyone can help me, please.

Re: Problem Creating Keys

Posted: Fri Oct 02, 2009 12:50 pm
by ecrist
Can you paste the command and the errors you're getting to this forum?

Re: Problem Creating Keys

Posted: Fri Oct 02, 2009 5:58 pm
by Wasser

Code: Select all

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\OpenVPN\easy-rsa>build-key Extra
C:\Program Files (x86)\OpenVPN\easy-rsa
req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -engine e      use engine e, possibly a hardware device
 -subject       output the request's subject
 -passin        private key password source
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file;file;...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -newkey ec:file generate a new EC key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)
 -config file   request template file.
 -subj arg      set or modify request subject
 -multivalue-rdn enable support for multivalued RDNs
 -new           new request.
 -batch         do not ask anything during request generation
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a certificate generated by -x509 is valid for.
 -set_serial    serial number to use for a certificate generated by -x509.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config
 -reqexts ..    specify request extension section (override value in config file
 -utf8          input characters are UTF8 (default ASCII)
 -nameopt arg    - various certificate name options
 -reqopt arg    - various request text options

unknown option -config
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, one of md2, md5, sha or sha1
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates
Could Not Find C:\*.old

C:\Program Files (x86)\OpenVPN\easy-rsa>
This is the output trying from a Windows 7 x64 pc (openvpn server).
Exactly the same happens in a Windows Server 2008 (also another openvpn server)
That's the way I did it when I created the server and it worked. After the server was up and running, I can't create them anymore like that.

Re: Problem Creating Keys

Posted: Wed Nov 11, 2009 11:43 pm
by bretticus
I found this post looking around the Web for an answer. I'm am very new to configuring openvpn, but this simple step worked for me today:

I simply ran the vars.bat file again. That's it.

Code: Select all

C:\Program Files (x86)\OpenVPN\easy-rsa>vars
C:\Program Files (x86)\OpenVPN\easy-rsa>build-key Extra
It appears that vars.bat simply sets up the environment variables that you used previously (which makes sense.)