The directory listing you sent me earlier had
/usr/share/openvpn/easy-rsa/2.0/keys/ca.key and ca.key.orig.
Post by Johan Vermeulenhello,
I'm unable to find the key.pem or the *.key
What I don't understand is: I do have a backup.
And the setup on the original Opensuse-server is still there, from
different versions of Openvpn
I just can't find the keys.
I don't understand it.
minas:~ # locate easy-rsa
/data0/usr/share/openvpn/easy-rsa
/data0/usr/share/openvpn/easy-rsa/2.0
/data0/usr/share/openvpn/easy-rsa/2.0/build-ca
/data0/usr/share/openvpn/easy-rsa/2.0/build-dh
/data0/usr/share/openvpn/easy-rsa/2.0/build-inter
/data0/usr/share/openvpn/easy-rsa/2.0/build-key
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-server
/data0/usr/share/openvpn/easy-rsa/2.0/build-req
/data0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/data0/usr/share/openvpn/easy-rsa/2.0/clean-all
/data0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/data0/usr/share/openvpn/easy-rsa/2.0/list-crl
/data0/usr/share/openvpn/easy-rsa/2.0/Makefile
/data0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/data0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/data0/usr/share/openvpn/easy-rsa/2.0/pkitool
/data0/usr/share/openvpn/easy-rsa/2.0/README
/data0/usr/share/openvpn/easy-rsa/2.0/revoke-full
/data0/usr/share/openvpn/easy-rsa/2.0/sign-req
/data0/usr/share/openvpn/easy-rsa/2.0/vars
/data0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
/data0/usr/share/openvpn/easy-rsa/build-ca
/data0/usr/share/openvpn/easy-rsa/build-dh
/data0/usr/share/openvpn/easy-rsa/build-inter
/data0/usr/share/openvpn/easy-rsa/build-key
/data0/usr/share/openvpn/easy-rsa/build-key-pass
/data0/usr/share/openvpn/easy-rsa/build-key-pkcs12
/data0/usr/share/openvpn/easy-rsa/build-key-server
/data0/usr/share/openvpn/easy-rsa/build-req
/data0/usr/share/openvpn/easy-rsa/build-req-pass
/data0/usr/share/openvpn/easy-rsa/clean-all
/data0/usr/share/openvpn/easy-rsa/list-crl
/data0/usr/share/openvpn/easy-rsa/make-crl
/data0/usr/share/openvpn/easy-rsa/openssl.cnf
/data0/usr/share/openvpn/easy-rsa/README
/data0/usr/share/openvpn/easy-rsa/revoke-crt
/data0/usr/share/openvpn/easy-rsa/revoke-full
/data0/usr/share/openvpn/easy-rsa/sign-req
/data0/usr/share/openvpn/easy-rsa/vars
/data0/usr/share/openvpn/easy-rsa/Windows
/data0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
/data0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
/data0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
/data0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
/data0/usr/share/openvpn/easy-rsa/Windows/README.txt
/data0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
/data0/usr/share/openvpn/easy-rsa/Windows/serial.start
/data0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
/data/md0/usr/share/openvpn/easy-rsa
/data/md0/usr/share/openvpn/easy-rsa/2.0
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-ca
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-dh
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-inter
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-server
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-req
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/data/md0/usr/share/openvpn/easy-rsa/2.0/clean-all
/data/md0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/data/md0/usr/share/openvpn/easy-rsa/2.0/list-crl
/data/md0/usr/share/openvpn/easy-rsa/2.0/Makefile
/data/md0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/data/md0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/data/md0/usr/share/openvpn/easy-rsa/2.0/pkitool
/data/md0/usr/share/openvpn/easy-rsa/2.0/README
/data/md0/usr/share/openvpn/easy-rsa/2.0/revoke-full
/data/md0/usr/share/openvpn/easy-rsa/2.0/sign-req
/data/md0/usr/share/openvpn/easy-rsa/2.0/vars
/data/md0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
/data/md0/usr/share/openvpn/easy-rsa/build-ca
/data/md0/usr/share/openvpn/easy-rsa/build-dh
/data/md0/usr/share/openvpn/easy-rsa/build-inter
/data/md0/usr/share/openvpn/easy-rsa/build-key
/data/md0/usr/share/openvpn/easy-rsa/build-key-pass
/data/md0/usr/share/openvpn/easy-rsa/build-key-pkcs12
/data/md0/usr/share/openvpn/easy-rsa/build-key-server
/data/md0/usr/share/openvpn/easy-rsa/build-req
/data/md0/usr/share/openvpn/easy-rsa/build-req-pass
/data/md0/usr/share/openvpn/easy-rsa/clean-all
/data/md0/usr/share/openvpn/easy-rsa/list-crl
/data/md0/usr/share/openvpn/easy-rsa/make-crl
/data/md0/usr/share/openvpn/easy-rsa/openssl.cnf
/data/md0/usr/share/openvpn/easy-rsa/README
/data/md0/usr/share/openvpn/easy-rsa/revoke-crt
/data/md0/usr/share/openvpn/easy-rsa/revoke-full
/data/md0/usr/share/openvpn/easy-rsa/sign-req
/data/md0/usr/share/openvpn/easy-rsa/vars
/data/md0/usr/share/openvpn/easy-rsa/Windows
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
/data/md0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/README.txt
/data/md0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/serial.start
/data/md0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
/usr/share/openvpn/easy-rsa
/usr/share/openvpn/easy-rsa/1.0
/usr/share/openvpn/easy-rsa/1.0/build-ca
/usr/share/openvpn/easy-rsa/1.0/build-dh
/usr/share/openvpn/easy-rsa/1.0/build-inter
/usr/share/openvpn/easy-rsa/1.0/build-key
/usr/share/openvpn/easy-rsa/1.0/build-key-pass
/usr/share/openvpn/easy-rsa/1.0/build-key-pkcs12
/usr/share/openvpn/easy-rsa/1.0/build-key-server
/usr/share/openvpn/easy-rsa/1.0/build-req
/usr/share/openvpn/easy-rsa/1.0/build-req-pass
/usr/share/openvpn/easy-rsa/1.0/clean-all
/usr/share/openvpn/easy-rsa/1.0/list-crl
/usr/share/openvpn/easy-rsa/1.0/make-crl
/usr/share/openvpn/easy-rsa/1.0/openssl.cnf
/usr/share/openvpn/easy-rsa/1.0/README
/usr/share/openvpn/easy-rsa/1.0/revoke-crt
/usr/share/openvpn/easy-rsa/1.0/revoke-full
/usr/share/openvpn/easy-rsa/1.0/sign-req
/usr/share/openvpn/easy-rsa/1.0/vars
/usr/share/openvpn/easy-rsa/2.0
/usr/share/openvpn/easy-rsa/2.0/build-ca
/usr/share/openvpn/easy-rsa/2.0/build-dh
/usr/share/openvpn/easy-rsa/2.0/build-inter
/usr/share/openvpn/easy-rsa/2.0/build-key
/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/usr/share/openvpn/easy-rsa/2.0/build-key-server
/usr/share/openvpn/easy-rsa/2.0/build-req
/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/usr/share/openvpn/easy-rsa/2.0/clean-all
/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/usr/share/openvpn/easy-rsa/2.0/list-crl
/usr/share/openvpn/easy-rsa/2.0/Makefile
/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/usr/share/openvpn/easy-rsa/2.0/pkitool
/usr/share/openvpn/easy-rsa/2.0/README
/usr/share/openvpn/easy-rsa/2.0/revoke-full
/usr/share/openvpn/easy-rsa/2.0/sign-req
/usr/share/openvpn/easy-rsa/2.0/vars
/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
openssl x509 -noout -modulus -in ca.pem
openssl rsa -noout -modulus -in file.key
matches.
-Joe
On Tue, Jan 21, 2014 at 6:43 AM, Johan Vermeulen <
Post by Johan Vermeulenhello All,
thanks again for helping me out, this is great.
So getting a ca.pem from a backup, and a client certificate that was made
/etc/pki/tls/certs/servercert.pem
elien-crt.pem: OK
/etc/pki/tls/certs/servercert.pem: OK
error 20 at 0 depth lookup:unable to get local issuer certificate
Does this mean I have the right ca.crt ( ca.pem)?
Can I look for the right ca.key the same way?
greetings, J.
Hi Johan,
Dear All,
since a long time we have an Openvpn-server, now on Centos6,
originaly setup on OpenSuse
openvpn-2.3.1-3.el6.x86_64
It is very reliable, and my only activity on it, is generate new client
keys.
Not sure what happened -- a ./clean-all could have been run on it -- but
since last week, I'm unable to generate new client keys.
NOTE: If you run ./clean-all, I will be doing a rm -rf on
/usr/share/openvpn/easy-rsa/2.0/keys
pkitool: Need a readable ca.crt and ca.key in
/usr/share/openvpn/easy-rsa/2.0/keys
Try pkitool --initca to build a root certificate/key.
look inside the directory
/usr/share/openvpn/easy-rsa/2.0/keys
and see if you can find a ca.crt and ca.key file there; you can post an
'ls -l' if you like.
If they are not there then a './clean-all' was run most likely. I hope
you have a backup somewhere :)
The EM is straightforward enough, but I'm unsure on how to proceed.
ca-bundle.crt ca-bundle.trust.crt ca.pem make-dummy-cert Makefile
servercert.pem serverkey.pem slapd.pem
ca /etc/pki/tls/certs/ca.pem
cert /etc/pki/tls/certs/servercert.pem
key /etc/pki/tls/certs/serverkey.pem
These are the keys used for openvpn ; key management (generation) is
separated from key usage by OpenVPN; the ca.pem and servercert+serverkey
are not sufficient to generated new client keys. You will need a ca.crt (or
ca.pem) and ca.key file for that.
HTH,
JJK
PS The openssl version does not matter in this case, as CentOS 6 is new
enough; you could/should consider upgrading to 6.5 , however.
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users