OpenVPN Support Forum

Easy-RSA 3 Windows README

Easy-RSA 3 runs POSIX shell code, so use on Windows has some additional
requirements: an OpenSSL installation, and a usable shell environment.

Contents of this file:
1. OpenSSL
2. shell environment
3. Windows paths
4. Appendix:
4.1: reference links
4.2: license of included components

1. Obtaining OpenSSL for use with Easy-RSA

There are a couple of ways to do this:

(A) If you are using OpenVPN, the easiest solution is to install the OpenSSL
program components and add openvpn to the system PATH; this is offered as an
installation option as part of OpenVPN.

(B) Optionally, install an OpenSSL package, such as from the openssl.org
website (see appendix.) In this case it will be required to do one of the
following:

(1) Add the location of openssl.exe to the system PATH

(2) Define the OPENSSL env-var to reference the full path to openssl.exe

(3) Edit the vars file (copy vars.example as a starting point) as instructed
in the comments

Install OpenSSL on a windows machine

You can use OpenSSL on a Windows machine to to proceed some cryptographic operations (generation of a private key, of a CSR, certificate conversion...).

Access the official website: http://www.openssl.org/
Then download the "binary" program for Windows: > related > Binaries :
http://www.openssl.org/related/binaries.html

For cryptographic standard operations linked to certificates, the "Lite" version is sufficient. For certains versions of Windows (Windows 2000, windows XP...) you will have to install "Visual C++ 2008 Redistributables" as well.
Use OpenSSL on a Windows machine

The standard installation of OpenSSL under Windows is made on "C:\OpenSSL-Win32" and the executable is stored in the sub-repertory "bin". To execute the programm via the Windows xommand Prompt, provide the full path:
>C:\OpenSSL-Win32\bin\openssl ...

The version 1.0 of OpenSSL needs a "openssl.cnf" configuration file. The repertory /usr/local/openssl not being present on Windows machines, precise with the parameter -config a path to this configuration file. We provide standard files on the bottom of this page. For example:
>C:\OpenSSL-Win32\bin\openssl -config "C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf"
If you still encounter the error:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
openssl:Error: '-config' is an invalid command.

Execute the following command first:
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cnf
Concerning the version "OpenSSL v0.9.8t Light", no need for the opens.cnf file, a default configuration will be taken into account.
To get (or renew or reissue) a certificate for Apache under Windows for example, you'll have to generate a CSR and its private key. To do so, we advise the use of our online wizard to execute the OpenSSL command with the adequate parameters.

Issues encountered on Windows while generating a CSR via one command

According to the version of OpenSSL you installed or to the the installation method on Windows, you may encounter error messages such as:

config or req is not recognized as an internal or external command
Check the syntax and the quotes when executing your command.

Unable to load config info from /usr/local/ssl/openssl.cnf
OpenSSL relies here on a Linux default arborescence.
Troubleshooting: execute simplified commands:

Reminder:
- To launch the command prompt, go to the start menu and execute "cmd".
- To paste the following command lines in dos command prompt, right click and select paste.
- To go to the repertory in which is installed OpenSSL, execute:
cd c:\
cd OpenSSL (or cd OpenSSL-Win32)
cd bin

The private key is generated with the following command. Define a file name that suits you:
C:\OpenSSL\bin\openssl.exe genrsa 2048 > site-file.key

then use this command to generate the CSR:
C:\OpenSSL\bin\openssl.exe req -new -key site-file.key > site-file.csr

or this one:
C:\OpenSSL\bin\openssl.exe req -new -key site-file.key -config "C:\OpenSSL\openssl.cnf" -out site-file.csr
On some platforms, the openssl.cnf file that OpenSSL reads by default to create the CSR is not the right one or does not exist. In that case download ours and store it in C:\OpenSSL\openssl.cnf:

For Symantec or Thawte server certificates: openssl-dem-server-cert-thvs.cnf
For TBS X509 or Comodo server certificates: openssl-dem-server-cert.cnf
You'll be asked by the system to fill-in fileds ; Fill them in and respect the instructions (more information on Obtain a server certificate)


Country Name (2 letter code) []: (FR for example)
State or Province Name (full name) [Some-State]: (the name of your state in full letters)
Locality Name (eg, city) []: (the name of your city)
Organization Name (eg, company) []: (the name of your organization)
Organizational Unit Name (eg, section) []: (let blank - advised - or provide a generic term such as "IT department")
Common Name (eg, YOUR name) []: (the name of the site to be secured)
Email Address []: (let blank)

Let the other fields blank, they are optional.
You'll get 2 files: site-file.key and site-file.csr. Keep the private key file safe (site-file.key) and copy/paste the content of the site-file.csr file in the order form.
Warning: Do not ever give us or any other third part the private key file. It would then be compromised and the security of your site would be as well.