Score:1

OpenVPN - Can client certificates and keys be created if you only have ca.crt

cn flag

All servers are Debian 9 Linux. I have 200 servers with OpenVPN installed, each with three to four clients (tunnel 2).

clients ---> server1 (1 of 200) (also a client for the jumpserver) ---> jumpserver ---> main office server (client of the jumpserver, tunnel 1). So two tunnels. This post is about tunnel 2.

server1: files in /etc/openvpn/keys. They are the same for all server1..n. They were copied from a USB disk.

ca.crt
dh2048.pem
server.crt
server.key
ta.key

All the clients have the same ca.crt and ta.key (which match the server's ca.crt and ta.key files). All clients have different client.crt and client.key files, as expected. They were generated in a batch and copied over, like the servers.

I want to generate client.crt and client.key for 20 more clients. The issue is that I have no idea where the original easy-rsa folder with the script, vars file and pki folder is. It's not on the server. All I have are the end products that were copied over to the existing clients.

How can I generate certificates and keys for the new clients? If I start with easy-rsa again, the public ca.crt would change. If I had to replace a server with a new ca.crt, it wouldn't match the existing clients anymore.

Edit: I have the original ca.crt and ca.key files. I want help with generating new client certificates and keys using easy-rsa.

pt flag
You cannot sign new certificates with `ca.crt` if you don't have the corresponding private key.
Cruise5 (cn flag)
I found the `ca.key` that corresponds to `ca.crt`. What can I do to generate new certificates and keys for the clients?
pt flag
There are a ton of articles out there about running your own certificate authority with openssl; those might be a good place to start. For my personal environment I use [xca](https://hohnstaedt.de/xca/) because it saves me from having to look up openssl command lines every time I want to generate a certificate. You should be able to import your certificate and key into that tool.
Cruise5 (cn flag)
I have easy-rsa installed, but I have to skip `./easyrsa build-ca nopass`, right? What about creating a new DH key? I already have one. Would `./easyrsa gen-dh` need to be skipped? Steps: 1) `./easyrsa init-pki` 2) Put the already existing certificate and keys in the correct pki folder 3) `./easyrsa gen-req client1 nopass` 4) `./easyrsa sign-req client client1`
pt flag
I'm not particularly familiar with easy-rsa; what you've proposed sounds reasonable; I guess try it and see if it works.
Score:1
in flag

Install easyrsa as you would normally do. Something like:

  cd ~
  git clone https://github.com/OpenVPN/easy-rsa.git
  cd ~/easy-rsa/easyrsa3
  ./easyrsa init-pki

Initialize it. Something like:

  ./easyrsa \
    --batch \
    --dn-mode=org \
    --req-c=US \
    --req-st=Massachusetts \
    --req-city="Boston" \
    --req-org="The Great Certificate Company" \
    --req-email="<your email address>" \
    --req-ou="The Great Certificate Unit" \
    --req-cn=www.certco.com \
    build-ca nopass

Now replace the generated ~/easy-rsa/easyrsa3/pki/ca.crt and ~/easy-rsa/easyrsa3/pki/private/ca.key with your own ca.crt and ca.key, double-checking to make sure you do not replace the old key pair with the new key pair.

Now generate client certificates as you would normally do. They will be signed by your old ca.crt and ca.key and you should be all set.
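As an added example (not code from the thread or from easy-rsa), the same workflow done with plain openssl, so it does not depend on the lost easy-rsa directory: first check that the recovered ca.key really belongs to ca.crt (the comment above about "the `ca.key` that corresponds to `ca.crt`"), then issue a client certificate with the same extensions easy-rsa's client type uses and verify that it chains to the old CA. The demo CA it builds is a constructed stand-in for the real ca.crt/ca.key; file names and the `client21` name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Needs only openssl (1.1.1 or later).
set -eu

# Compare the public key inside ca.crt with the one derived from ca.key.
# Returns 0 only if they match, i.e. this key can actually sign under this CA.
ca_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Issue a client certificate like easy-rsa's "client" type: CA:FALSE,
# keyUsage digitalSignature, extendedKeyUsage clientAuth. A random 128-bit
# serial avoids colliding with serials the lost PKI already handed out.
issue_client_cert() {
  ca_crt=$1; ca_key=$2; name=$3; out=$4
  mkdir -p "$out"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out/$name.key" \
    -subj "/CN=$name" -out "$out/$name.csr" 2>/dev/null
  ext=$(mktemp)
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' >"$ext"
  printf 'extendedKeyUsage=clientAuth\nsubjectKeyIdentifier=hash\n' >>"$ext"
  printf 'authorityKeyIdentifier=keyid,issuer\n' >>"$ext"
  openssl x509 -req -in "$out/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -set_serial "0x$(openssl rand -hex 16)" -days 825 -extfile "$ext" \
    -out "$out/$name.crt" 2>/dev/null
  rm -f "$ext" "$out/$name.csr"
  # The check that matters: the new cert must validate against the OLD ca.crt
  # that the existing servers and clients already trust.
  openssl verify -CAfile "$ca_crt" -purpose sslclient "$out/$name.crt" >/dev/null
}

# Constructed throw-away CA standing in for the real ca.crt/ca.key (demo only).
make_demo_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo OpenVPN CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Demo run: build the stand-in CA, confirm key/cert match, issue one client cert.
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
ca_key_matches_cert "$demo_dir/ca.crt" "$demo_dir/ca.key"
issue_client_cert "$demo_dir/ca.crt" "$demo_dir/ca.key" client21 "$demo_dir/clients"
```

With the real files, point `issue_client_cert` at ca.crt and ca.key from /etc/openvpn/keys and ship only the resulting client.crt and client.key (plus the existing ca.crt and ta.key) to each new client.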
