>On Tuesday, January 9th, 2024 at 3:27 PM, Antonio Quartulli
>wrote:
> Hi,
>
> On 09/01/2024 12:24, Peter Davis wrote:
>
> > Hi,
> > In the Easy-RSA directory I have the following files and directories:
> > easyrsa openssl-easyrsa.cnf pki ta.key vars x509-types
> >
> > Is it enough to keep t
Hi,
On 09/01/2024 12:24, Peter Davis wrote:
Hi,
In the Easy-RSA directory I have the following files and directories:
easyrsa openssl-easyrsa.cnf pki ta.key vars x509-types
Is it enough to keep the pki directory?
Why not keep everything?
Cheers,
--
Antonio Quartulli
>On Tuesday, January 9th, 2024 at 2:40 PM, Antonio Quartulli
>wrote:
> Hi,
>
> On 09/01/2024 08:18, Peter Davis via Openvpn-users wrote:
>
> > Hi,
> > So if I want to revoke the keys in the future and prevent clients from
> > connecting to the server, then I need the Easy-RSA directory that
Hi,
On 09/01/2024 08:18, Peter Davis via Openvpn-users wrote:
Hi,
So if I want to revoke the keys in the future and prevent clients from
connecting to the server, then I need the Easy-RSA directory that I used to
generate the keys at that time. Is it true?
Correct. More specifically, you nee
>On Tuesday, January 9th, 2024 at 10:42 AM, Gert Doering
>wrote:
> Hi,
>
> On Tue, Jan 09, 2024 at 07:08:08AM +, Peter Davis wrote:
>
> > Thanks again.
> > I forgot to tell you that this is an internal server. I have other
> > questions:
> >
> > 1- Assuming my vars file is as follows:
>
Hi,
On Tue, Jan 09, 2024 at 07:08:08AM +, Peter Davis wrote:
> Thanks again.
> I forgot to tell you that this is an internal server. I have other questions:
>
> 1- Assuming my vars file is as follows:
>
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="NY"
> export KEY_
>On Monday, January 8th, 2024 at 3:59 PM, Gert Doering
>wrote:
> Hi,
>
> On Mon, Jan 08, 2024 at 12:02:58PM +, Peter Davis via Openvpn-users wrote:
>
> > 1- What tool do you use to generate server and client keys?
>
>
> Something homegrown, based on easy-rsa
>
> > 2- Assume that the ke
On Mon, 8 Jan 2024 15:35:17 +0100, Jochen Bern wrote:
>On 08.01.24 15:09, Bo Berglund wrote:
>> OK, in my case there are only a handful of clients so I could presumably do the
>> following by creating new server crypto files from scratch:
>
>If you'd like to get into enough detail to come up
On 08.01.24 15:09, Bo Berglund wrote:
OK, in my case there are only a handful of clients so I could presumably do the
following by creating new server crypto files from scratch:
If you'd like to get into enough detail to come up with a step-by-step
recipe, you should IMHO specify *which* certs
Hi,
On Mon, Jan 08, 2024 at 03:09:24PM +0100, Bo Berglund wrote:
> There are several different types of files involved here (*.crt, *.csr, *.key,
> *.pem) and I don't know how each is actually used...
.csr, .key have no lifetimes
.crt is the certificate, which has
$ openssl x509 -in mycert.crt
On Mon, 8 Jan 2024 12:02:53 +0100, Gert Doering wrote:
>Of course this only makes sense if there's a significant number of users -
>if it's just like "5 users", I'd send everyone a new .ovpn and make sure
>they start using it in a timely fashion ;-)
Regarding extending a server's life
--
On 08.01.24 13:02, Peter Davis wrote:
1- What tool do you use to generate server and client keys?
Whichever happens to be in current use in the environment in question.
None of what we've been talking about so far is an issue with EasyRSA in
particular (beyond the Internet handing you how-tos
Hi,
On Mon, Jan 08, 2024 at 12:11:40PM +, Peter Davis via Openvpn-users wrote:
> If that's the only problem, then I can copy Easy-RSA again. When I generate
> one key, I get a warning message to generate another.
You tried to generate a new PKI (CA key+cert), which is something very
differen
Hi,
On Mon, Jan 08, 2024 at 12:02:58PM +, Peter Davis via Openvpn-users wrote:
> 1- What tool do you use to generate server and client keys?
Something homegrown, based on easy-rsa
> 2- Assume that the keys have expired. Do I have to generate a new key again
> or can I renew the previous key
Hi,
On 08/01/2024 13:11, Peter Davis wrote:
Hi,
If that's the only problem, then I can copy Easy-RSA again. When I generate one
key, I get a warning message to generate another.
When generating a certificate, you will sign it with the CA key.
If the CA key is gone, you won't be able to sign a
>On Monday, January 8th, 2024 at 3:38 PM, Antonio Quartulli
>wrote:
> Hi,
>
> On 08/01/2024 13:02, Peter Davis via Openvpn-users wrote:
>
> > I still don't quite understand why I shouldn't delete the Easy-RSA
> > directory after generating the keys!
>
>
> Because tomorrow you may add anoth
Hi,
On 08/01/2024 13:02, Peter Davis via Openvpn-users wrote:
I still don't quite understand why I shouldn't delete the Easy-RSA directory
after generating the keys!
Because tomorrow you may add another server or client and thus need to
generate another certificate.
Cheers,
--
Antonio Qua
>On Monday, January 8th, 2024 at 2:55 PM, Jochen Bern
>wrote:
> On 08.01.24 07:19, Peter Davis wrote:
>
> > On Sunday, January 7th, 2024 at 10:52 PM, Jochen Bern jochen.b...@binect.de
> > wrote:
> >
> > > On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
> > >
> > > > Now if I ignore
On 08.01.24 07:19, Peter Davis wrote:
On Sunday, January 7th, 2024 at 10:52 PM, Jochen Bern
wrote:
On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
Now if I ignore the warning message above, what is the risk?
Then you'll lose the content of those files that only the CA needs,
and thu
Hi,
On Mon, Jan 08, 2024 at 11:54:23AM +0100, Jochen Bern wrote:
> In a nutshell, if a specific CA certificate is used(!) in the config of
> whatever OpenVPN peer and is about to expire, you'll need to have it
> replaced, yes, *in every such config*.
What we do here ("we" being "one of the compan
On 07.01.24 21:20, Bo Berglund wrote:
If you have a couple of OpenVPN servers operating off of certs and keys
generated back in 2014 (like I have), then these are probably set to expire this
year 2024 because I think that the easyrsa I used back then sets a 10 year life
of these.
What is the pro
> On Sunday, January 7th, 2024 at 10:52 PM, Jochen Bern
> wrote:
> On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
>
> > As you can see, I have moved the files to /etc/openvpn/server directory.
>
>
> Correction: You have copied SOME files to that directory, namely, those
> that the s
On 07/01/2024 21:20, Bo Berglund wrote:
[...snip...]
If you have a couple of OpenVPN servers operating off of certs and keys
generated back in 2014 (like I have), then these are probably set to expire this
year 2024 because I think that the easyrsa I used back then sets a 10 year life
of these.
On Sun, 7 Jan 2024 20:22:49 +0100, Jochen Bern wrote:
>On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
>> As you can see, I have moved the files to /etc/openvpn/server directory.
>
>Correction: You have copied SOME files to that directory, namely, those
>that the server needs.
>
>> Now i
On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
As you can see, I have moved the files to /etc/openvpn/server directory.
Correction: You have copied SOME files to that directory, namely, those
that the server needs.
Now if I ignore the warning message above, what is the risk?
Then
Hi,
On Sun, Jan 07, 2024 at 05:50:55AM +, Peter Davis wrote:
> As you can see, I have moved the files to /etc/openvpn/server directory. Now
> if I ignore the warning message above, what is the risk?
You have still missed answering my question - "build a server", what
does that mean?
Reading
>On Sunday, January 7th, 2024 at 1:27 AM, Gert Doering
>wrote:
> Hi,
>
> On Sat, Jan 06, 2024 at 06:48:55AM +, Peter Davis via Openvpn-users wrote:
>
> > Now I want to create another server and when I use the command "./easyrsa
> > init-pki", then the following message is displayed:
> >
Hi,
Sent with Proton Mail secure email.
On Saturday, 6 January 2024 at 06:48, Peter Davis via Openvpn-users
wrote:
> Hello,
>
> I edited the vars file as below and created an OpenVPN server:
>
>
> export KEY_COUNTRY="US"
> export KEY_PROVINCE=
Hi,
On Sat, Jan 06, 2024 at 06:48:55AM +, Peter Davis via Openvpn-users wrote:
> Now I want to create another server and when I use the command "./easyrsa
> init-pki", then the following message is displayed:
>
> # ./easyrsa init-pki
"create a server", what does that mean?
- create a PKI
Sent with Proton Mail secure email.
On Saturday, 6 January 2024 at 06:48, Peter Davis via Openvpn-users
wrote:
> Hello,
>
> I edited the vars file as below and created an OpenVPN server:
>
>
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA
30 matches