openssl x509 -noout -modulus -in ca.pem

then look for a key where the output of:

openssl rsa -noout -modulus -in file.key

matches.

-Joe


On Tue, Jan 21, 2014 at 6:43 AM, Johan Vermeulen
<jvermeu...@cawdekempen.be> wrote:

>  hello All,
>
> thanks again for helping me out, this is great.
>
> So getting a ca.pem from a backup, and a client certificate that was made
> before the trouble, I get:
>
> [root@caw-server1 keys]# openssl verify -CAfile ca.pem elien-crt.pem
> /etc/pki/tls/certs/servercert.pem
> elien-crt.pem: OK
> /etc/pki/tls/certs/servercert.pem: OK
>
> Any other combination would give me EM:
>
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> Does this mean I have the right ca.crt ( ca.pem)?
>
> Can I look for the right ca.key the same way?
>
> greetings, J.
>
>
> On 21-01-14 11:43, Jan Just Keijser wrote:
>
> Hi Johan,
>
> Johan Vermeulen wrote:
>
> Dear All,
>
> since a long time we have an Openvpn-server, now on Centos6,
> originally setup on OpenSuse
>
> [root@caw-server1 2.0]# rpm -qa openvpn
> openvpn-2.3.1-3.el6.x86_64
>
> It is very reliable, and my only activity on it, is generate new client
> keys.
>
> Not sure what happened -- a ./clean-all could have been run on it -- but
> since last week, I'm unable to generate new client keys.
>
> [root@caw-server1 2.0]# source ./vars
> NOTE: If you run ./clean-all, I will be doing a rm -rf on
> /usr/share/openvpn/easy-rsa/2.0/keys
> [root@caw-server1 2.0]# ./build-key testjohan
> pkitool: Need a readable ca.crt and ca.key in
> /usr/share/openvpn/easy-rsa/2.0/keys
> Try pkitool --initca to build a root certificate/key.
>
>
>
> look inside the directory
> /usr/share/openvpn/easy-rsa/2.0/keys
> and see if you can find a ca.crt and ca.key file there; you can post an
> 'ls -l' if you like.
> If they are not there then a './clean-all' was run most likely. I hope you
> have a backup somewhere :)
>
> The EM is straightforward enough, but I'm unsure on how to proceed.
>
> As far as I can tell the important files are in /etc/pki/tls/certs/ :
> [root@caw-server1 certs]# ls
> ca-bundle.crt  ca-bundle.trust.crt  ca.pem  make-dummy-cert Makefile
> servercert.pem  serverkey.pem  slapd.pem
>
> as is reflected in /etc/openvpn/server.conf :
>
> ca /etc/pki/tls/certs/ca.pem
> cert /etc/pki/tls/certs/servercert.pem
> key /etc/pki/tls/certs/serverkey.pem
>
>
>
> These are the keys used for openvpn ; key management (generation) is
> separated from key usage by OpenVPN; the ca.pem and servercert+serverkey
> are not sufficient to generate new client keys. You will need a ca.crt (or
> ca.pem) and ca.key file for that.
>
> HTH,
>
> JJK
>
> PS The openssl version does not matter in this case, as CentOS 6 is new
> enough; you could/should consider upgrading to 6.5 , however.
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>
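The modulus comparison from the reply at the top of this message, applied to a whole directory of candidate files, as an added example that is not part of the original thread. The function names and the non-recursive search are choices made here, and it assumes RSA keys; encrypted keys are skipped rather than prompting for a passphrase.

```shell
#!/bin/sh
# Added example: find the private key whose RSA modulus matches a certificate.
# Usage: sh find_ca_key.sh ca.pem /path/to/candidates   (placeholder paths)

# Print the "Modulus=..." line of a certificate.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# Print the "Modulus=..." line of an RSA private key.
# "-passin pass:" makes encrypted keys fail instead of prompting.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" -passin pass: 2>/dev/null </dev/null
}

# Print every regular file in DIR whose key modulus equals that of CERT.
# Returns 0 if at least one match, 1 if none, 2 if CERT is unusable.
find_ca_key() {
    cert=$1
    dir=$2
    want=$(cert_modulus "$cert") || { echo "cannot read $cert" >&2; return 2; }
    case $want in
        Modulus=[0-9A-Fa-f]*) ;;                 # looks like an RSA modulus
        *) echo "$cert has no RSA modulus" >&2; return 2 ;;
    esac
    status=1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        # Certificates, public keys, non-RSA keys and encrypted keys
        # all make "openssl rsa" fail here and are skipped.
        got=$(key_modulus "$f") || continue
        if [ "$got" = "$want" ]; then
            printf '%s\n' "$f"
            status=0
        fi
    done
    return $status
}

if [ "$#" -eq 2 ]; then
    find_ca_key "$1" "$2"
fi
```

A matching modulus shows the key and certificate share the same RSA public key; whether that certificate is the CA that issued the existing client certificates is what the `openssl verify -CAfile` run quoted above checks.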