Creating 2048 Self-Signed Keys for OpenVPN Access Server

I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048-bit RSA keys rather than the default 1024.
I've built a new root CA (CA.crt and CA.key) using Easy-RSA (also tried without using the script).
Then I build and sign server.crt and server.key using the CA root to self-sign the cert.
No matter what I do, when I restart OpenVPN after changing these certificates I get "Invalid Server Certificate" in my web browser when trying to go to the OpenVPN AS admin.
I've tried numerous slightly different methods of generating the root CA and server.key + server.crt and nothing works. I first put the CA, certificate and key all in the ../web-ssl/ folder, and I've also tried uploading the new certs and such using the web browser.
To get back to working self-signed keys (but only 1024 bits), I have to use the scripts at the bottom of this page: http://docs.openvpn.net/how-to-tutorial ... ss-server/
So how do I change the OpenVPN Access Server self-signed server keys to be 2048 bits?
I'd also like to know: when I download a user config file from the Access Server web interface, does that config include the user's key to log in to the server? Or is the actual VPN authentication done with username/password? What is the size of the RSA key in the config file?
I understand that 1024-bit keys are probably secure enough, but I would rather be safer with 2048 for both the web server and the VPN connection.
Re: Creating 2048 Self-Signed Keys for OpenVPN Access Server
> I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048-bit RSA keys rather than the default 1024.

You've posted an "Access Server" question in the community forums; AS is not a community-designed product, and the instructions you reference are maintained and supported by the commercial arm of "OpenVPN Technologies Inc." and not the GPL (open-source) community. If this was AS-specific you might be better off re-posting in the commercial support side of the forums, or contacting support directly.
On the other hand, the Easy-RSA 2 (current official release) development project on github has a recent patch I authored that increases the default key size to 2048 bits, and changes from md5 to sha256 for signature hashing. You can download the Easy-RSA "git master" package as a .zip (or .tar.gz for Unix-alikes) and update the changed files (or perform a full rebuild of openvpn to "get them during install", but this is very non-trivial.)
FWIW, the Easy-RSA 2 batch scripts for Windows are really an afterthought and quite crude. I'm hacking at an updated "Easy-RSA 3" project (here on github,) but it's still in a bit of development flux until it reaches a first stable release; the current beta releases (and mainline development) are subject to change a bit until then. If you'd like to try out my code, feel free. I'll see about getting a forum thread going under the 'Easy-RSA' sub-forum here if you'd like to comment on the code (or start one yourself if you'd like.)
Re: Creating 2048 Self-Signed Keys for OpenVPN Access Server
JoshC wrote:
> > I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048-bit RSA keys rather than the default 1024.
>
> You've posted an "Access Server" question in the community forums; AS is not a community-designed product, and the instructions you reference are maintained and supported by the commercial arm of "OpenVPN Technologies Inc." and not the GPL (open-source) community. If this was AS-specific you might be better off re-posting in the commercial support side of the forums, or contacting support directly.
> On the other hand, the Easy-RSA 2 (current official release) development project on github has a recent patch I authored that increases the default key size to 2048 bits, and changes from md5 to sha256 for signature hashing. You can download the Easy-RSA "git master" package as a .zip (or .tar.gz for Unix-alikes) and update the changed files (or perform a full rebuild of openvpn to "get them during install", but this is very non-trivial.)
> FWIW, the Easy-RSA 2 batch scripts for Windows are really an afterthought and quite crude. I'm hacking at an updated "Easy-RSA 3" project (here on github,) but it's still in a bit of development flux until it reaches a first stable release; the current beta releases (and mainline development) are subject to change a bit until then. If you'd like to try out my code, feel free. I'll see about getting a forum thread going under the 'Easy-RSA' sub-forum here if you'd like to comment on the code (or start one yourself if you'd like.)

Thanks for the info. I was actually able to solve my problem using some scripts that come with the Access Server. For some reason any keys that I create and self-sign don't work with Access Server. I don't believe it is an Easy-RSA problem, but somehow the config doesn't properly work in Access Server. Here are the scripts I used to create 2048-bit keys for the Access Server web server.
# Step 1: create a 2048-bit web CA and a CA-signed web server certificate
# in the web-ssl directory, then restart the services.
cd /usr/local/openvpn_as/scripts && \
  ./certool -d /usr/local/openvpn_as/etc/web-ssl -k 2048 --type ca --unique --cn "OpenVPN Web CA" && \
  ./certool -d /usr/local/openvpn_as/etc/web-ssl -k 2048 --type server --remove_csr --sn_off --serial 1 --name server --cn servername.server.com && \
  ./sacli start

# Step 2: delete the cs.priv_key, cs.ca_bundle and cs.cert entries from the
# configuration database, then restart again.
cd /usr/local/openvpn_as/scripts && \
  ./sacli -s 2048 -k cs.priv_key ConfigDel && \
  ./sacli -s 2048 -k cs.ca_bundle ConfigDel && \
  ./sacli -s 2048 -k cs.cert ConfigDel && \
  ./sacli start
My next step will be to attempt changing the actual OpenVPN user keys and certs to 2048 bits (the ones that get passed in the user config files). I assume this is still an Access Server specific issue; I'll look elsewhere to post questions. I am curious however, is the free version of Access Server only for trial use? Or would I technically be allowed to use it on my personal home server?
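Neither post shows what a correct 2048-bit, SHA-256 setup looks like once it is on disk, or how to confirm that the certool or Easy-RSA output actually has the key size you asked for, and the original question about what travels inside a downloaded user config goes unanswered. The script below is an added example, my own and not the thread's scripts, not certool and not Easy-RSA: it builds a 2048-bit RSA CA and CA-signed server and client certificates with the plain openssl CLI using the 2048-bit/sha256 defaults JoshC's Easy-RSA patch describes, then checks key size, signature algorithm and chain the same way you would check files certool wrote into web-ssl. It goes beyond the thread in two ways: it also issues a 1024-bit certificate so the policy check has a failing case, and it writes a minimal inline client profile to show that a profile carrying `<cert>` and `<key>` contains the client's certificate and private key. Only the openssl CLI is assumed; every path, file name, CN and the vpn.example.invalid host are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a 2048-bit RSA CA and CA-signed
# server/client certificates with SHA-256, then inspect what came out.
# Only the openssl CLI is assumed; every path, name and CN below is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: 2048-bit RSA key, sha256 signature, no passphrase.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "/CN=Example Web CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Entity key + CSR, signed by the CA with sha256.
#   $1 = file basename, $2 = CN, $3 = serial (unique per CA), $4 = RSA bits
make_signed_cert() {
    openssl req -new -newkey "rsa:$4" -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial "$3" \
        -sha256 -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# RSA modulus size (bits) of the certificate's public key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Signature hash + algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# "ok" when the certificate chains to our CA, "fail" otherwise.
verify_chain() {
    if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Policy check: succeed only for >= 2048-bit keys signed with SHA-256.
cert_meets_policy() {
    [ "$(cert_key_bits "$1")" -ge 2048 ] &&
        [ "$(cert_sig_alg "$1")" = sha256WithRSAEncryption ]
}

# Minimal inline profile (constructed): the client's certificate and private
# key travel inside it, so whoever holds the file holds that identity.
write_profile() {
    {
        echo "client"
        echo "remote vpn.example.invalid 1194"
        echo "<ca>";   cat "$WORK/ca.crt";     echo "</ca>"
        echo "<cert>"; cat "$WORK/client.crt"; echo "</cert>"
        echo "<key>";  cat "$WORK/client.key"; echo "</key>"
    } > "$WORK/client.ovpn"
}

# Pull the <cert> block back out of the profile and report its key size.
profile_cert_bits() {
    awk '/<\/cert>/{f=0} f{print} /<cert>/{f=1}' "$WORK/client.ovpn" \
        > "$WORK/from_profile.crt"
    cert_key_bits "$WORK/from_profile.crt"
}

make_ca
make_signed_cert server servername.example.invalid 1 2048
make_signed_cert client user1 2 2048
make_signed_cert legacy user-old 3 1024   # what a 1024-bit default produces
write_profile

for c in server client legacy; do
    printf '%s: %s bits, %s, chain %s\n' "$c" \
        "$(cert_key_bits "$WORK/$c.crt")" "$(cert_sig_alg "$WORK/$c.crt")" \
        "$(verify_chain "$WORK/$c.crt")"
done
printf 'cert inside client.ovpn: %s bits\n' "$(profile_cert_bits)"
```

The same cert_key_bits and cert_sig_alg checks can be pointed at the server certificate certool wrote into /usr/local/openvpn_as/etc/web-ssl to confirm the web certificate really is 2048-bit and sha256-signed, and at the `<cert>` block of a downloaded user profile to answer the key-size question from the first post. The 1024-bit "legacy" certificate chains to the CA just as well as the others; only the explicit policy check rejects it, which is why key size has to be verified rather than assumed from the tool's defaults.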
Re: Creating 2048 Self-Signed Keys for OpenVPN Access Server
> I assume this is still an Access Server specific issue; I'll look elsewhere to post questions.

Yes, please do. "Access Server" questions are off-topic in this forum.

> I am curious however, is the free version of Access Server only for trial use? Or would I technically be allowed to use it on my personal home server?

Please consult the EULA for the commercial product you are using. I neither use AS, nor am I a lawyer able to offer you legal advice about its implications.
What I can tell you is that the GPLv2 OpenVPN product is free for use by anyone as long as its license is respected.