The directory listing you sent me earlier had
/usr/share/openvpn/easy-rsa/2.0/keys/ca.key and ca.key.orig.

-Joe


On Tue, Jan 21, 2014 at 8:22 AM, Johan Vermeulen
<jvermeu...@cawdekempen.be> wrote:

>  hello,
>
> I'm unable to find the key.pem or the *.key
>
> What I don't understand is: I do have a backup.
> And the setup on the original Opensuse-server is still there, from
> different versions of Openvpn
>  I just can't find the keys.
>
> I don't understand it.
>
> minas:~ # locate easy-rsa
> /data0/usr/share/openvpn/easy-rsa
> /data0/usr/share/openvpn/easy-rsa/2.0
> /data0/usr/share/openvpn/easy-rsa/2.0/build-ca
> /data0/usr/share/openvpn/easy-rsa/2.0/build-dh
> /data0/usr/share/openvpn/easy-rsa/2.0/build-inter
> /data0/usr/share/openvpn/easy-rsa/2.0/build-key
> /data0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
> /data0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
> /data0/usr/share/openvpn/easy-rsa/2.0/build-key-server
> /data0/usr/share/openvpn/easy-rsa/2.0/build-req
> /data0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
> /data0/usr/share/openvpn/easy-rsa/2.0/clean-all
> /data0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
> /data0/usr/share/openvpn/easy-rsa/2.0/list-crl
> /data0/usr/share/openvpn/easy-rsa/2.0/Makefile
> /data0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
> /data0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
> /data0/usr/share/openvpn/easy-rsa/2.0/pkitool
> /data0/usr/share/openvpn/easy-rsa/2.0/README
> /data0/usr/share/openvpn/easy-rsa/2.0/revoke-full
> /data0/usr/share/openvpn/easy-rsa/2.0/sign-req
> /data0/usr/share/openvpn/easy-rsa/2.0/vars
> /data0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
> /data0/usr/share/openvpn/easy-rsa/build-ca
> /data0/usr/share/openvpn/easy-rsa/build-dh
> /data0/usr/share/openvpn/easy-rsa/build-inter
> /data0/usr/share/openvpn/easy-rsa/build-key
> /data0/usr/share/openvpn/easy-rsa/build-key-pass
> /data0/usr/share/openvpn/easy-rsa/build-key-pkcs12
> /data0/usr/share/openvpn/easy-rsa/build-key-server
> /data0/usr/share/openvpn/easy-rsa/build-req
> /data0/usr/share/openvpn/easy-rsa/build-req-pass
> /data0/usr/share/openvpn/easy-rsa/clean-all
> /data0/usr/share/openvpn/easy-rsa/list-crl
> /data0/usr/share/openvpn/easy-rsa/make-crl
> /data0/usr/share/openvpn/easy-rsa/openssl.cnf
> /data0/usr/share/openvpn/easy-rsa/README
> /data0/usr/share/openvpn/easy-rsa/revoke-crt
> /data0/usr/share/openvpn/easy-rsa/revoke-full
> /data0/usr/share/openvpn/easy-rsa/sign-req
> /data0/usr/share/openvpn/easy-rsa/vars
> /data0/usr/share/openvpn/easy-rsa/Windows
> /data0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
> /data0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
> /data0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
> /data0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
> /data0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
> /data0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
> /data0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
> /data0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
> /data0/usr/share/openvpn/easy-rsa/Windows/README.txt
> /data0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
> /data0/usr/share/openvpn/easy-rsa/Windows/serial.start
> /data0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
> /data/md0/usr/share/openvpn/easy-rsa
> /data/md0/usr/share/openvpn/easy-rsa/2.0
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-ca
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-dh
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-inter
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-server
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-req
> /data/md0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
> /data/md0/usr/share/openvpn/easy-rsa/2.0/clean-all
> /data/md0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
> /data/md0/usr/share/openvpn/easy-rsa/2.0/list-crl
> /data/md0/usr/share/openvpn/easy-rsa/2.0/Makefile
> /data/md0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
> /data/md0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
> /data/md0/usr/share/openvpn/easy-rsa/2.0/pkitool
> /data/md0/usr/share/openvpn/easy-rsa/2.0/README
> /data/md0/usr/share/openvpn/easy-rsa/2.0/revoke-full
> /data/md0/usr/share/openvpn/easy-rsa/2.0/sign-req
> /data/md0/usr/share/openvpn/easy-rsa/2.0/vars
> /data/md0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
> /data/md0/usr/share/openvpn/easy-rsa/build-ca
> /data/md0/usr/share/openvpn/easy-rsa/build-dh
> /data/md0/usr/share/openvpn/easy-rsa/build-inter
> /data/md0/usr/share/openvpn/easy-rsa/build-key
> /data/md0/usr/share/openvpn/easy-rsa/build-key-pass
> /data/md0/usr/share/openvpn/easy-rsa/build-key-pkcs12
> /data/md0/usr/share/openvpn/easy-rsa/build-key-server
> /data/md0/usr/share/openvpn/easy-rsa/build-req
> /data/md0/usr/share/openvpn/easy-rsa/build-req-pass
> /data/md0/usr/share/openvpn/easy-rsa/clean-all
> /data/md0/usr/share/openvpn/easy-rsa/list-crl
> /data/md0/usr/share/openvpn/easy-rsa/make-crl
> /data/md0/usr/share/openvpn/easy-rsa/openssl.cnf
> /data/md0/usr/share/openvpn/easy-rsa/README
> /data/md0/usr/share/openvpn/easy-rsa/revoke-crt
> /data/md0/usr/share/openvpn/easy-rsa/revoke-full
> /data/md0/usr/share/openvpn/easy-rsa/sign-req
> /data/md0/usr/share/openvpn/easy-rsa/vars
> /data/md0/usr/share/openvpn/easy-rsa/Windows
> /data/md0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
> /data/md0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
> /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
> /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
> /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
> /data/md0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
> /data/md0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
> /data/md0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
> /data/md0/usr/share/openvpn/easy-rsa/Windows/README.txt
> /data/md0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
> /data/md0/usr/share/openvpn/easy-rsa/Windows/serial.start
> /data/md0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
> /usr/share/openvpn/easy-rsa
> /usr/share/openvpn/easy-rsa/1.0
> /usr/share/openvpn/easy-rsa/1.0/build-ca
> /usr/share/openvpn/easy-rsa/1.0/build-dh
> /usr/share/openvpn/easy-rsa/1.0/build-inter
> /usr/share/openvpn/easy-rsa/1.0/build-key
> /usr/share/openvpn/easy-rsa/1.0/build-key-pass
> /usr/share/openvpn/easy-rsa/1.0/build-key-pkcs12
> /usr/share/openvpn/easy-rsa/1.0/build-key-server
> /usr/share/openvpn/easy-rsa/1.0/build-req
> /usr/share/openvpn/easy-rsa/1.0/build-req-pass
> /usr/share/openvpn/easy-rsa/1.0/clean-all
> /usr/share/openvpn/easy-rsa/1.0/list-crl
> /usr/share/openvpn/easy-rsa/1.0/make-crl
> /usr/share/openvpn/easy-rsa/1.0/openssl.cnf
> /usr/share/openvpn/easy-rsa/1.0/README
> /usr/share/openvpn/easy-rsa/1.0/revoke-crt
> /usr/share/openvpn/easy-rsa/1.0/revoke-full
> /usr/share/openvpn/easy-rsa/1.0/sign-req
> /usr/share/openvpn/easy-rsa/1.0/vars
> /usr/share/openvpn/easy-rsa/2.0
> /usr/share/openvpn/easy-rsa/2.0/build-ca
> /usr/share/openvpn/easy-rsa/2.0/build-dh
> /usr/share/openvpn/easy-rsa/2.0/build-inter
> /usr/share/openvpn/easy-rsa/2.0/build-key
> /usr/share/openvpn/easy-rsa/2.0/build-key-pass
> /usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
> /usr/share/openvpn/easy-rsa/2.0/build-key-server
> /usr/share/openvpn/easy-rsa/2.0/build-req
> /usr/share/openvpn/easy-rsa/2.0/build-req-pass
> /usr/share/openvpn/easy-rsa/2.0/clean-all
> /usr/share/openvpn/easy-rsa/2.0/inherit-inter
> /usr/share/openvpn/easy-rsa/2.0/list-crl
> /usr/share/openvpn/easy-rsa/2.0/Makefile
> /usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
> /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
> /usr/share/openvpn/easy-rsa/2.0/pkitool
> /usr/share/openvpn/easy-rsa/2.0/README
> /usr/share/openvpn/easy-rsa/2.0/revoke-full
> /usr/share/openvpn/easy-rsa/2.0/sign-req
> /usr/share/openvpn/easy-rsa/2.0/vars
> /usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
>
> On 21-01-14 13:08, Joe Patterson wrote:
>
> openssl x509 -noout -modulus -in ca.pem
>
>  then look for a key where the output of:
>
>  openssl rsa -noout -modulus -in file.key
>
>  matches.
>
>  -Joe
>
>
> On Tue, Jan 21, 2014 at 6:43 AM, Johan Vermeulen <
> jvermeu...@cawdekempen.be> wrote:
>
>>  hello All,
>>
>> thanks again for helping me out, this is great.
>>
>> So getting a ca.pem from a backup, and a client certificate that was made
>> before the trouble, I get:
>>
>> [root@caw-server1 keys]# openssl verify -CAfile ca.pem elien-crt.pem
>> /etc/pki/tls/certs/servercert.pem
>> elien-crt.pem: OK
>> /etc/pki/tls/certs/servercert.pem: OK
>>
>> Any other combination would give me EM:
>>
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>> Does this mean I have the right ca.crt (ca.pem)?
>>
>> Can I look for the right ca.key the same way?
>>
>> greetings, J.
>>
>>
>> On 21-01-14 11:43, Jan Just Keijser wrote:
>>
>> Hi Johan,
>>
>> Johan Vermeulen wrote:
>>
>> Dear All,
>>
>> since a long time we have an Openvpn-server, now on Centos6,
>> originally set up on OpenSuse
>>
>> [root@caw-server1 2.0]# rpm -qa openvpn
>> openvpn-2.3.1-3.el6.x86_64
>>
>> It is very reliable, and my only activity on it is generating new client
>> keys.
>>
>> Not sure what happened -- a ./clean-all could have been run on it -- but
>> since last week, I'm unable to generate new client keys.
>>
>> [root@caw-server1 2.0]# source ./vars
>> NOTE: If you run ./clean-all, I will be doing a rm -rf on
>> /usr/share/openvpn/easy-rsa/2.0/keys
>> [root@caw-server1 2.0]# ./build-key testjohan
>> pkitool: Need a readable ca.crt and ca.key in
>> /usr/share/openvpn/easy-rsa/2.0/keys
>> Try pkitool --initca to build a root certificate/key.
>>
>>
>>
>> look inside the directory
>> /usr/share/openvpn/easy-rsa/2.0/keys
>> and see if you can find a ca.crt and ca.key file there; you can post an
>> 'ls -l' if you like.
>> If they are not there then a './clean-all' was run most likely. I hope
>> you have a backup somewhere :)
>>
>> The EM is straightforward enough, but I'm unsure on how to proceed.
>>
>> As far as I can tell the important files are in /etc/pki/tls/certs/ :
>> [root@caw-server1 certs]# ls
>> ca-bundle.crt  ca-bundle.trust.crt  ca.pem  make-dummy-cert Makefile
>> servercert.pem  serverkey.pem  slapd.pem
>>
>> as is reflected in /etc/openvpn/server.conf :
>>
>> ca /etc/pki/tls/certs/ca.pem
>> cert /etc/pki/tls/certs/servercert.pem
>> key /etc/pki/tls/certs/serverkey.pem
>>
>>
>>
>> These are the keys used for openvpn; key management (generation) is
>> separated from key usage by OpenVPN; the ca.pem and servercert+serverkey
>> are not sufficient to generate new client keys. You will need a ca.crt (or
>> ca.pem) and ca.key file for that.
>>
>> HTH,
>>
>> JJK
>>
>> PS The openssl version does not matter in this case, as CentOS 6 is new
>> enough; you could/should consider upgrading to 6.5, however.
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
>> Learn Why More Businesses Are Choosing CenturyLink Cloud For
>> Critical Workloads, Development Environments & Everything In Between.
>> Get a Quote or Start a Free Trial Today.
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Openvpn-users mailing list
>> Openvpn-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>>
>>
>
>
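The modulus comparison described in this thread, as an added example that is not part of the original messages: a shell script that scans a directory tree for the RSA private key matching a CA certificate. The function names and the throwaway CA built by `make_constructed_sample` are assumptions for illustration, and the script assumes RSA keys, as the thread's commands do.

```shell
# Added example (not from the thread): find the private key that belongs to
# a CA certificate by comparing RSA moduli. Function names are hypothetical.

# Print "Modulus=<hex>" for an RSA certificate; fail for anything else.
modulus_of_cert() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null |
        grep -E '^Modulus=[0-9A-F]+$'
}

# Same for a private key. "-passin pass:" and </dev/null make an encrypted
# key fail quietly instead of prompting for a passphrase.
modulus_of_key() {
    openssl rsa -noout -modulus -in "$1" -passin pass: </dev/null 2>/dev/null |
        grep -E '^Modulus=[0-9A-F]+$'
}

# find_matching_keys CERT DIR: print every key file under DIR whose modulus
# equals CERT's. Returns 0 on a match, 1 on none, 2 if CERT is unusable.
find_matching_keys() {
    want=$(modulus_of_cert "$1") || {
        echo "cannot read an RSA modulus from $1" >&2
        return 2
    }
    # Name patterns also catch leftovers such as ca.key.orig.
    matches=$(find "$2" -type f \
        \( -name '*.key' -o -name '*.key.*' -o -name '*.pem' \) |
        while IFS= read -r f; do
            if [ "$(modulus_of_key "$f")" = "$want" ]; then
                printf '%s\n' "$f"
            fi
        done)
    if [ -n "$matches" ]; then printf '%s\n' "$matches"; return 0; fi
    return 1
}

# Build a throwaway CA plus decoy keys (constructed sample data) in DIR.
make_constructed_sample() {
    mkdir -p "$1/keys" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/keys/ca.key.orig" -out "$1/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$1/keys/other.key" 2048 2>/dev/null &&
    openssl genrsa -aes128 -passout pass:constructed \
        -out "$1/keys/locked.key" 2048 2>/dev/null
}

# Usage: sh find_ca_key.sh ca.pem /usr/share/openvpn/easy-rsa
if [ "$#" -eq 2 ]; then find_matching_keys "$1" "$2"; fi
```

A match means only that the key holds the private half of the certificate's public key; passphrase-protected keys are skipped and have to be checked by hand.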