Generate certificates & keys for clients

Scripts to manage certificates or generate config files

Moderators: TinCanTech

arturk
OpenVpn Newbie
Posts: 7
Joined: Tue Feb 10, 2015 1:33 pm
Location: Poland

Generate certificates & keys for clients

Post by arturk » Tue Feb 10, 2015 1:55 pm

Hi there,
I followed instructions at http://openvpn.net/index.php/open-sourc ... o.html#pki
and successfully generated all needed certificates and keys. After a few days I realized that I need two more client certificates. I tried to build them using 'build-key clientX' but I get an error. It's probably associated with lost variable values. How can I manage it and not rewrite the generated certs and keys?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Generate certificates & keys for clients

Post by maikcat » Tue Feb 10, 2015 1:58 pm

if you have ca.key, index.txt etc. you must first run the vars script, THEN create your client certs.

Michael.

Re: Generate certificates & keys for clients

Post by arturk » Tue Feb 10, 2015 2:02 pm

maikcat wrote: if you have ca.key index.txt etc you must run first vars script THEN create your client certs.
Michael.

I've done it this way. Still doesn't work :-/

Re: Generate certificates & keys for clients

Post by maikcat » Tue Feb 10, 2015 5:30 pm

please post the exact commands used and the output you get.

Michael.

Re: Generate certificates & keys for clients

Post by arturk » Tue Feb 10, 2015 6:33 pm

Code:

C:\Program Files\OpenVPN\easy-rsa>build-key wiewiora
WARNING: can't open config file: /etc/ssl/openssl.cnf
error on line 99 of openssl-1.0.0.cnf
1672:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 99
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
error on line 99 of config file 'openssl-1.0.0.cnf'
4024:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 99
Nie można odnaleźć C:\Program Files\OpenVPN\easy-rsa\keys\*.old.

C:\Program Files\OpenVPN\easy-rsa>

Re: Generate certificates & keys for clients

Post by maikcat » Wed Feb 11, 2015 6:41 am

did you run vars.bat?

Michael.

Re: Generate certificates & keys for clients

Post by arturk » Wed Feb 11, 2015 7:19 am

maikcat wrote: did you run vars.bat?
Michael.

Yep :|

Re: Generate certificates & keys for clients

Post by maikcat » Wed Feb 11, 2015 9:39 am

can you post the contents of build-key.bat file?

Michael.

Re: Generate certificates & keys for clients

Post by arturk » Wed Feb 11, 2015 6:03 pm

maikcat wrote: can you post the contents of build-key.bat file?
Michael.

build-key.bat

Code:

@echo off
cd %HOME%
rem build a request for a cert that will be valid for ten years
openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem delete any .old files created in this process, to avoid future file creation errors
del /q %KEY_DIR%\*.old

Re: Generate certificates & keys for clients

Post by maikcat » Thu Feb 12, 2015 7:16 am

can you check and see what the content of openssl-1.0.0.cnf is at line 99?

because on my pc this line is empty...

can you check if there is a tab there?

Michael.

Re: Generate certificates & keys for clients

Post by arturk » Thu Feb 12, 2015 8:13 pm

maikcat wrote: can you check and see what are the content of openssl-1.0.0.cnf at line 99?
Michael.

line 99:
localityName_default = $ENV::KEY_CITY
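
A pre-flight check for the failure shown in this thread, added here as an example (not code from the posters or from easy-rsa): OpenSSL stops with "variable has no value" when a config line references $ENV::NAME and that environment variable is not set in the shell running the command. The function names, the sample config and the sample environment below are constructed for illustration.

```python
import os
import re
import sys

# Matches $ENV::NAME, ${ENV::NAME} and $(ENV::NAME) as used in OpenSSL config files.
ENV_REF = re.compile(r"\$[{(]?ENV::([A-Za-z_][A-Za-z0-9_]*)")


def strip_comment(line):
    """Drop a trailing '#' comment (simplified: ignores quoting and escapes)."""
    return line.split("#", 1)[0]


def missing_env_refs(cnf_text, env=None):
    """Return [(line_no, variable)] for each $ENV:: reference that is not set in env."""
    env = os.environ if env is None else env
    missing = []
    for line_no, line in enumerate(cnf_text.splitlines(), start=1):
        for name in ENV_REF.findall(strip_comment(line)):
            if name not in env:
                missing.append((line_no, name))
    return missing


# Constructed sample: a few lines in the style of easy-rsa's openssl-1.0.0.cnf.
SAMPLE_CNF = """\
[ req_distinguished_name ]
countryName_default = $ENV::KEY_COUNTRY
# stateOrProvinceName_default = $ENV::KEY_UNUSED
localityName_default = $ENV::KEY_CITY
0.organizationName_default = ${ENV::KEY_ORG}
"""

# Constructed environment in which KEY_CITY was never set.
SAMPLE_ENV = {"KEY_COUNTRY": "PL", "KEY_ORG": "Example"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real config file against the current shell's environment.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text, env = fh.read(), os.environ
    else:
        text, env = SAMPLE_CNF, SAMPLE_ENV
    for line_no, name in missing_env_refs(text, env):
        print(f"line {line_no}: {name} is not set")
```

Run it from the same command prompt in which vars.bat was executed, passing the path to the config file, so that it sees the same environment build-key.bat would.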

Re: Generate certificates & keys for clients

Post by maikcat » Mon Feb 16, 2015 11:28 am

just curious,

because easy-rsa is not part of openvpn anymore, where did you get it?

Michael.

Re: Generate certificates & keys for clients

Post by arturk » Tue Feb 17, 2015 7:07 am

maikcat wrote: just curious,

I know... anyway I recreated all certificates, so I'm done for now. Thanks for your effort.

maikcat wrote: because easy-rsa is not part of openvpn anymore,where did you get it?
Michael.

From github, exactly from here AFAIR -> https://github.com/OpenVPN/easy-rsa/blo ... -1.0.0.cnf

Re: Generate certificates & keys for clients

Post by maikcat » Tue Feb 17, 2015 9:03 am

localityName_default appears in line 127 not in 99.... :?

since you solved your problem it's ok..

regards,

Michael.
