Lost original easy-rsa folder. How to create more client keys?

rocketman11
OpenVpn Newbie
Posts: 9
Joined: Thu Jun 30, 2022 12:23 am

Lost original easy-rsa folder. How to create more client keys?

Post by rocketman11 » Mon Oct 17, 2022 10:05 pm

Someone misplaced or deleted the original easy-rsa folder that was used to generate certificates and keys for clients. Luckily I have the ca.crt and ca.key.

I don't know how to proceed to build the client keys now. There are already hundreds of clients deployed and if I generate new CA and CA key, it would be a problem. I want to generate client keys with existing ca.crt and ca.key using easy-rsa. Any suggestions?

More details here but no solution yet: https://serverfault.com/questions/11131 ... ave-ca-crt

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Lost original easy-rsa folder. How to create more client keys?

Post by TinCanTech » Mon Oct 17, 2022 11:31 pm

I assume that you have no backup ..

rocketman11
OpenVpn Newbie
Posts: 9
Joined: Thu Jun 30, 2022 12:23 am

Re: Lost original easy-rsa folder. How to create more client keys?

Post by rocketman11 » Mon Oct 17, 2022 11:50 pm

Backup of easy-rsa folder? No I don't have that. I have back up of the original ca.crt that was built and the ca.key that was used to sign csr and keys. I don’t have the easy-rsa folder itself.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Lost original easy-rsa folder. How to create more client keys?

Post by TinCanTech » Tue Oct 18, 2022 10:59 am

Then you have destroyed your PKI.

Fixing this is way beyond the scope of EasyRSA.

If you are determined to pursue your current approach then you can contact me privately for support. Fees will apply.

rocketman11
OpenVpn Newbie
Posts: 9
Joined: Thu Jun 30, 2022 12:23 am

Re: Lost original easy-rsa folder. How to create more client keys?

Post by rocketman11 » Tue Oct 18, 2022 12:50 pm

I am sorry I am not paying strangers.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Lost original easy-rsa folder. How to create more client keys?

Post by TinCanTech » Tue Oct 18, 2022 2:03 pm

With hundreds of clients, as you claim, if you understood the scale of your error,
you would probably choose to get to know me.

But it's your job, you fix it however you see fit.

rocketman11
OpenVpn Newbie
Posts: 9
Joined: Thu Jun 30, 2022 12:23 am

Re: Lost original easy-rsa folder. How to create more client keys?

Post by rocketman11 » Tue Oct 18, 2022 2:14 pm

Wow. What kind of rules are enforced here on this forum? People asking money for help. There are so many security implications for paying and sharing private information. If anyone has any solutions please post. No soliciting for money please.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Lost original easy-rsa folder. How to create more client keys?

Post by TinCanTech » Tue Oct 18, 2022 3:45 pm

You are the victim of your own incompetence.

You provide a paid service to your clients.
You do not have a backup.
Your server is not in a secure location.

Why should anybody help you for free ?

rocketman11
OpenVpn Newbie
Posts: 9
Joined: Thu Jun 30, 2022 12:23 am

Re: Lost original easy-rsa folder. How to create more client keys?

Post by rocketman11 » Tue Oct 18, 2022 3:53 pm

Because stackoverflow and this forum are not paid ones. People volunteer. I am not asking you for help. If anyone wants to volunteer then please do so. Why are you even posting here?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Lost original easy-rsa folder. How to create more client keys?

Post by TinCanTech » Tue Oct 18, 2022 4:31 pm

If your question was regarding using EasyRSA then I would help.

But your question is about how to recover from a disaster.

I can help ..

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Lost original easy-rsa folder. How to create more client keys?

Post by TinCanTech » Tue Oct 18, 2022 4:48 pm

I have already freely given enough of my time to Easy-RSA: https://github.com/OpenVPN/easy-rsa/graphs/contributors

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Lost original easy-rsa folder. How to create more client keys?

Post by openvpn_inc » Tue Oct 18, 2022 7:18 pm

Hello rocketman11,

It is of course a shame that the most important part of your setup was not backed up. I don't want to be the guy to rub it in - you've already received enough of that, it looks like. A lesson for the future, I guess.

If you have lost your Easy-RSA folder, your PKI is indeed pretty much wiped out. However, in theory, if you have the CA key and the CA cert, you should be able to rebuild it. But it'll be a manual process. To be honest, I am not aware of a guide that explains how to do that, as it's generally accepted that you should keep that directory safe as it's the basis of your entire trust structure in the OpenVPN solution, so there wasn't much need to create such a guide.

Personally I do not have a lot of experience with Easy-RSA, but I would imagine that if I were to try to recover from this, I would try to follow these steps - not saying these are correct, but just saying that's what I would try;

- Reference Easy-RSA documentation how the structure works
- Set up a new PKI with Easy-RSA
- Put the old CA key and CA cert in there
- Edit: I previously wrote to edit serial with last generated cert serial number, but I was pointed out that this is randomized now so no worries there apparently
- Try to create a CSR and try signing a new client cert

Ultimately, the CA is used to sign CSR for server and client certificates, and so if you use that same CA, it should work to sign new client certificates.

On a sidenote, I think tincantech has been banned for his behavior. I apologize for any inconvenience, it is after all a public forum run by the community.

Best of luck to you,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

rocketman11
OpenVpn Newbie
Posts: 9
Joined: Thu Jun 30, 2022 12:23 am

Re: Lost original easy-rsa folder. How to create more client keys?

Post by rocketman11 » Tue Oct 18, 2022 8:39 pm

TinCanTech wrote:
Tue Oct 18, 2022 4:48 pm
I have already freely given enough of my time to Easy-RSA: https://github.com/OpenVPN/easy-rsa/graphs/contributors
I really don’t care. Asking for money on this forum shouldn’t be allowed.

rocketman11
OpenVpn Newbie
Posts: 9
Joined: Thu Jun 30, 2022 12:23 am

Re: Lost original easy-rsa folder. How to create more client keys?

Post by rocketman11 » Tue Nov 15, 2022 5:32 pm

openvpn_inc wrote:
Tue Oct 18, 2022 7:18 pm
Hello rocketman11,

It is of course a shame that the most important part of your setup was not backed up. I don't want to be the guy to rub it in - you've already received enough of that, it looks like. A lesson for the future, I guess.

If you have lost your Easy-RSA folder, your PKI is indeed pretty much wiped out. However, in theory, if you have the CA key and the CA cert, you should be able to rebuild it. But it'll be a manual process. To be honest, I am not aware of a guide that explains how to do that, as it's generally accepted that you should keep that directory safe as it's the basis of your entire trust structure in the OpenVPN solution, so there wasn't much need to create such a guide.

Personally I do not have a lot of experience with Easy-RSA, but I would imagine that if I were to try to recover from this, I would try to follow these steps - not saying these are correct, but just saying that's what I would try;

- Reference Easy-RSA documentation how the structure works
- Set up a new PKI with Easy-RSA
- Put the old CA key and CA cert in there
- Edit: I previously wrote to edit serial with last generated cert serial number, but I was pointed out that this is randomized now so no worries there apparently
- Try to create a CSR and try signing a new client cert

Ultimately, the CA is used to sign CSR for server and client certificates, and so if you use that same CA, it should work to sign new client certificates.

On a sidenote, I think tincantech has been banned for his behavior. I apologize for any inconvenience, it is after all a public forum run by the community.

Best of luck to you,
Johan
Thanks, that solved my problem. Used Easy-rsa, init-pki, replace the new ca.crt and ca.key with old ones and then build-full server and client.
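
The recovery reported above, written out as an added shell example (not part of the original posts and not Easy-RSA's own code). It assumes Easy-RSA 3 with `easyrsa` on the PATH and an unencrypted ca.key; the function names and directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: function names and paths are hypothetical.

# Succeeds only if the private key belongs to the certificate (same public key).
ca_key_matches_cert() {  # usage: ca_key_matches_cert ca.crt ca.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate chains to the given CA certificate.
issued_by_ca() {  # usage: issued_by_ca ca.crt client.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Rebuild an Easy-RSA 3 PKI around the surviving CA files, then issue one client.
rebuild_pki() {  # usage: rebuild_pki OLD_CA_DIR NEW_PKI_DIR CLIENT_NAME
    old=$1 client=$3
    # Check the backup pair before trusting it as the CA of a new PKI.
    ca_key_matches_cert "$old/ca.crt" "$old/ca.key" || {
        echo "ca.key does not match ca.crt; refusing to continue" >&2; return 1; }
    export EASYRSA_PKI="$2"
    easyrsa --batch init-pki || return 1
    # Throwaway CA: only there to create the PKI layout (index.txt, serial, dirs).
    easyrsa --batch build-ca nopass || return 1
    # Replace the throwaway CA with the original one.
    cp "$old/ca.crt" "$EASYRSA_PKI/ca.crt" || return 1
    cp "$old/ca.key" "$EASYRSA_PKI/private/ca.key" || return 1
    chmod 600 "$EASYRSA_PKI/private/ca.key"
    easyrsa --batch build-client-full "$client" nopass || return 1
    # The new client certificate must validate against the ORIGINAL ca.crt.
    issued_by_ca "$old/ca.crt" "$EASYRSA_PKI/issued/$client.crt"
}
```

Already deployed clients keep working because they chain to the same ca.crt. The rebuilt PKI's index.txt starts empty, so it holds no record of certificates issued before the loss.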

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Lost original easy-rsa folder. How to create more client keys?

Post by openvpn_inc » Tue Nov 15, 2022 5:39 pm

Hi rocketman11,

Glad to hear that worked. Thanks for reporting back on your success. It may be helpful to others in the future.

Kind regards,
Johan
