Generating client certificates based on existing config.

Scripts to manage certificates or generate config files

Moderators: TinCanTech

grammy78
OpenVpn Newbie
Posts: 4
Joined: Sun Dec 30, 2012 12:49 pm

Generating client certificates based on existing config.

Post by grammy78 » Sun Dec 30, 2012 12:51 pm

I’m trying to generate a client certificate to be able to use the OpenVPN app in Google Play, and connect it to my Synology DiskStation’s OpenVPN server. The DiskStation’s VPN app has a function to export something (openvpn.zip). That zip file contains 2 files:
=> ca.crt, openvpn.ovpn
So I’ve got a root CA certificate and an OpenVPN profile, but no user certificate; the OpenVPN app on Android needs a user certificate.

On my Synology DiskStation I’ve got the following 2 locations & files:
Location 1:
/volume1/@appstore/VPNCenter/etc/openvpn/
=>openvpn.conf, radiusplugin.cnf, server.conf
/volume1/@appstore/VPNCenter/etc/openvpn/keys
=>ca.crt (linked from /usr/syno/etc/packages/VPNCenter/openvpn/keys/ca.crt)
=>dh1024.pem, openvpn.ovpn, openvpn.zip
=>server.crt (linked from /usr/syno/etc/packages/VPNCenter/openvpn/keys/server.crt)
=>server.key (linked from /usr/syno/etc/packages/VPNCenter/openvpn/keys/server.key)

Location 2:
/usr/syno/etc/packages/VPNCenter/openvpn
=>openvpn.conf
=>openvpn.conf.user.sample
/usr/syno/etc/packages/VPNCenter/openvpn/keys
=>ca.crt, ca.key, ca.srl, server.crt, server.csr, server.key

Now, I did install a PC with Windows 7 & the latest OpenVPN build, where I will generate the user certificates.
My question now: can I build user certificates based on the existing files I’ve got on my DiskStation?

I’m trying to follow :
http://openvpn.net/index.php/open-sourc ... o.html#pki
“Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients”

This guide creates all files needed but I prefer to keep the files I already got on my DiskStation, not sure why really :)
Can anyone tell me if what I would like to do is possible and how I can start?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Generating client certificates based on existing config.

Post by maikcat » Sun Dec 30, 2012 2:23 pm

Hi there,

the good news is you do have ca.key...
so you can create a new cert and have your CA sign it...

the bad news is you need the index.txt file, which has the serials of your already created certs...

the good thing is that you can recreate index.txt, but only if you have ALL the certs issued...

do you have them?

if yes I will show you how you can recreate index.txt and create new certs

regards

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

grammy78
OpenVpn Newbie
Posts: 4
Joined: Sun Dec 30, 2012 12:49 pm

Re: Generating client certificates based on existing config.

Post by grammy78 » Sun Dec 30, 2012 2:43 pm

Hello,

I believe by all certs issued you mean client/user certificates.

I don't think any user certificate has been issued; I don't see any user certificate on my DiskStation.
There has not been 1 client that has connected to my OpenVPN server.

I'm using the default OpenVPN install of my Synology DiskStation.

Not sure if we can create that index from scratch then...

grammy78
OpenVpn Newbie
Posts: 4
Joined: Sun Dec 30, 2012 12:49 pm

Re: Generating client certificates based on existing config.

Post by grammy78 » Fri Jan 04, 2013 11:39 am

Correction: I guess the server's certificate has also been created based on that CA.
So that would be the only certificate.
If I'm correct we can recreate index.txt.
Does that make sense?

What I don't understand is why there isn't any index.txt on my Synology; there is a CA, so....

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Generating client certificates based on existing config.

Post by maikcat » Sat Jan 05, 2013 7:22 pm

yes it makes sense,

if you have created certs yourself you also created the CA crt/key pair,
the server certificate, then client certs...

I think it's easier to re-create new certs from the start, but if you insist on
recreating index.txt on your own, simply run janjust's script below...

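Code:

#!/bin/bash
# Recreate an OpenSSL CA index.txt from the certificates already issued.
# Pass ALL issued certificates and redirect the output to index.txt.

if [ $# -eq 0 ]
then
  echo "Usage: $0 *.pem"
  exit 1
fi

for cert
do
  # Convert notAfter (e.g. "Dec 30 12:49:00 2022 GMT") to YYMMDDHHMMSSZ
  enddate=$(openssl x509 -enddate -noout -in "$cert" | sed 's/notAfter=//' | awk '
    { year=$4-2000;
      months="JanFebMarAprMayJunJulAugSepOctNovDec" ;
      month=1+index(months, $1)/3 ;   # printf %d drops the fraction
      day=$2;
      hour=substr($3,1,2) ;
      minutes=substr($3,4,2);
      seconds=substr($3,7,2);
      printf "%02d%02d%02d%02d%02d%02dZ", year, month, day, hour, minutes, seconds}')

  serial=$(openssl x509 -serial -noout -in "$cert" | sed 's/serial=//')
  # -nameopt compat prints the /C=.../CN=... form that index.txt uses
  subject=$(openssl x509 -subject -noout -nameopt compat -in "$cert" | sed 's/subject= *//')

  # index.txt fields are tab-separated:
  # status, expiry, revocation date (empty), serial, file name, subject
  printf 'V\t%s\t\t%s\tunknown\t%s\n' "$enddate" "$serial" "$subject"
done

regards,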

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"
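
Added example, not part of any post in this thread and not janjust's or Synology's code: the keys directory listed in the first post contains ca.srl, the serial file that `openssl x509 -req -CAserial` maintains, and signing that way needs no index.txt. The function names are hypothetical, and the demo CA is a constructed stand-in for the real ca.crt/ca.key.

```shell
#!/bin/bash
# Added example: issue a client certificate from an existing ca.crt/ca.key,
# tracking serial numbers in ca.srl. Function names are hypothetical.
set -eu

# issue_client_cert CA_DIR NAME OUT_DIR
# Runs in a subshell so the strict umask does not leak to the caller.
issue_client_cert() (
  ca_dir=$1; name=$2; out=$3
  umask 077                                  # keep the new private key owner-only
  ext=$(mktemp)
  # Restrict the certificate to TLS client use so it cannot pose as a server
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
    'extendedKeyUsage=clientAuth' > "$ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$out/$name.key" -out "$out/$name.csr" 2>/dev/null
  # -CAserial reuses and increments ca.srl; -CAcreateserial only matters if it is missing
  openssl x509 -req -in "$out/$name.csr" -sha256 -days 365 -extfile "$ext" \
    -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" \
    -CAserial "$ca_dir/ca.srl" -CAcreateserial -out "$out/$name.crt" 2>/dev/null
  rm -f "$ext" "$out/$name.csr"
)

# verify_client_cert CA_DIR CERT: chain must end at ca.crt and allow client auth
verify_client_cert() {
  openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# cert_serial CERT: print the serial number as hex
cert_serial() {
  openssl x509 -serial -noout -in "$1" | sed 's/serial=//'
}

# make_demo_ca DIR: constructed throwaway CA standing in for the real ca.crt/ca.key
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Run with --demo to exercise the functions against the throwaway CA
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_ca "$d"
  issue_client_cert "$d" phone "$d"
  verify_client_cert "$d" "$d/phone.crt" && echo "phone.crt OK, serial $(cert_serial "$d/phone.crt")"
  rm -rf "$d"
fi
```

For real use, point CA_DIR at a working copy of the keys directory that holds ca.crt, ca.key and ca.srl, and copy the updated ca.srl back afterwards so serial numbers are not reused.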

grammy78
OpenVpn Newbie
Posts: 4
Joined: Sun Dec 30, 2012 12:49 pm

Re: Generating client certificates based on existing config.

Post by grammy78 » Sun Jan 06, 2013 11:59 am

Thanks a lot for the info, maikcat.
I will try this out.

regards
