[EasyRSA 3] help generating certificates & keys clients
Posted: Sun Jan 24, 2016 3:40 pm
Hello, I'm setting up a VPN server on a Win10 host.
In the past, I had always followed these instructions: https://openvpn.net/index.php/open-sour ... ml#install
But now it seems I can't do server+clients certificates generation on the same machine, e.g. with command build-key client1?
I find this process more tricky!
The end-user (client) is supposed to just receive the necessary files and connect to my server (without having to start shells on its system to create req files). How can this be done now?
Thanks!
1. Choose a system to act as your CA and create a new PKI and CA:
    ./easyrsa init-pki
    ./easyrsa build-ca
2. On the system that is requesting a certificate, init its own PKI and generate a keypair/request. Note that the init-pki is used only when this is done on a separate system (or at least a separate PKI dir.) This is the recommended procedure. If you are not using this recommended procedure, skip the next import-req step as well.
    ./easyrsa init-pki
    ./easyrsa gen-req EntityName
3. Transport the request (.req file) to the CA system and import it. The name given here is arbitrary and only used to name the request file.
    ./easyrsa import-req /tmp/path/to/import.req EntityName
4. Sign the request as the correct type. This example uses a client type:
    ./easyrsa sign-req client EntityName
5. Transport the newly signed certificate to the requesting entity. This entity may also need the CA cert (ca.crt) unless it had a prior copy.
The entity now has its own keypair, and signed cert, and the CA.

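Added example (not part of the original post or of the EasyRSA documentation): steps 1-5 mirrored with plain openssl commands instead of easyrsa, using two directories on one machine, so it is visible which files cross between the requester and the CA. The names "Demo CA" and "client1", the directory layout and the extension file are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: steps 1-5 above, mirrored with plain openssl in two directories.
# "Demo CA", "client1" and the directory layout are constructed for this demo.
set -eu

demo_split_pki() {
    work=$(mktemp -d); ca="$work/ca"; client="$work/client"
    mkdir "$ca" "$client"

    # Step 1 (CA system): CA private key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo CA" \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null

    # Step 2 (requesting system): keypair and request. The key is created here.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$client/client1.key" -out "$client/client1.req" 2>/dev/null

    # Step 3: only the request (name + public key) is copied to the CA.
    cp "$client/client1.req" "$ca/client1.req"

    # Step 4 (CA system): sign it as a client certificate.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$ca/client.ext"
    openssl x509 -req -in "$ca/client1.req" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -days 365 -extfile "$ca/client.ext" \
        -out "$ca/client1.crt" 2>/dev/null

    # Step 5: the signed certificate and ca.crt go back to the requester.
    cp "$ca/client1.crt" "$ca/ca.crt" "$client/"

    # Checks on the result: chain, certificate type, key match, key location.
    chain=failed; server_use=accepted; key_match=no; key_on_ca=yes
    if openssl verify -purpose sslclient -CAfile "$client/ca.crt" \
        "$client/client1.crt" >/dev/null 2>&1; then chain=ok; fi
    if ! openssl verify -purpose sslserver -CAfile "$client/ca.crt" \
        "$client/client1.crt" >/dev/null 2>&1; then server_use=rejected; fi
    if [ "$(openssl x509 -in "$client/client1.crt" -noout -pubkey)" = \
         "$(openssl pkey -in "$client/client1.key" -pubout)" ]; then key_match=yes; fi
    if [ ! -e "$ca/client1.key" ]; then key_on_ca=no; fi
    rm -rf "$work"
    echo "chain=$chain server_use=$server_use key_match=$key_match key_on_ca=$key_on_ca"
}

demo_split_pki
```

The last check is the reason the split is the recommended procedure: the client's private key is never present in the CA directory. If the key and request are generated on the CA machine instead, the CA operator holds a copy of every client key and has to deliver it over a protected channel.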