hi,
On 02/11/20 17:51, Stephen wrote:
> Hi Jan, thanks very much for your help I will definitely try that.
>
> After I wrote my original message I also stumbled across the
> set-rsa-pass switch to the easyrsa script. I tried invoking this on my
> ca.key file like so:
>
>     ./easyrsa set-rsa-pass ca
>
> This also seemed to work when I tried it during a quick test and
> allowed me to change the password assigned to my ca.key file.
>
> A cursory glance at the implementation suggests that set-rsa-pass
> certainly does seem to pass the -aes256 argument to OpenSSL. So I think
> this is just an alternative way of invoking the same OpenSSL commands
> you suggested Jan. Albeit one that avoids invoking OpenSSL directly...

the 'easyrsa set-rsa-pass' command invokes

    easyrsa_openssl rsa -in $infile -out $outfile $crypto

with crypto=aes256 by default so yes, the easyrsa command just invokes
the OpenSSL binary for you... Remember that the easy-rsa scripts are
merely wrappers around OpenSSL.

HTH,
JJK

> On 02/11/2020 16:27, Jan Just Keijser wrote:
>> Hi,
>>
>> On 02/11/20 16:32, Stephen wrote:
>>> Hi everyone, the Easy-RSA forums directed me to this mailing list
>>> for support questions. Hopefully someone here will be able to help me.
>>>
>>> I have successfully created an EasyRSA 3 based PKI CA as described
>>> in the standard tutorials on this topic. This currently works with
>>> OpenVPN without issue. The ca.key file I have created for my PKI is
>>> passworded in line with best practice. Consequently I am prompted
>>> for this password every time I sign cert requests with the CA. So far
>>> so good.
>>>
>>> My question is this:
>>>
>>> How can I change the password associated with this ca.key file?
>>>
>>> The specific scenario I have in mind is when I already know the
>>> existing ca.key password but I want to change the password to
>>> something else? For example if an admin leaves my workplace it is
>>> obviously best practice to change the password associated with the CA key.
>>>
>>> Is this possible with EasyRSA without recreating my entire CA from
>>> scratch and re-issuing all keys?
>>
>> find your ca.key file, then run
>>
>>     mv ca.key oldca.key
>>     openssl rsa -in oldca.key -out ca.key -aes256
>>
>> which will first prompt you for the old password, then ask for the
>> new one (twice).
>>
>> HTH,
>> JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
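
Added example, not part of the thread and not Easy-RSA's own code: a non-interactive version of the `openssl rsa ... -aes256` re-encryption discussed above, which replaces the key file only after confirming the key pair inside is unchanged, then checks that the old passphrase no longer opens it. The function names, environment variable names and passphrases are assumptions made for the illustration, and the key is a throwaway generated on the spot.

```shell
#!/bin/sh
# Added example; every key and passphrase below is a constructed throwaway value.

# pub_fp KEYFILE PASS_ENVVAR: SHA-256 of the public half of an encrypted RSA key.
pub_fp() {
    openssl rsa -in "$1" -passin "env:$2" -pubout 2>/dev/null | openssl dgst -sha256
}

# rotate_key_pass KEYFILE OLD_ENVVAR NEW_ENVVAR (hypothetical helper)
# Re-encrypts KEYFILE with AES-256 under the new passphrase and replaces it
# only if the key pair in the new file matches the one in the old file.
rotate_key_pass() {
    key=$1
    tmp=$(mktemp "$key.XXXXXX") || return 1
    # Same operation as `openssl rsa -in oldca.key -out ca.key -aes256`,
    # with passphrases read from environment variables instead of prompts.
    if openssl rsa -in "$key" -passin "env:$2" -out "$tmp" \
            -aes256 -passout "env:$3" 2>/dev/null &&
       [ "$(pub_fp "$key" "$2")" = "$(pub_fp "$tmp" "$3")" ]; then
        mv "$tmp" "$key"   # mktemp created the file with owner-only permissions
    else
        rm -f "$tmp"       # wrong old passphrase or mismatch: original untouched
        return 1
    fi
}

# demo_rotation: build a throwaway encrypted key, rotate it, check three properties.
demo_rotation() {
    dir=$(mktemp -d) || return 1
    OLD_PASS='old-constructed-pass' NEW_PASS='new-constructed-pass'
    export OLD_PASS NEW_PASS
    openssl genrsa -aes256 -passout env:OLD_PASS -out "$dir/ca.key" 2048 2>/dev/null || return 1
    before=$(pub_fp "$dir/ca.key" OLD_PASS)
    rotate_key_pass "$dir/ca.key" OLD_PASS NEW_PASS || return 1
    rc=0
    # 1. Same key pair, so certificates already signed by it still verify.
    [ "$before" = "$(pub_fp "$dir/ca.key" NEW_PASS)" ] || rc=1
    # 2. The file on disk is still passphrase-protected.
    grep -q ENCRYPTED "$dir/ca.key" || rc=1
    # 3. The old passphrase no longer decrypts the file.
    if openssl rsa -in "$dir/ca.key" -passin env:OLD_PASS -noout 2>/dev/null; then rc=1; fi
    rm -rf "$dir"
    return $rc
}

demo_rotation && echo "passphrase rotated, key pair unchanged"
```

Re-encryption only protects the file that is rewritten: any remaining copy of the old file, such as the `oldca.key` left behind by the `mv` step or a backup, still opens with the old passphrase.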