Hello,
I have a question.
I didn't find the answer because the keywords that I use don't match what I'm looking for...
I have several routers at my customers.
For some of my customers, I have to set up a VPN between the routers.
The routers that I use are small embedded PCs and the proc is too slow to quickly gen the certificate.
I have a server at my office running Debian.
And I want to use this server to gen both client and server OpenVPN certificates.
I know how to gen the server certificate and gen client certificates, but only with one server certificate.
What I want to do is to create a folder for each customer,
and then create the OpenVPN server certificate and put that OpenVPN server certificate in the folder.
Then gen the client certificate with the OpenVPN server certificate which is located in its own folder.
Thanks
(My English is not very good so I hope that you understand my questions)
Francois
How to gen client-cert for multi-server on the same machine
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Nov 04, 2011 2:45 pm
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How to gen client-cert for multi-server on the same mach
so you wish to generate N server certificates and N client certificates? normally you'd run only a single VPN server, for which you need only a single server cert.
you can generate as many server certs as you like using
./build-key-server --batch <name-of-server>
the files will all be placed in the 'keys' folder, but getting them out of there should be a trivial shell script.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Nov 04, 2011 2:45 pm
Re: How to gen client-cert for multi-server on the same mach
Hello,
thanks for your reply.
The idea is not to use all the server certificates on the same server.
I have 25 embedded PCs that I use at my customers.
I only use these embedded PCs as VPN servers for my customers.
Each embedded PC has its own server certificate.
What I want is to gen the client certificate on my own server.
If one of my customers wants a new OVPN client, I don't want to connect to the embedded PC and gen the client key.
I would rather go on my server and gen the key for this customer on my server.
And the idea would be to make a copy of all the server keys on my server,
each in a separate folder.
But is it possible to use the build client script with the location of the server key as an argument?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How to gen client-cert for multi-server on the same mach
it's a good security practice to NOT store the client keys on the servers.
what you're describing is possible, but you need to think your PKI setup through carefully:
* you can create and sign as many server and client keys using a single CA as you want (using the 'easy-rsa' scripts)
* there is no real link between the server and client cert/keys EXCEPT the CA cert - you can mix and match all you like
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Nov 04, 2011 2:45 pm
Re: How to gen client-cert for multi-server on the same mach
So if I gen ca.key on the same server, will they all be the same?
I thought of something.
What if I make a folder named 'keycustomer'.
In this folder I create a subfolder for each customer,
and into each folder, I copy the content of the /easy-rsa folder.
If I use the scripts inside of each folder, it will gen different server keys and client keys, right?
I don't know if it's doable...
Thanks
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How to gen client-cert for multi-server on the same mach
this is doable, as long as you modify and source the 'vars' file in each directory. If you're using only a single CA certificate then this will cause problems with the certificate serial numbers.
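
The one-CA-per-customer layout discussed in this thread, as an added example that is not part of the original posts and is not easy-rsa code: it calls openssl directly instead of the easy-rsa scripts, and the customer names, function names and scratch directory are made up for the illustration. It shows that a client certificate is accepted only by the CA in its own customer folder, and that each folder keeps its own serial file.

```shell
#!/bin/sh
# Added example: one independent CA per customer folder, driven with openssl
# directly (not easy-rsa). Customer names and paths are constructed.
umask 077                                  # private keys readable by owner only
BASE="$(mktemp -d)/keycustomer"            # scratch location for the demo

# Create $BASE/<customer>/ holding that customer's own CA key and certificate.
new_customer_ca() {
    dir="$BASE/$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert <customer> <name> <server|client>: key + cert signed by that CA.
issue_cert() {
    dir="$BASE/$1"; name="$2"; role="$3"
    printf 'extendedKeyUsage=%sAuth\n' "$role" > "$dir/$name.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    # The serial file lives in the customer's folder, so every CA keeps its
    # own serial sequence.
    openssl x509 -req -in "$dir/$name.csr" -days 365 \
        -extfile "$dir/$name.ext" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAserial "$dir/ca.srl" -CAcreateserial -out "$dir/$name.crt" 2>/dev/null
}

# verify_against <customer> <cert-file>: true only if the cert chains to that CA.
verify_against() {
    openssl verify -CAfile "$BASE/$1/ca.crt" "$2" >/dev/null 2>&1
}

new_customer_ca customerA
new_customer_ca customerB
issue_cert customerA client1 client
verify_against customerA "$BASE/customerA/client1.crt" && echo "customerA CA: client1 accepted"
verify_against customerB "$BASE/customerA/client1.crt" || echo "customerB CA: client1 rejected"
```

Only the signing machine needs each `ca.key`; an embedded VPN server needs just its customer's `ca.crt` plus its own server certificate and key.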