OpenVPN Support Forum

I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048 rsa keys rather than the default 1024.

I've built a new root CA (CA.crt and CA.key) using easy rsa (also tried without using the script).

Then I build and sign server.crt and server.key using the CA root to self-sign the cert.

No matter what I do when I restart OpenVPN after changing these certificates, I get "Invalid Server Certificate" in my web browser when trying to go to the admin OpenVP_AS.

I've tried numerous slightly different methods of generating these root CA and server.key + server.crt and nothing works. I first put the CA, certificate and key all in the ../web-ssl/ folder and I've also tried uploading the new certs and such using the web browser.

To get back to working self-signed keys (but only 1024 bits), I have the use the scripts at the bottom of this page: http://docs.openvpn.net/how-to-tutorial ... ss-server/

So how do i change OpenVPN access self-signed server keys to be 2048 bits?

I'd also like to know, when I download a user config files from the access server web interface, does that config include a user's key to login to the server? Or is the actual VPN authentication done with username/password? What is the size of the rsa key in the config file?

I understand that 1024 keys are probably secure enough, but would rather be safer with 2048 for both the web server and the VPN connection.

I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048 rsa keys rather than the default 1024.

You've posted an "Access Server" question in the community forums; AS is not a community-designed product, and the instructions you reference are maintained and supported by the commercial arm of "OpenVPN Technologies Inc." and not the GPL (open-source) community. If this was AS-specific you might be better off re-posting in the commercial support side of the forums, or contacting support directly.

On the other hand, the Easy-RSA 2 (current official release) development project on github has recent patch I authored that increases the default key size to 2048 bits, and changes from md5 to sha256 for signature hashing. You can download the Easy-RSA "git master" package as a .zip (or .tar.gz for Unix-alikes) and update the changed files (or perform a full rebuild of openvpn to "get them during install", but this is very non-trivial.)

FWIW, the Easy-RSA 2 batch scripts for Windows are really an after-thought and quite crude. I'm hacking at an updated "Easy-RSA 3" project (here on github,) but it's still in a bit of development flux until it reaches a first stable release; the current beta releases (and mainline development) is subject to change a bit until then. If you'd like to try out my code, feel free. I'll see about getting a forum thread going under the 'Easy-RSA' sub-forum here if you'd like to comment on the code (or start one yourself if you'd like.)

JoshC wrote:

I'm new to using keys and certificates, so I may be missing something crucial. What I'd like to do is use 2048 rsa keys rather than the default 1024.

You've posted an "Access Server" question in the community forums; AS is not a community-designed product, and the instructions you reference are maintained and supported by the commercial arm of "OpenVPN Technologies Inc." and not the GPL (open-source) community. If this was AS-specific you might be better off re-posting in the commercial support side of the forums, or contacting support directly.

On the other hand, the Easy-RSA 2 (current official release) development project on github has recent patch I authored that increases the default key size to 2048 bits, and changes from md5 to sha256 for signature hashing. You can download the Easy-RSA "git master" package as a .zip (or .tar.gz for Unix-alikes) and update the changed files (or perform a full rebuild of openvpn to "get them during install", but this is very non-trivial.)

FWIW, the Easy-RSA 2 batch scripts for Windows are really an after-thought and quite crude. I'm hacking at an updated "Easy-RSA 3" project (here on github,) but it's still in a bit of development flux until it reaches a first stable release; the current beta releases (and mainline development) is subject to change a bit until then. If you'd like to try out my code, feel free. I'll see about getting a forum thread going under the 'Easy-RSA' sub-forum here if you'd like to comment on the code (or start one yourself if you'd like.)

Thanks for the info, I was actually able to solve my problem using some scripts that come with the access server. For some reason any keys that I create and self-sign don't work with access server. I don't believe it is an Easy RSA problem, but somehow the config doesn't properly work in Access Server. Here are the scripts I used to create 2048 bit keys for the access web-server.

cd /usr/local/openvpn_as/scripts && ./certool -d /usr/local/openvpn_as/etc/web-ssl -k 2048 --type ca --unique --cn “OpenVPN Web CA” && ./certool -d /usr/local/openvpn_as/etc/web-ssl -k 2048 --type server --remove_csr --sn_off --serial 1 --name server --cn servername.server.com && ./sacli start

cd /usr/local/openvpn_as/scripts && ./sacli -s 2048 -k cs.priv_key ConfigDel && ./sacli -s 2048 -k cs.ca_bundle ConfigDel && ./sacli -s 2048 -k cs.cert ConfigDel && ./sacli start

My next step will be to attempt changing the actual OpenVPN user keys and certs to 2048 bits (the ones that get passed in the user config files). I assume this is still an access server specific issue, I'll look elsewhere to post questions. I am curious however, is the free version of access server only for trial use? Or would I technically be allowed to use it on my personal home server?

I assume this is still an access server specific issue, I'll look elsewhere to post questions.

Yes, please do. "Access Server" questions are off-topic in this forum.

I am curious however, is the free version of access server only for trial use? Or would I technically be allowed to use it on my personal home server?

Please consult the EULA for the commercial product you are using. I neither use AS, nor am a lawyer able to offer you legal advice about its implications.

What I can tell you is that the GPLv2 OpenVPN product is free for use by anyone as long as its license is respected.