Client Certificate generation

Posted: Thu May 27, 2021 8:26 pm
by Bigjohn
Hi everyone.
I'm learning, so please be kind... hard to teach old dogs new tricks.
I set up OpenVPN on my Tomato router so that I can reach my house to support the family while traveling. I have one client certificate, and it works fine. FYI, I followed this guide: https://learntomato.flashrouters.com/se ... rtificate/

Now I need to get a second client connected, and reading through the instructions I don't see a clearly delineated "create another client" process. Just hoping that someone here might be kind enough to help me learn the exact steps I have to take to get a new laptop to connect using a separate cert, so they can both be used at the same time.

Very many thanks in advance! Here's to learning something new every day!
John

Re: Client Certificate generation

Posted: Thu May 27, 2021 8:45 pm
by TinCanTech
Type: build-key client-bob

You may like to try https://github.com/OpenVPN/easy-rsa

Re: Client Certificate generation

Posted: Fri May 28, 2021 1:44 pm
by Bigjohn
TinCanTech wrote:
Thu May 27, 2021 8:45 pm
Type: build-key client-bob

You may like to try https://github.com/OpenVPN/easy-rsa
So with OpenVPN installed on my first PC - from the instructions on the site in my original post - I did this step, and installed it on the router:
"The ‘build-ca’ command will output two very important files; a CA certificate and key"

So with that installed on the router, and the CA key on my OpenVPN installation, can I just follow the "create client" steps and have a key that will work? That's what I'm not certain of. All my 'certificate' knowledge to date has been around the creation of stuff for webservers so I can purchase certificates...

Thanks!
John

Re: Client Certificate generation

Posted: Wed Jun 02, 2021 7:16 pm
by Bigjohn
Any help guys? Thanks much in advance...

Re: Client Certificate generation

Posted: Wed Jun 02, 2021 7:37 pm
by TinCanTech
If you need help understanding tomato then ask tomato.

If you need help with easy-rsa then I already gave you the link.

Re: Client Certificate generation

Posted: Thu Jun 10, 2021 7:09 pm
by Bigjohn
Hi TinCanTech!
I think I have the Tomato bits down; I have one client connecting to the router now.
My question is around creating additional certificates that the server will allow to connect.

Thanks!

Re: Client Certificate generation

Posted: Wed Jun 16, 2021 12:33 pm
by Bigjohn
So my question is do I need to install something on the server for each client? or is the CA cert that I installed, and have on my primary PC, used when I run the client create to create a certificate that will automatically be recognized?
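
To show what the question above comes down to, here is an added example (not from any poster in this thread) that re-creates with plain openssl what Easy-RSA's build-ca / gen-req / sign-req do. The CA, the client names and the scratch directory are all constructed for the demo; on the real router the CA is the ca.crt/ca.key pair the original guide produced.

```sh
#!/bin/sh
# Added example, not from the thread: re-create with plain openssl what Easy-RSA's
# build-ca / gen-req / sign-req do, to show that a second client needs nothing on
# the server: the router only checks that the cert chains to the CA it already has.
set -eu
WORK=$(mktemp -d)   # scratch directory; every key and cert here is constructed

# Stand-in for the existing CA (on the router: the ca.crt/ca.key that build-ca made).
make_ca() {  # $1 = CA basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# One client = its own key + CSR, signed by the CA key. Give each client a distinct
# CN: OpenVPN allows only one live session per CN unless duplicate-cn is set.
issue_client() {  # $1 = client name, $2 = signing CA basename
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# The check the server performs at connect time: does the presented cert chain to ca.crt?
server_accepts() {  # $1 = client name; prints accept or reject
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

demo() {
  make_ca ca
  issue_client client-alice ca     # the laptop that already works
  issue_client client-bob ca       # the new laptop: same CA, so no change on the router
  make_ca other                    # an unrelated CA, e.g. a freshly run build-ca
  issue_client client-other other  # signed by the wrong CA: the router rejects it
  echo "$(server_accepts client-alice) $(server_accepts client-bob) $(server_accepts client-other)"
}
```

Easy-RSA's build-client-full also adds keyUsage/extendedKeyUsage extensions that OpenVPN's remote-cert-tls check looks for; this stripped-down version omits them. Anyone holding ca.key can mint certificates the router accepts, so that key is the one file to keep off the router and backed up carefully.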

Re: Client Certificate generation

Posted: Thu Jun 17, 2021 11:18 am
by TinCanTech

Re: Client Certificate generation

Posted: Tue Aug 10, 2021 4:11 pm
by Bigjohn
Hi Guys -
I'm back...
I updated to easy-rsa3.

Is there a step-by-step document to migrate my existing CA and all that (existing easy-rsa 2 PKI) into the new PKI so I don't have to generate a new server cert and DH? I would have thought this would be in the upgrade notes, but no luck for me there :)

John

Re: Client Certificate generation

Posted: Tue Aug 10, 2021 4:23 pm
by TinCanTech
Did you read the help ... ?

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 4:40 pm
by Bigjohn
TinCanTech wrote:
Tue Aug 10, 2021 4:23 pm
Did you read the help ... ?
Thanks I did - but I did not see "how to upgrade your old PKI"

Which is odd as hell.

You'd think that's on the first page.

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 4:48 pm
by TinCanTech
Which version of Easy-RSA do you have? 3.0.?

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 5:04 pm
by Bigjohn
Started with 2.0 - which has just a folder for certs, no "PKI directory structure"
Now I have 3.0, and I understand the steps to go from zero to 60 there... but I don't want to recreate the CA or the server certificates / DH params if I don't have to.
Thanks!!

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 5:25 pm
by TinCanTech
Please read the question again ..
TinCanTech wrote:
Wed Aug 11, 2021 4:48 pm
3.0.?

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 6:51 pm
by Bigjohn
Easy-RSA 3 ChangeLog

3.0.8 (2020-09-09)
* Provide --version option (#372)
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning (#373)
* Fixed issue with ED/EC certificates were still signed by RSA (#374)
* Added support for export-p8 (#339)
* Clarified error message (#384)
* 2->3 upgrade now errors and prints message when vars isn't found (#377)

The above is from the changelog - so 3.0.8 is the current version of Easy-RSA.
Previously it was 2.x which had no "PKI" directory structure.

Trying to figure out how to upgrade without creating new certs for server/dh params, etc.

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 7:00 pm
by 300000
If you can copy the CA crt and CA key from the Tomato router to your PC, I can help you create a new client from the old CA, so you can use the old CA and everything. We will use a Windows app to create it, so there is no need to use easy-rsa at all. We need the old CA key to sign the new client certificate. That is all we need to make it work. Using Windows will be faster and quick to learn. Forget about easy-rsa.

One thing for sure: why do commercial apps make it very fast to add a new client, but free ones make it hard to use? That is why you can see no true help at all for your questions, or it only drives you into more trouble.

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 7:21 pm
by TinCanTech
Bigjohn wrote:
Wed Aug 11, 2021 6:51 pm
Easy-RSA 3 ChangeLog

3.0.8 (2020-09-09)
So: 3.0.8

tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa 

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

  init-pki
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <filename_base> [ cmd-opts ]
  sign-req <type> <filename_base>
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  revoke <filename_base> [cmd-opts]
  renew <filename_base> [cmd-opts]
  build-serverClient-full <filename_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  import-req <request_file_path> <short_basename>
  export-p7 <filename_base> [ cmd-opts ]
  export-p8 <filename_base> [ cmd-opts ]
  export-p12 <filename_base> [ cmd-opts ]
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]
  upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: /home/tct/easy-rsa/EasyRSA-3.0.8
      PKI: /home/tct/easy-rsa/EasyRSA-3.0.8/pki
:roll: upgrade <type>

tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa help upgrade

  upgrade <type>
      Upgrade EasyRSA PKI and/or CA. <type> must be one of:
        pki - Upgrade EasyRSA v2.x PKI to EasyRSA v3.x PKI (includes CA below)
        ca  - Upgrade EasyRSA v3.0.5 CA or older to EasyRSA v3.0.6 CA or later.
It takes a backup and runs a simulation before making any changes. And if anything goes wrong then it does a roll-back.

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 7:31 pm
by TinCanTech
In your current directory, where the Easy-RSA 2 scripts live and the 'keys' subdirectory, unzip the easyrsa3 install file here.

Or, copy your easyrsa-2 PKI into your easyrsa-3 folder.

Re: Client Certificate generation

Posted: Wed Aug 11, 2021 11:42 pm
by Bigjohn
300000 wrote:
Wed Aug 11, 2021 7:00 pm
If you can copy the CA crt and CA key from the Tomato router to your PC, I can help you create a new client from the old CA, so you can use the old CA and everything. We will use a Windows app to create it, so there is no need to use easy-rsa at all. We need the old CA key to sign the new client certificate. That is all we need to make it work. Using Windows will be faster and quick to learn. Forget about easy-rsa.

One thing for sure: why do commercial apps make it very fast to add a new client, but free ones make it hard to use? That is why you can see no true help at all for your questions, or it only drives you into more trouble.
I kept a copy of the CA cert and Key on this machine.
Thank you for your assistance!

John

Re: Client Certificate generation

Posted: Thu Aug 12, 2021 2:46 pm
by Bigjohn
TinCanTech wrote:
Wed Aug 11, 2021 7:31 pm
In your current directory, where the Easy-RSA 2 scripts live and the 'keys' subdirectory, unzip the easyrsa3 install file here.

Or, copy your easyrsa-2 PKI into your easyrsa-3 folder.
When I upgraded OpenVPN it did just that - put EasyRSA3 into the default Easy-RSA folder.
It removed all the scripts for easyrsa2, but did not disturb the keys directory.

Thanks