Creating 2048 Self-Signed Keys for OpenVPN Access Server

Scripts to manage certificates or generate config files

Moderators: TinCanTech

bmather9
OpenVpn Newbie
Posts: 2
Joined: Sun Aug 25, 2013 5:29 am

Creating 2048 Self-Signed Keys for OpenVPN Access Server

Post by bmather9 » Sun Aug 25, 2013 6:02 am

I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048-bit RSA keys rather than the default 1024.

I've built a new root CA (CA.crt and CA.key) using easy rsa (also tried without using the script).

Then I build and sign server.crt and server.key using the CA root to self-sign the cert.

No matter what I do, when I restart OpenVPN after changing these certificates I get "Invalid Server Certificate" in my web browser when trying to go to the OpenVPN AS admin interface.

I've tried numerous slightly different methods of generating the root CA and server.key + server.crt, and nothing works. I first put the CA, certificate and key all in the ../web-ssl/ folder, and I've also tried uploading the new certs and such using the web browser.

To get back to working self-signed keys (but only 1024 bits), I have to use the scripts at the bottom of this page: http://docs.openvpn.net/how-to-tutorial ... ss-server/

So how do I change the OpenVPN Access Server self-signed server keys to be 2048 bits?

I'd also like to know: when I download a user config file from the Access Server web interface, does that config include a user's key to log in to the server? Or is the actual VPN authentication done with username/password? What is the size of the RSA key in the config file?

I understand that 1024-bit keys are probably secure enough, but I would rather be safer with 2048 for both the web server and the VPN connection.

JoshC
OpenVPN User
Posts: 37
Joined: Sun Jun 23, 2013 3:42 pm

Re: Creating 2048 Self-Signed Keys for OpenVPN Access Server

Post by JoshC » Sun Aug 25, 2013 7:23 pm

bmather9 wrote:
I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048-bit RSA keys rather than the default 1024.
You've posted an "Access Server" question in the community forums; AS is not a community-designed product, and the instructions you reference are maintained and supported by the commercial arm of "OpenVPN Technologies Inc." and not the GPL (open-source) community. If this was AS-specific you might be better off re-posting in the commercial support side of the forums, or contacting support directly.

On the other hand, the Easy-RSA 2 (current official release) development project on github has a recent patch I authored that increases the default key size to 2048 bits, and changes from md5 to sha256 for signature hashing. You can download the Easy-RSA "git master" package as a .zip (or .tar.gz for Unix-alikes) and update the changed files (or perform a full rebuild of openvpn to "get them during install", but this is very non-trivial.)

FWIW, the Easy-RSA 2 batch scripts for Windows are really an afterthought and quite crude. I'm hacking at an updated "Easy-RSA 3" project (here on github,) but it's still in a bit of development flux until it reaches a first stable release; the current beta releases (and mainline development) are subject to change a bit until then. If you'd like to try out my code, feel free. I'll see about getting a forum thread going under the 'Easy-RSA' sub-forum here if you'd like to comment on the code (or start one yourself if you'd like.)

bmather9
OpenVpn Newbie
Posts: 2
Joined: Sun Aug 25, 2013 5:29 am

Re: Creating 2048 Self-Signed Keys for OpenVPN Access Server

Post by bmather9 » Sun Aug 25, 2013 10:18 pm

JoshC wrote:
bmather9 wrote:
I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048-bit RSA keys rather than the default 1024.
You've posted an "Access Server" question in the community forums; AS is not a community-designed product, and the instructions you reference are maintained and supported by the commercial arm of "OpenVPN Technologies Inc." and not the GPL (open-source) community. If this was AS-specific you might be better off re-posting in the commercial support side of the forums, or contacting support directly.

On the other hand, the Easy-RSA 2 (current official release) development project on github has a recent patch I authored that increases the default key size to 2048 bits, and changes from md5 to sha256 for signature hashing. You can download the Easy-RSA "git master" package as a .zip (or .tar.gz for Unix-alikes) and update the changed files (or perform a full rebuild of openvpn to "get them during install", but this is very non-trivial.)

FWIW, the Easy-RSA 2 batch scripts for Windows are really an afterthought and quite crude. I'm hacking at an updated "Easy-RSA 3" project (here on github,) but it's still in a bit of development flux until it reaches a first stable release; the current beta releases (and mainline development) are subject to change a bit until then. If you'd like to try out my code, feel free. I'll see about getting a forum thread going under the 'Easy-RSA' sub-forum here if you'd like to comment on the code (or start one yourself if you'd like.)
Thanks for the info. I was actually able to solve my problem using some scripts that come with the Access Server. For some reason any keys that I create and self-sign don't work with Access Server. I don't believe it is an Easy-RSA problem, but somehow the config doesn't properly work in Access Server. Here are the scripts I used to create 2048-bit keys for the Access Server web server.

cd /usr/local/openvpn_as/scripts && ./certool -d /usr/local/openvpn_as/etc/web-ssl -k 2048 --type ca --unique --cn "OpenVPN Web CA" && ./certool -d /usr/local/openvpn_as/etc/web-ssl -k 2048 --type server --remove_csr --sn_off --serial 1 --name server --cn servername.server.com && ./sacli start

cd /usr/local/openvpn_as/scripts && ./sacli -s 2048 -k cs.priv_key ConfigDel && ./sacli -s 2048 -k cs.ca_bundle ConfigDel && ./sacli -s 2048 -k cs.cert ConfigDel && ./sacli start

My next step will be to attempt changing the actual OpenVPN user keys and certs to 2048 bits (the ones that get passed in the user config files). I assume this is still an Access Server-specific issue; I'll look elsewhere to post questions. I am curious, however: is the free version of Access Server only for trial use? Or would I technically be allowed to use it on my personal home server?

JoshC
OpenVPN User
Posts: 37
Joined: Sun Jun 23, 2013 3:42 pm

Re: Creating 2048 Self-Signed Keys for OpenVPN Access Server

Post by JoshC » Sun Aug 25, 2013 10:26 pm

bmather9 wrote:
I assume this is still an Access Server-specific issue; I'll look elsewhere to post questions.
Yes, please do. "Access Server" questions are off-topic in this forum.
bmather9 wrote:
I am curious, however: is the free version of Access Server only for trial use? Or would I technically be allowed to use it on my personal home server?
Please consult the EULA for the commercial product you are using. I neither use AS, nor am a lawyer able to offer you legal advice about its implications.

What I can tell you is that the GPLv2 OpenVPN product is free for use by anyone as long as its license is respected.
