Migrating easy-rsa, from v2 to v3
Posted: Wed Mar 30, 2016 3:37 pm
by mbitsa12
I'm currently managing a CA using easy-rsa v2.2.0 but I would like to migrate the actual 'keys' dir content to a new system running easy-rsa v3.
Can that be achieved? Thank you for any advice.
Re: Migrating easy-rsa, from v2 to v3
Posted: Wed Mar 30, 2016 5:25 pm
by Traffic
The CA/cert/key files are all compatible but the "database" (text files) will probably cause many issues.
Whatever you do, make sure you have a backup!
Personally, I started a new PKI with Easyrsa-v3 ..
I presume you have read this:
topic19629.html
Re: Migrating easy-rsa, from v2 to v3
Posted: Thu Mar 31, 2016 8:49 am
by mbitsa12
The original need stems from a move from OpenBSD 5.8 to 5.9. In fact OpenBSD 5.9 packages EasyRSA as v3.
I see the problems, however, recreating a whole set of certificates from scratch sounds unreasonable, just because of a version upgrade, IMHO.
Re: Migrating easy-rsa, from v2 to v3
Posted: Thu Mar 31, 2016 10:45 am
by Traffic
Easyrsa 2x is still available here .. you do not have to upgrade.
Although there is no official upgrade path, a quick test proves that it is possible to transpose your v2 PKI to a v3 structure without pain .. which is a pleasant surprise !
Re: Migrating easy-rsa, from v2 to v3
Posted: Fri Aug 30, 2019 2:02 pm
by jaileleu
Hello, I am answering this old thread to give the method I followed to do the migration, as here is where I ended up when I looked for some info on how to migrate.
I just tried it on my server and everything seems to work fine (I replaced my former client certificate with a newly generated one without touching the server conf and it worked).
So here are the steps:
- be sure to have installed easyrsa 3

- create a new my_ca folder
Code:
# as root
$ cd /home/openvpn/my_ca
$ cd ..
$ mv my_ca my_ca_v2
$ make-cadir my_ca_v3
- instantiate the v3 files normally to see where the files should go
Code:
# as root
$ cd /home/openvpn/my_ca_v3
$ vi vars
# copy the values from my_ca_v2/vars needed, like your organisation description
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-dh
$ ./easyrsa build-server-full dummy_server
$ find .
- copy all generated files from my_ca_v2
Code:
# as root
$ cd /home/openvpn/my_ca_v3/pki
$ old=/home/openvpn/my_ca_v2/keys
$ cp $old/*crt ./issued/
$ cp $old/*key ./private/
$ cp $old/ca.crt ./ca.crt
$ cp $old/*csr ./reqs/
$ cp $old/??.pem certs_by_serial/
# all my pem files were following a 01 02 03 series
$ cp $old/dh2048.pem ./dh.pem
$ cp $old/index.txt ./index.txt
- generate new client certificate
Code:
# as root
$ cd /home/openvpn/my_ca_v3
$ ./easyrsa build-client-full jai_2 nopass
$ cd pki
$ mkdir -p /tmp/jai_2/
$ cp ./issued/jai_2.crt ./private/jai_2.key ./reqs/jai_2.req /tmp/jai_2/
# then normal scp and configuration of my client
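
A consistency check for the copied files against index.txt, the "database" text file mentioned earlier in the thread. This is an added example, not part of the original post or of easy-rsa; the function names `index_records` and `check_pki` are hypothetical, and it assumes certificate files are named after their CN.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a migrated pki/ directory
# against index.txt, the OpenSSL CA database. One tab-separated record per
# line: status, expiry, revocation date, serial, filename, subject DN.

# Print "status serial CN" for each record of the index file given as $1.
index_records() {
    awk -F'\t' 'NF >= 6 {
        cn = ""
        n = split($6, rdn, "/")
        for (i = 1; i <= n; i++)
            if (rdn[i] ~ /^CN=/) cn = substr(rdn[i], 4)
        print $1, $4, cn
    }' "$1"
}

# List inconsistencies found in the PKI directory $1, one per line.
# Assumption: certificates are named after their CN, as easy-rsa v2 does.
check_pki() {
    pki=$1
    # Each record needs its serial copy; each valid (V) record needs a
    # certificate in issued/.
    index_records "$pki/index.txt" | while read -r st serial cn; do
        [ -f "$pki/certs_by_serial/$serial.pem" ] ||
            echo "missing certs_by_serial/$serial.pem ($cn)"
        if [ "$st" = V ] && [ ! -f "$pki/issued/$cn.crt" ]; then
            echo "missing issued/$cn.crt (serial $serial)"
        fi
    done
    # Certificates in issued/ that the database has no record of.
    for crt in "$pki"/issued/*.crt; do
        [ -f "$crt" ] || continue
        name=$(basename "$crt" .crt)
        index_records "$pki/index.txt" | cut -d' ' -f3- |
            grep -Fx -- "$name" >/dev/null ||
            echo "not in index.txt: issued/$name.crt"
    done
}

# Usage: sh check_pki.sh /home/openvpn/my_ca_v3/pki
if [ "$#" -gt 0 ]; then
    check_pki "$1"
fi
```

Run after the copy step, it lists any index.txt record whose serial file or certificate is missing, and any file in issued/ that has no record in index.txt.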
Re: Migrating easy-rsa, from v2 to v3
Posted: Thu Jan 27, 2022 1:21 am
by vazhnov