I'm currently managing a CA using easy-rsa v2.2.0 but I would like to migrate the actual 'keys' dir content to a new system running easy-rsa v3.
Can that be achieved? Thank you for any advice.
Migrating easy-rsa, from v2 to v3
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Dec 01, 2015 2:15 pm
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Migrating easy-rsa, from v2 to v3
The CA/cert/key files are all compatible but the "database" (text files) will probably cause many issues.
Whatever you do, make sure you have a backup!
Personally, I started a new PKI with Easyrsa-v3 ..
I presume you have read this:
topic19629.html
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Dec 01, 2015 2:15 pm
Re: Migrating easy-rsa, from v2 to v3
The original need stems from a move from OpenBSD 5.8 to 5.9. In fact OpenBSD 5.9 packages EasyRSA as v3.
I see the problems, however, recreating a whole set of certificates from scratch sounds unreasonable, just because of a version upgrade, IMHO.
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Migrating easy-rsa, from v2 to v3
Easyrsa 2x is still available here .. you do not have to upgrade.
Although there is no official upgrade path, a quick test proves that it is possible to transpose your v2 PKI to a v3 structure without pain .. which is a pleasant surprise !
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Aug 30, 2019 1:29 pm
Re: Migrating easy-rsa, from v2 to v3
Hello, I am answering this old thread to give the method I followed to do the migration, as here is where I ended up when I looked for some info on how to migrate.
I just tried it on my server and everything seems to work fine (I replaced my former client certificate with a new generated one without touching the server conf and it worked).
So here are the steps:
- be sure to have installed easyrsa 3
- create a new my_ca folder
Code:
# as root
$ cd /home/openvpn/my_ca
$ cd ..
$ mv my_ca my_ca_v2
$ make-cadir my_ca_v3
- instantiate the v3 files normally to see where the files should go
Code:
# as root
$ cd /home/openvpn/my_ca_v3
$ vi vars
# copy the values from my_ca_v2/vars needed, like your organisation description
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-dh
$ ./easyrsa build-server-full dummy_server
$ find .
- copy all generated files from my_ca_v2
Code:
# as root
$ cd /home/openvpn/my_ca_v3/pki
$ old=/home/openvpn/my_ca_v2/keys
$ cp $old/*crt ./issued/
$ cp $old/*key ./private/
$ cp $old/ca.crt ./ca.crt
$ cp $old/*csr ./reqs/
$ cp $old/??.pem certs_by_serial/
# all my pem files were following a 01 02 03 series
$ cp $old/dh2048.pem ./dh.pem
$ cp $old/index.txt ./index.txt
- generate new client certificate
Code:
# as root
$ cd /home/openvpn/my_ca_v3
$ ./easyrsa build-client-full jai_2 nopass
$ cd pki
$ mkdir -p /tmp/jai_2/
$ cp ./issued/jai_2.crt ./private/jai_2.key ./reqs/jai_2.req /tmp/jai_2/
# then normal scp and configuration of my client
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jan 25, 2022 10:38 pm
Re: Migrating easy-rsa, from v2 to v3
Here is another guide, which uses : https://community.openvpn.net/openvpn/w ... sa-upgrade
Code:
./easyrsa upgrade pki