All servers are Debian 9 Linux. I have 200 servers with OpenVPN installed, each with three to four clients (tunnel 2).
clients ---> server1 (1 of 200) (also a client of the jumpserver) ---> jumpserver ---> main office server (client of the jumpserver, tunnel 1). So two tunnels. This post is about tunnel 2.
server1: files in /etc/openvpn/keys. They are the same for all server1..n. They were copied from a USB disk.

ca.crt
dh2048.pem
server.crt
server.key
ta.key
All the clients have the same ca.crt and ta.key (which match the server's ca.crt and ta.key files). All clients have different client.crt and client.key files, as expected. They were generated in batch and copied over, like the servers.
I want to generate client.crt and client.key for 20 more clients. The issue is that I have no idea where the original easy-rsa folder with the script, the vars file and the pki folder is. It's not on the server. All I have are the end products that were copied over to the existing clients.
How can I generate certificates and keys for the new clients? If I start with easy-rsa again, then the public ca.crt would change. If I had to replace a server with a new ca.crt, it wouldn't match the existing clients anymore.
Edit: I have the original ca.crt and ca.key files. I want help with generating new client certificates and keys using easy-rsa.
ca.crt if you don't have the corresponding private key.

ca.key that corresponds to ca.crt. What can I do to generate new certificates and keys for the clients.

./easyrsa build-ca nopass right? What about creating a new DH key? I already have one. Would ./easyrsa gen-dh need to be skipped?

Steps:
1) ./easyrsa init-pki
2) Put the already existing certificate and keys in the correct pki folder
3) ./easyrsa gen-req client1 nopass
4) ./easyrsa sign-req client client1
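The four-step procedure above, carried out with plain openssl so that every step is visible and checkable; this is an added example, not code from the question or from the easy-rsa project, and each step is annotated with the easy-rsa 3 command it stands in for. The CA built by make_ca is a constructed stand-in for the poster's real ca.crt/ca.key so the script runs offline; the variables WORK, CA_CRT, CA_KEY and DAYS and the client names client201/client202 are the script's own assumptions. ta.key and dh2048.pem are deliberately not regenerated: neither is derived from the CA, so the existing ones stay valid.

```shell
#!/bin/sh
# Added example, not from the original post: issue new OpenVPN client certs
# from an EXISTING ca.crt/ca.key with plain openssl. make_ca() builds a
# constructed stand-in CA so the script runs offline; with the real CA, do
# not call it and point CA_CRT/CA_KEY at the original files instead.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CRT="${CA_CRT:-$WORK/ca.crt}"
CA_KEY="${CA_KEY:-$WORK/ca.key}"
DAYS=3650

# Minimal openssl config so the script does not depend on a system
# openssl.cnf. $1 = path, $2 = CN. v3_ca is only used by "req -x509".
write_cnf() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA in dir $1 named $2. With the real CA this is the step that
# must NOT be repeated (easy-rsa: skip build-ca; after init-pki copy the
# original ca.crt to pki/ca.crt and ca.key to pki/private/ca.key).
make_ca() {
    write_cnf "$1/ca.cnf" "$2"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days "$DAYS" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Generate key + CSR for $1, then sign the CSR with the CA ($2/$3 default
# to the deployed CA; they exist only so the negative test can use another).
make_client_cert() {
    name="$1"; ca_crt="${2:-$CA_CRT}"; ca_key="${3:-$CA_KEY}"
    # easy-rsa: ./easyrsa gen-req "$name" nopass
    write_cnf "$WORK/$name.cnf" "$name"
    openssl req -new -config "$WORK/$name.cnf" -newkey rsa:2048 -nodes \
        -sha256 -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    # Same extensions easy-rsa applies to a "client" type cert; a server
    # running with "remote-cert-tls client" rejects certs without them.
    cat > "$WORK/$name.ext" <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # easy-rsa: ./easyrsa sign-req client "$name"
    # The old PKI's serial counter is gone, so use a random 128-bit serial
    # rather than restarting at 01 and colliding with certs already issued
    # (duplicate serials make a CRL ambiguous).
    openssl x509 -req -in "$WORK/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -set_serial "0x$(openssl rand -hex 16)" -days "$DAYS" -sha256 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# The check that matters: the new cert must chain to the ca.crt already
# deployed on every server and client. Exit status 0 means it does.
verify_chain() {
    openssl verify -CAfile "$CA_CRT" -purpose sslclient "$WORK/$1.crt" \
        >/dev/null 2>&1
}

# Confirm key and cert belong together before shipping them to a client.
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout 2>/dev/null)" ]
}

# The poster's worry, demonstrated: a cert issued by a freshly built CA
# (what a second build-ca would produce) does not verify against the
# deployed ca.crt. Exit status 0 means verification correctly failed.
fresh_ca_does_not_match() {
    mkdir -p "$WORK/other"
    make_ca "$WORK/other" "Other CA"
    make_client_cert stray "$WORK/other/ca.crt" "$WORK/other/ca.key"
    ! openssl verify -CAfile "$CA_CRT" "$WORK/stray.crt" >/dev/null 2>&1
}

make_ca "$WORK" "Demo OpenVPN CA"      # stand-in for the existing CA
for n in client201 client202; do
    make_client_cert "$n"
    verify_chain "$n"
    key_matches_cert "$n"
    echo "$n: signed by the existing CA, key matches cert"
done
fresh_ca_does_not_match
echo "cert from a fresh CA rejected against the deployed ca.crt, as expected"
```

Mapping this back to easy-rsa 3: run init-pki, place the original ca.crt at pki/ca.crt and ca.key at pki/private/ca.key, skip build-ca and gen-dh entirely (the existing dh2048.pem and ta.key are independent of the CA), then gen-req and sign-req per client. Since build-ca is what normally creates the CA database, if sign-req complains about a missing pki/index.txt or pki/serial, create an empty index.txt and a serial file containing a hex number well above any serial shown by openssl x509 -noout -serial on the existing client certs, for the same collision reason as the random serial above. Keep ca.key off the VPN servers; as the file list in the question shows, only ca.crt belongs in /etc/openvpn/keys.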