Help with Easy-rsa
Posted: Sun Sep 23, 2012 3:16 pm
I used OpenVPN about 2-3 years ago and I stopped using it when I had trouble with my server.
When I did it I had Windows XP.
Now I am using Windows 7
I am having trouble starting out generating my certs using easy-rsa.
I do remember when I did this last time I had some tweaks.
So this is my setup:
Win 7 pro
Open VPN 2.2.2
Default Directory is c:/program files (x86)/OpenVPN
Easy RSA is c:/program files (x86)/OpenVPN/easy-rsa
So far I have edited vars.bat file. Besides setting a few of the Default Keys I have had to change the Home Variable to reflect my install directory
Changed the line to:
set HOME=%ProgramFiles(x86)%\OpenVPN\easy-rsa
Now the following is my Build-ca bat file:
******start******
@echo off
cd %HOME%
rem build a cert authority valid for ten years, starting now
openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG%
******end******
I run build-ca
This is what I get: (I have Asterisked out personal info)
******start screen copy******
C:\Program Files (x86)\OpenVPN\easy-rsa>build-ca
WARNING: can't open config file: c:/openssl/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......++++++
......................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MD ]:
Locality Name (eg, city) [******]:
Organization Name (eg, company) [******]:
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [changeme]:CA-Server
Name [changeme]:
Email Address [******@*******l.com]:
C:\Program Files (x86)\OpenVPN\easy-rsa>
******End Screen Copy******
After I run this it looks like I have two new Key files in my Keys directory. ca.cert and ca.key
The problem is why do I get: WARNING: can't open config file: c:/openssl/ssl/openssl.cnf when I run build-ca.bat?
I then run the build-key-server.bat file:
******start******
@echo off
cd %HOME%
rem build a request for a cert that will be valid for ten years
openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
rem delete any .old files created in this process, to avoid future file creation errors
del /q %KEY_DIR%\*.old
******end******
This is the output I get: (I have Asterisked out personal info)
******Start Screen Copy******
C:\Program Files (x86)\OpenVPN\easy-rsa>build-key-server
WARNING: can't open config file: c:/openssl/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......++++++
.......++++++
writing new private key to 'keys\.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MD ]:
Locality Name (eg, city) [*******]:
Organization Name (eg, company) [******]:
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [changeme]:IT
Name [changeme]:
Email Address [********@********.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:**********
An optional company name []:
WARNING: can't open config file: c:/openssl/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'MD '
localityName          :PRINTABLE:'*******'
organizationName      :PRINTABLE:'******'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'IT'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'********@*******.com'
Certificate is to be certified until Sep 21 14:53:47 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files (x86)\OpenVPN\easy-rsa>
******End Screen Copy******
This creates the following files:
.key
.csr
serial
index.txt.attr
index.txt
01.pem
.crt
Now as you can see I also get the warning:
WARNING: can't open config file: c:/openssl/ssl/openssl.cnf
But right after I get:
Using configuration from openssl-1.0.0.cnf
So I am trying to figure out these warnings.
When I look at the files created by both bat files they look good. The certificate opens as a cert and the keys look like hex keys.
Why am I getting these warnings?
Is the bat trying to use an installed version of OpenSSL, then falling back and using the openssl-1.0.0.cnf in the easy-rsa directory, and the warnings are not expressive enough and I just need to ignore them, or am I missing something?
I tried installing both OpenSSL version 1.01c light and 1.0.0g. First off, the directory structure on both doesn't match the warnings. They both allowed me to name the home directory OpenSSL, but the subdirectory defaults to bin, where easyssl.cfg is located. I tried both the default and renaming bin to ssl, and I still get errors.
Any Help?
Also not sure if this is the right forum so if mods can move or point me to the right forum that would be great.
In the meantime I am going to continue on and see if the generated files work in my setup.
Thank You
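An added example, not part of the original post or of easy-rsa: a variant of the build-key-server.bat quoted above that refuses an empty name (the run above was started without an argument and wrote keys\.key) and sets the OPENSSL_CONF environment variable, which openssl.exe reads at startup instead of its compiled-in default path. It assumes vars.bat has been run first, that KEY_CONFIG is the relative file name openssl-1.0.0.cnf shown in the output, and that vars.bat sets KEY_SIZE.

```bat
@echo off
rem Added example: guarded build-key-server (not the easy-rsa original).
rem Assumes vars.bat was run, so HOME, KEY_DIR and KEY_CONFIG are set.
setlocal

rem Without a name, %1 is empty and the outputs become
rem keys\.key, keys\.csr and keys\.crt, as in the screen copy.
if "%~1"=="" (
    echo Usage: %~nx0 ^<server-name^>
    exit /b 1
)
if not defined KEY_DIR (
    echo KEY_DIR is not set. Run vars.bat first.
    exit /b 1
)
if not defined KEY_CONFIG (
    echo KEY_CONFIG is not set. Run vars.bat first.
    exit /b 1
)

rem /d also switches drive; quotes protect the space in "Program Files (x86)".
cd /d "%HOME%"

rem openssl.exe tries its compiled-in default config before it parses
rem -config; that probe is the source of the c:/openssl/ssl/openssl.cnf
rem warning. OPENSSL_CONF replaces the default path. Kept outside any
rem parenthesised block because HOME itself contains parentheses.
set "OPENSSL_CONF=%HOME%\%KEY_CONFIG%"

rem The screen copy shows a 1024 bit key. Warn when the configured size
rem (KEY_SIZE, assumed to come from vars.bat) is below 2048.
if defined KEY_SIZE if %KEY_SIZE% LSS 2048 echo WARNING: KEY_SIZE is %KEY_SIZE%, use 2048 or more.

rem Build the request, stopping if openssl reports an error.
openssl req -days 3650 -nodes -new -keyout "%KEY_DIR%\%~1.key" -out "%KEY_DIR%\%~1.csr" -config "%KEY_CONFIG%"
if errorlevel 1 exit /b 1

rem Sign the request with the CA using the server extensions section.
openssl ca -days 3650 -out "%KEY_DIR%\%~1.crt" -in "%KEY_DIR%\%~1.csr" -extensions server -config "%KEY_CONFIG%"
if errorlevel 1 exit /b 1

rem Remove leftover .old files only if any exist.
if exist "%KEY_DIR%\*.old" del /q "%KEY_DIR%\*.old"
endlocal
```

Because `-nodes` leaves the private key unencrypted, restrict read access on the keys directory to the account that runs OpenVPN.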