Generating new keys using Easy-RSA
by Jason.nix from LinuxQuestions.org on (#6HNY7)
Hello,
To build an OpenVPN server I did the following steps:
Code:
# cd /etc/openvpn/easy-rsa
# mv vars.example vars
# nano vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="NY"
export KEY_ORG="MyDepartment"
export KEY_EMAIL="admin@example.xyz"
export KEY_OU="OpenVPN"
I saved and closed the file. Then:
Code:
# ./easyrsa init-pki
# ./easyrsa build-ca nopass
# ./easyrsa gen-req MyDepartment_Server nopass
# ./easyrsa sign-req server MyDepartment_Server
Building a Diffie-Hellman key exchange:
Code:
# ./easyrsa --keysize=4096 gen-dh
# openvpn --genkey secret ta.key
Finally:
Code:
# cp ta.key /etc/openvpn/server
# cp pki/ca.crt /etc/openvpn/server
# cp pki/private/MyDepartment_Server.key /etc/openvpn/server
# cp pki/issued/MyDepartment_Server.crt /etc/openvpn/server
# cp pki/dh.pem /etc/openvpn/server/
As you can see, I have moved the files to the /etc/openvpn/server directory. Now I want to create another server, and when I use the command "./easyrsa init-pki", the following message is displayed:
Quote:
# ./easyrsa init-pki
WARNING!!! You are about to remove the EASYRSA_PKI at:
* /etc/openvpn/easy-rsa/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
Confirm removal: |
All the servers I want to make are for one company. I have some questions:
1- Now if I ignore the warning message above, what is the risk?
2- What do I need to do to build new servers using Easy-RSA?
3- What files do I need to copy from Easy-RSA so that I can safely delete the Easy-RSA directory?
Thank you.
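An added example, not code from the original post or from the Easy-RSA project: a POSIX shell helper that issues a certificate for one more server from the existing CA, without running init-pki a second time (which deletes pki/private/ca.key and every issued certificate), and then copies only the files a server needs. It assumes the Easy-RSA 3 layout shown in the post; EASYRSA_DIR, pki_has_ca, server_bundle and issue_server are names chosen here.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post or from Easy-RSA.
# Assumes the layout used above: $EASYRSA_DIR holds the easyrsa script, ta.key
# and an already initialised pki/ directory (init-pki + build-ca run once).
EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"

# Succeeds when the PKI under $1 already has a CA. If it does, init-pki must
# NOT be run again: it would wipe the CA private key and all issued certs.
pki_has_ca() {
    [ -f "$1/ca.crt" ] && [ -f "$1/private/ca.key" ]
}

# Prints the files server "$2" needs from PKI dir "$1", one per line.
# ca.key is deliberately absent: it stays on the CA host only.
server_bundle() {
    printf '%s\n' "$1/ca.crt" "$1/issued/$2.crt" "$1/private/$2.key" "$1/dh.pem"
}

# Issues a server certificate for "$1" from the existing CA and copies the
# server's files into /etc/openvpn/server/$1. Returns 1 if no CA exists yet.
issue_server() {
    name="$1"
    pki="$EASYRSA_DIR/pki"
    if ! pki_has_ca "$pki"; then
        echo "no CA in $pki: run init-pki and build-ca once, then retry" >&2
        return 1
    fi
    # --batch accepts the defaults and the 'yes' confirmation non-interactively.
    (cd "$EASYRSA_DIR" && ./easyrsa --batch gen-req "$name" nopass \
        && ./easyrsa --batch sign-req server "$name") || return 1
    dest="/etc/openvpn/server/$name"
    mkdir -p "$dest" || return 1
    server_bundle "$pki" "$name" | while IFS= read -r f; do
        cp "$f" "$dest/" || exit 1
    done || return 1
    # The tls-auth key from the post is shared by the company's servers here.
    cp "$EASYRSA_DIR/ta.key" "$dest/" || return 1
    chmod 600 "$dest/$name.key"
}
```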