
Lost original easy-rsa folder. How to create more client keys?

Posted: Mon Oct 17, 2022 10:05 pm
by rocketman11
Someone misplaced or deleted the original easy-rsa folder that was used to generate certificates and keys for clients. Luckily I have the ca.crt and ca.key.

I don't know how to proceed to build the client keys now. There are already hundreds of clients deployed and if I generate new CA and CA key, it would be a problem. I want to generate client keys with existing ca.crt and ca.key using easy-rsa. Any suggestions?

More details here but no solution yet: https://serverfault.com/questions/11131 ... ave-ca-crt

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Mon Oct 17, 2022 11:31 pm
by TinCanTech
I assume that you have no backup ..

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Mon Oct 17, 2022 11:50 pm
by rocketman11
Backup of easy-rsa folder? No, I don't have that. I have a backup of the original ca.crt that was built and the ca.key that was used to sign csr and keys. I don’t have the easy-rsa folder itself.

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 10:59 am
by TinCanTech
Then you have destroyed your PKI.

Fixing this is way beyond the scope of EasyRSA.

If you are determined to pursue your current approach then you can contact me privately for support. Fees will apply.

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 12:50 pm
by rocketman11
I am sorry, I am not paying strangers.

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 2:03 pm
by TinCanTech
With hundreds of clients, as you claim, if you understood the scale of your error, you would probably choose to get to know me.

But it's your job, you fix it however you see fit.

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 2:14 pm
by rocketman11
Wow. What kind of rules are enforced here on this forum? People asking money for help. There are so many security implications for paying and sharing private information. If anyone has any solutions please post. No soliciting for money please.

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 3:45 pm
by TinCanTech
You are the victim of your own incompetence.

You provide a paid service to your clients.
You do not have a backup.
Your server is not in a secure location.

Why should anybody help you for free?

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 3:53 pm
by rocketman11
Because stackoverflow and this forum are not paid ones. People volunteer. I am not asking you for help. If anyone wants to volunteer then please do so. Why are you even posting here?

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 4:31 pm
by TinCanTech
If your question was regarding using EasyRSA then I would help.

But your question is about how to recover from a disaster.

I can help ..

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 4:48 pm
by TinCanTech
I have already freely given enough of my time to Easy-RSA: https://github.com/OpenVPN/easy-rsa/graphs/contributors

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 7:18 pm
by openvpn_inc
Hello rocketman11,

It is of course a shame that the most important part of your setup was not backed up. I don't want to be the guy to rub it in - you've already received enough of that, it looks like. A lesson for the future, I guess.

If you have lost your Easy-RSA folder, your PKI is indeed pretty much wiped out. However, in theory, if you have the CA key and the CA cert, you should be able to rebuild it. But it'll be a manual process. To be honest, I am not aware of a guide that explains how to do that, as it's generally accepted that you should keep that directory safe as it's the basis of your entire trust structure in the OpenVPN solution, so there wasn't much need to create such a guide.

Personally I do not have a lot of experience with Easy-RSA, but I would imagine that if I were to try to recover from this, I would try to follow these steps - not saying these are correct, but just saying that's what I would try:

- Reference the Easy-RSA documentation on how the structure works
- Set up a new PKI with Easy-RSA
- Put the old CA key and CA cert in there
- Edit: I previously wrote to edit serial with the last generated cert serial number, but it was pointed out to me that this is randomized now so no worries there apparently
- Try to create a CSR and try signing a new client cert

Ultimately, the CA is used to sign CSR for server and client certificates, and so if you use that same CA, it should work to sign new client certificates.

On a sidenote, I think tincantech has been banned for his behavior. I apologize for any inconvenience, it is after all a public forum run by the community.

Best of luck to you,
Johan

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Oct 18, 2022 8:39 pm
by rocketman11
TinCanTech wrote:
Tue Oct 18, 2022 4:48 pm
> I have already freely given enough of my time to Easy-RSA: https://github.com/OpenVPN/easy-rsa/graphs/contributors

I really don’t care. Asking for money on this forum shouldn’t be allowed.

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Nov 15, 2022 5:32 pm
by rocketman11
openvpn_inc wrote:
Tue Oct 18, 2022 7:18 pm
> Hello rocketman11,
>
> It is of course a shame that the most important part of your setup was not backed up. I don't want to be the guy to rub it in - you've already received enough of that, it looks like. A lesson for the future, I guess.
>
> If you have lost your Easy-RSA folder, your PKI is indeed pretty much wiped out. However, in theory, if you have the CA key and the CA cert, you should be able to rebuild it. But it'll be a manual process. To be honest, I am not aware of a guide that explains how to do that, as it's generally accepted that you should keep that directory safe as it's the basis of your entire trust structure in the OpenVPN solution, so there wasn't much need to create such a guide.
>
> Personally I do not have a lot of experience with Easy-RSA, but I would imagine that if I were to try to recover from this, I would try to follow these steps - not saying these are correct, but just saying that's what I would try:
>
> - Reference the Easy-RSA documentation on how the structure works
> - Set up a new PKI with Easy-RSA
> - Put the old CA key and CA cert in there
> - Edit: I previously wrote to edit serial with the last generated cert serial number, but it was pointed out to me that this is randomized now so no worries there apparently
> - Try to create a CSR and try signing a new client cert
>
> Ultimately, the CA is used to sign CSR for server and client certificates, and so if you use that same CA, it should work to sign new client certificates.
>
> On a sidenote, I think tincantech has been banned for his behavior. I apologize for any inconvenience, it is after all a public forum run by the community.
>
> Best of luck to you,
> Johan

Thanks, that solved my problem. Used Easy-rsa, init-pki, replaced the new ca.crt and ca.key with the old ones and then build-full server and client.
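
An added example, not part of the thread and not Easy-RSA's own code: Johan's closing point, that a CSR signed with the same CA key yields a certificate that still chains to the old ca.crt, shown with plain openssl instead of Easy-RSA. The demo CA, the client name client-new and all paths are constructed; the script first checks that ca.key really belongs to ca.crt, then signs with a random serial.

```shell
#!/usr/bin/env bash
# Added illustration: sign a new client certificate with a recovered ca.crt/ca.key
# using plain openssl. All names and paths here are constructed for the demo.

# Succeeds only if the private key and the certificate carry the same public key.
ca_pair_matches() {    # $1 = ca.crt, $2 = ca.key
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Creates key + CSR for a client, signs the CSR with the CA, verifies the chain.
issue_client() {       # $1 = ca.crt, $2 = ca.key, $3 = client name, $4 = output dir
    local ca_crt="$1" ca_key="$2" name="$3" out="$4"
    ca_pair_matches "$ca_crt" "$ca_key" || { echo "ca.key does not match ca.crt" >&2; return 1; }
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$out/$name.key" -out "$out/$name.req" 2>/dev/null || return 1
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$out/$name.ext"
    # Random serial, so the lost serial file is not needed to pick the next number.
    openssl x509 -req -in "$out/$name.req" -CA "$ca_crt" -CAkey "$ca_key" \
        -set_serial "0x$(openssl rand -hex 16)" -days 825 -sha256 \
        -extfile "$out/$name.ext" -out "$out/$name.crt" 2>/dev/null || return 1
    openssl verify -CAfile "$ca_crt" "$out/$name.crt" >/dev/null
}

# Stand-in for the surviving backup: a throwaway self-signed CA.
make_demo_ca() {       # $1 = directory to write ca.crt and ca.key into
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Run with the argument "demo" to see the whole flow on a throwaway CA.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_ca "$work" && issue_client "$work/ca.crt" "$work/ca.key" client-new "$work" \
        && openssl x509 -in "$work/client-new.crt" -noout -subject -issuer -serial
    rm -rf "$work"
fi
```

The same key-match check is worth running on the real backup before the old ca.crt and ca.key are copied into a fresh PKI directory.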

Re: Lost original easy-rsa folder. How to create more client keys?

Posted: Tue Nov 15, 2022 5:39 pm
by openvpn_inc
Hi rocketman11,

Glad to hear that worked. Thanks for reporting back on your success. It may be helpful to others in the future.

Kind regards,
Johan