Problems using the pkitool --batch option when creating keys

How to customize and extend your OpenVPN installation.


maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens, Greece

Re: Problems using the pkitool --batch option when creating

Post by maikcat » Fri Oct 11, 2013 8:43 am

you can always edit build-key script & others & remove the --interactive parameter.

ps: check your time settings please.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

chartmann
OpenVpn Newbie
Posts: 3
Joined: Fri Oct 11, 2013 8:51 am

Problems using the pkitool --batch option when creating keys

Post by chartmann » Fri Oct 11, 2013 8:57 am

Hey everybody!

The subject could also be "How do I create keys by script without the need of user interaction?" (e.g. pressing enter several times just to accept the default values given in vars).

I've got some problems creating keys using the pkitool --batch option. I'm running OpenVPN version 2.2.1-8ubuntu1.1 using easy-rsa v2.0.

The problem:

Code:

root@someserver:/etc/openvpn/easy-rsa2# source ./vars
root@someserver:/etc/openvpn/easy-rsa2# ./pkitool --batch test1
Using Common Name: abc.defghijk.com
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'test1.key'
-----
Using configuration from /etc/openvpn/easy-rsa2/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FOO'
stateOrProvinceName   :PRINTABLE:'BAR'
localityName          :PRINTABLE:'FOOBAR'
organizationName      :PRINTABLE:'Some Company Inc'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'abc.defghijk.com'
name                  :PRINTABLE:'abc.defghijk.com-key'
emailAddress          :IA5STRING:'it@defghijk.com'
Certificate is to be certified until Oct  9 08:00:18 2023 GMT (3650 days)
failed to update database
TXT_DB error number 2

Resulting in:

Code:

root@someserver:/etc/openvpn/easy-rsa2# ls -al keys/
..
-rw-r--r-- 1 root root    0 Okt 11 10:00 test1.crt
-rw-r--r-- 1 root root  769 Okt 11 10:00 test1.csr
-rw-r--r-- 1 root root  916 Okt 11 10:00 test1.key
..

First question: What am I doing wrong here? Why does the "TXT_DB error" occur and what does it mean? The key actually gets added to the index.txt file but the crt-file is empty. When executing pkitool using the --interact instead of the --batch option and accepting the default values the key is created correctly.

Second question: How do I get rid of the broken entries like "test1"? Is it safe to just delete all test1.* files and remove the entry from index.txt? Revoking the keys using the "revoke-full" command does not work on empty crt-files (as one would expect).

Thanks in advance!

chartmann
OpenVpn Newbie
Posts: 3
Joined: Fri Oct 11, 2013 8:51 am

Re: Problems using the pkitool --batch option when creating

Post by chartmann » Thu Nov 21, 2013 1:14 pm

That's what I did. I copied over the build-key script and removed the --interact parameter:

Code:

#!/bin/sh

# Make a certificate/private key pair using a locally generated
# root certificate.

# Default to the current directory when EASY_RSA is not set.
export EASY_RSA="${EASY_RSA:-.}"
# Pass all arguments through to pkitool unchanged ("$@" keeps them intact
# even if one contains spaces, unlike the unquoted $* of the original).
"$EASY_RSA/pkitool" "$@"

But that does not seem to work as I always get the same error:

Code:

failed to update database
TXT_DB error number 2

Any ideas on this?

chartmann
OpenVpn Newbie
Posts: 3
Joined: Fri Oct 11, 2013 8:51 am

Re: Problems using the pkitool --batch option when creating

Post by chartmann » Thu Nov 21, 2013 1:35 pm

Gosh! Fixed it myself. :D

You need to export KEY_CN first. Otherwise it will use the CN from the vars-file. Guess that's a bug in the script as the default behaviour when using --interact is that the CN is set to the given parameter by the user.

E.g.:
...
# Export the CN first; otherwise pkitool --batch uses the KEY_CN from vars.
export KEY_CN=$1
# build-key-batch calls pkitool without --interact, so no prompts appear.
./build-key-batch $1
...
(build-key-batch is a copy of the build-key file with the --interact parameter removed.)
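An added example, not from this thread or from easy-rsa itself, of the fix the last post describes as a POSIX shell wrapper: it exports KEY_CN before calling pkitool --batch, and first checks index.txt for an existing valid entry with the same CN, because a duplicate subject in the OpenSSL CA database is what "TXT_DB error number 2" reports. The function names, the constructed sample index.txt and the assumption that vars has already been sourced are mine.

```shell
#!/bin/sh
# Constructed sample of an easy-rsa 2 index.txt (the OpenSSL "ca" database that
# pkitool signs against). Tab-separated columns: status (V/R/E), expiry,
# revocation date, serial, certificate file, subject DN.
SAMPLE_INDEX="$(mktemp)"
printf 'V\t231009080018Z\t\t01\tunknown\t/C=FOO/ST=BAR/L=FOOBAR/O=Some Company Inc/OU=IT/CN=abc.defghijk.com/name=abc.defghijk.com-key/emailAddress=it@defghijk.com\n' > "$SAMPLE_INDEX"
printf 'R\t231009080018Z\t131015120000Z\t02\tunknown\t/C=FOO/ST=BAR/L=FOOBAR/O=Some Company Inc/OU=IT/CN=oldclient/name=oldclient-key/emailAddress=it@defghijk.com\n' >> "$SAMPLE_INDEX"

# Exit 0 when a still-valid entry (status V) with this CN is already in the
# index. With the default unique_subject = yes, signing a second certificate
# with the same subject is what produces "TXT_DB error number 2".
cn_is_taken() {
    # $1 = common name, $2 = path to index.txt
    awk -F'\t' -v cn="$1" \
        '$1 == "V" && index($6 "/", "/CN=" cn "/") { found = 1 } END { exit !found }' "$2"
}

# Non-interactive wrapper (hypothetical name): set KEY_CN in the environment so
# pkitool --batch does not fall back to the CN from vars, and refuse to sign
# when the CN is already present instead of leaving an empty .crt behind.
build_key_batch() {
    # $1 = common name, $2 = index.txt (default: $KEY_DIR/index.txt),
    # $3 = pkitool path (default: $EASY_RSA/pkitool); vars is assumed sourced.
    cn="$1"
    idx="${2:-$KEY_DIR/index.txt}"
    tool="${3:-${EASY_RSA:-.}/pkitool}"
    if cn_is_taken "$cn" "$idx"; then
        echo "refusing: a valid certificate for CN=$cn already exists in $idx" >&2
        return 2
    fi
    KEY_CN="$cn" "$tool" --batch "$cn"
}
```

Revoked (R) entries do not block a new certificate, which is why only status V rows are counted.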
