
All servers are Debian 9 Linux. I have 200 servers with OpenVPN installed, each with three to four clients (tunnel 2).

clients ---> server1 (1 of 200) (also a client for jumpserver) ---> jumpserver ---> main office server (client of jumpserver, tunnel 1). So there are two tunnels. This post is about tunnel 2.

server1: Files in /etc/openvpn/keys. They are the same for all server1..n. They were copied from a USB disk.

ca.crt
dh2048.pem
server.crt
server.key
ta.key

All the clients have the same ca.crt and ta.key (which match the server's ca.crt and ta.key files). All clients have different client.crt and client.key files, as expected. They were generated in batch and copied over like the servers.

I want to generate client.crt and client.key for 20 more clients. The issue is that I have no idea where the original easy-rsa folder with the script, vars file and pki folder is. It's not on the server. All I have are the end products that were copied over to the existing clients.

How can I generate certificates and keys for the new clients? If I start with easy-rsa again, then the public ca.crt would change. If I had to replace a server with a new ca.crt, it wouldn't match the existing clients anymore.

Edit: I have the original ca.crt and ca.key files. I want help with generating new client certificates and keys using easy-rsa.

  • You cannot sign new certificates with ca.crt if you don't have the corresponding private key.
    – larsks
    Commented Oct 16, 2022 at 3:30
  • I found the ca.key that corresponds to ca.crt. What can I do to generate new certificates and keys for the clients?
    – Cruise5
    Commented Oct 16, 2022 at 4:00
  • There are a ton of articles out there about running your own certificate authority with openssl; those might be a good place to start. For my personal environment I use xca because it saves me from having to look up openssl command lines every time I want to generate a certificate. You should be able to import your certificate and key into that tool.
    – larsks
    Commented Oct 16, 2022 at 15:43
  • I have easy-rsa installed, but I have to skip ./easyrsa build-ca nopass, right? What about creating a new dh key? I already have one. Would ./easyrsa gen-dh need to be skipped? Steps: 1) ./easyrsa init-pki 2) Put the already existing certificate and keys in the correct pki folder 3) ./easyrsa gen-req client1 nopass 4) ./easyrsa sign-req client client1
    – Cruise5
    Commented Oct 16, 2022 at 17:40
  • I'm not particularly familiar with easy-rsa; what you've proposed sounds reasonable; I guess try it and see if it works.
    – larsks
    Commented Oct 16, 2022 at 17:43

1 Answer

Install easyrsa as you would normally do. Something like:

  cd ~
  git clone https://github.com/OpenVPN/easy-rsa.git
  cd ~/easy-rsa/easyrsa3
  ./easyrsa init-pki

Initialize it. Something like:

  ./easyrsa \
    --batch \
    --dn-mode=org \
    --req-c=US \
    --req-st=Massachusetts \
    --req-city="Boston" \
    --req-org="The Great Certificate Company" \
    --req-email="[email protected]" \
    --req-ou="The Great Certificate Unit" \
    --req-cn=www.certco.com \
    build-ca nopass

Now replace the generated ~/easy-rsa/easyrsa3/pki/ca.crt and ~/easy-rsa/easyrsa3/pki/private/ca.key with your own ca.crt and ca.key, double-checking to make sure you do not replace the old key pair with the new key pair.

Now generate client certificates as you would normally do. They will be signed by your old ca.crt and ca.key and you should be all set.
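Added example, not part of the answer above or of easy-rsa: the same workflow done with plain openssl (as larsks's comment suggests), with the two checks the answer leaves to "double checking" made explicit: that the recovered ca.key really belongs to the ca.crt the servers hold, and that each new client cert verifies against that original ca.crt. The CA pair is constructed in a temp dir to stand in for the recovered /etc/openvpn/keys/ca.crt and ca.key; only openssl in PATH is assumed.

```shell
#!/bin/sh
# Sign a new OpenVPN client certificate against an EXISTING ca.crt/ca.key
# with openssl only, checking the CA pair before and the result after.
set -eu

WORK=$(mktemp -d)          # files are left here for inspection
CA_CRT="$WORK/ca.crt"; CA_KEY="$WORK/ca.key"

# Constructed stand-in for the recovered CA pair (in real use: copy the
# existing ca.crt and ca.key here; never rebuild them).
make_stand_in_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Existing OpenVPN CA" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# Check 1: the private key must belong to the certificate we intend to keep.
# Compares the public keys derived from each file instead of trusting names.
ca_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Issue one client: a fresh key + CSR for the client, signed by the OLD CA.
issue_client() {
  name=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 825 -out "$WORK/$name.crt" 2>/dev/null
}

# Check 2: the new cert must chain to the ca.crt that the 200 servers already
# trust; a cert from a freshly built CA would fail this and be rejected.
client_verifies_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_stand_in_ca
ca_key_matches_cert "$CA_CRT" "$CA_KEY"
issue_client client21
client_verifies_against "$CA_CRT" "$WORK/client21.crt"
echo "client21.crt issued by: $(openssl x509 -in "$CA_CRT" -noout -subject)"
```

Ship client21.crt and client21.key to the new client together with the unchanged ca.crt and ta.key; nothing on the servers changes.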
