Page 1 of 1
[EasyRSA 3] help generating certificates & keys clients
Posted: Sun Jan 24, 2016 3:40 pm
by xlepws
Hello, I'm setting up a VPN server on a Win10 host.
In the past, I had always followed these instructions:
https://openvpn.net/index.php/open-sour ... ml#install
But now it seems I can't do server+clients certificates generation on the same machine, e.g. with command
build-key client1?
Code: Select all
1. Choose a system to act as your CA and create a new PKI and CA:
./easyrsa init-pki
./easyrsa build-ca
2. On the system that is requesting a certificate, init its own PKI and generate a keypair/request. Note that the init-pki is used only when this is done on a separate system (or at least a separate PKI dir.) This is the recommended procedure. If you are not using this recommended procedure, skip the next import-req step as well.
./easyrsa init-pki
./easyrsa gen-req EntityName
3. Transport the request (.req file) to the CA system and import it. The name given here is arbitrary and only used to name the request file.
./easyrsa import-req /tmp/path/to/import.req EntityName
4. Sign the request as the correct type. This example uses a client type:
./easyrsa sign-req client EntityName
5. Transport the newly signed certificate to the requesting entity. This entity may also need the CA cert (ca.crt) unless it had a prior copy.
The entity now has its own keypair, and signed cert, and the CA.
I find this process more tricky!
The end-user (client) is supposed to just receive the necessary files and connect to my server (without having to start shells on its system to create req files)..how can this be done now?
Thanks!
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Sun Jan 24, 2016 4:12 pm
by xlepws
silly me
using the
Code: Select all
./easyrsa build-client-full server
and
Code: Select all
./easyrsa build-client-full client_1
...
./easyrsa build-client-full client_n
did the trick
But I could not find a single place on the internet where a Win OpenVPN server installation using EasyRSA3 is explained from the beginning to the end
..do you know of any such resource?
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Tue Feb 23, 2016 4:30 pm
by wamiduku
Where did you find the doc for "build-client-full" and "build-server-full"? I've searched all doc files, but I can't find any mention of either.
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Tue Feb 23, 2016 5:43 pm
by Traffic
Those scripts are part of EasyRSA v3x ..
topic19629.html
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Wed Feb 24, 2016 1:24 am
by wamiduku
Actually they're not scripts, but arguments to the "easy_rsa" script. I've searched everything in
https://github.com/OpenVPN/easy-rsa/tree/master/doc, but I can't find any mention of them.
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Wed Feb 24, 2016 1:54 am
by Traffic
wamiduku wrote:Actually they're not scripts, but arguments
If you want to
split hairs .. this would be the right place ..
Just download EasyRSA3xx and get on with it .. start with the README and read vars.
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Wed Feb 24, 2016 2:38 am
by wamiduku
So, I won't need to use build-xxx-full arguments then, since the they're not used in the readme? It seems that the OP needed them for some reason.
I find the EasyRSA section in
https://openvpn.net/index.php/open-sour ... html#quick much more complete than the new readme, but unfortunately that link is for an older version.
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Wed Feb 24, 2016 2:47 am
by wamiduku
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Mon Mar 14, 2016 8:53 pm
by xlepws
wamiduku wrote:Where did you find the doc for "build-client-full" and "build-server-full"? I've searched all doc files, but I can't find any mention of either.
I just run
./easyrsa at the command prompt in the EasyRSA 3 Shell, I saw those commands in the list shown
Re: [EasyRSA 3] help generating certificates & keys clients
Posted: Tue Mar 15, 2016 1:27 am
by xlepws
of corse here
xlepws wrote:using the
Code: Select all
./easyrsa build-client-full server
there's a mistake, it should be
./easyrsa build-server-full server