yes. against better judgment, I'm trying everything that has " key" written in it, e.g.

/data0/etc/ssl/servercerts/serverkey.pem

On 21-01-14 14:23, Joe Patterson wrote:
The directory listing you sent me earlier had /usr/share/openvpn/easy-rsa/2.0/keys/ca.key and ca.key.orig.

-Joe


On Tue, Jan 21, 2014 at 8:22 AM, Johan Vermeulen <jvermeu...@cawdekempen.be> wrote:

    hello,

    I'm unable to find the key.pem or the *.key

    What I don't understand is: I do have a backup.
    And the setup on the original Opensuse-server is still there, from
    different versions of Openvpn
     I just can't find the keys.

    I don't understand it.

    minas:~ # locate easy-rsa
    /data0/usr/share/openvpn/easy-rsa
    /data0/usr/share/openvpn/easy-rsa/2.0
    /data0/usr/share/openvpn/easy-rsa/2.0/build-ca
    /data0/usr/share/openvpn/easy-rsa/2.0/build-dh
    /data0/usr/share/openvpn/easy-rsa/2.0/build-inter
    /data0/usr/share/openvpn/easy-rsa/2.0/build-key
    /data0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
    /data0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
    /data0/usr/share/openvpn/easy-rsa/2.0/build-key-server
    /data0/usr/share/openvpn/easy-rsa/2.0/build-req
    /data0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
    /data0/usr/share/openvpn/easy-rsa/2.0/clean-all
    /data0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
    /data0/usr/share/openvpn/easy-rsa/2.0/list-crl
    /data0/usr/share/openvpn/easy-rsa/2.0/Makefile
    /data0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
    /data0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
    /data0/usr/share/openvpn/easy-rsa/2.0/pkitool
    /data0/usr/share/openvpn/easy-rsa/2.0/README
    /data0/usr/share/openvpn/easy-rsa/2.0/revoke-full
    /data0/usr/share/openvpn/easy-rsa/2.0/sign-req
    /data0/usr/share/openvpn/easy-rsa/2.0/vars
    /data0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
    /data0/usr/share/openvpn/easy-rsa/build-ca
    /data0/usr/share/openvpn/easy-rsa/build-dh
    /data0/usr/share/openvpn/easy-rsa/build-inter
    /data0/usr/share/openvpn/easy-rsa/build-key
    /data0/usr/share/openvpn/easy-rsa/build-key-pass
    /data0/usr/share/openvpn/easy-rsa/build-key-pkcs12
    /data0/usr/share/openvpn/easy-rsa/build-key-server
    /data0/usr/share/openvpn/easy-rsa/build-req
    /data0/usr/share/openvpn/easy-rsa/build-req-pass
    /data0/usr/share/openvpn/easy-rsa/clean-all
    /data0/usr/share/openvpn/easy-rsa/list-crl
    /data0/usr/share/openvpn/easy-rsa/make-crl
    /data0/usr/share/openvpn/easy-rsa/openssl.cnf
    /data0/usr/share/openvpn/easy-rsa/README
    /data0/usr/share/openvpn/easy-rsa/revoke-crt
    /data0/usr/share/openvpn/easy-rsa/revoke-full
    /data0/usr/share/openvpn/easy-rsa/sign-req
    /data0/usr/share/openvpn/easy-rsa/vars
    /data0/usr/share/openvpn/easy-rsa/Windows
    /data0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
    /data0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/README.txt
    /data0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/serial.start
    /data0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
    /data/md0/usr/share/openvpn/easy-rsa
    /data/md0/usr/share/openvpn/easy-rsa/2.0
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-ca
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-dh
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-inter
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-server
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-req
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
    /data/md0/usr/share/openvpn/easy-rsa/2.0/clean-all
    /data/md0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
    /data/md0/usr/share/openvpn/easy-rsa/2.0/list-crl
    /data/md0/usr/share/openvpn/easy-rsa/2.0/Makefile
    /data/md0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
    /data/md0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
    /data/md0/usr/share/openvpn/easy-rsa/2.0/pkitool
    /data/md0/usr/share/openvpn/easy-rsa/2.0/README
    /data/md0/usr/share/openvpn/easy-rsa/2.0/revoke-full
    /data/md0/usr/share/openvpn/easy-rsa/2.0/sign-req
    /data/md0/usr/share/openvpn/easy-rsa/2.0/vars
    /data/md0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
    /data/md0/usr/share/openvpn/easy-rsa/build-ca
    /data/md0/usr/share/openvpn/easy-rsa/build-dh
    /data/md0/usr/share/openvpn/easy-rsa/build-inter
    /data/md0/usr/share/openvpn/easy-rsa/build-key
    /data/md0/usr/share/openvpn/easy-rsa/build-key-pass
    /data/md0/usr/share/openvpn/easy-rsa/build-key-pkcs12
    /data/md0/usr/share/openvpn/easy-rsa/build-key-server
    /data/md0/usr/share/openvpn/easy-rsa/build-req
    /data/md0/usr/share/openvpn/easy-rsa/build-req-pass
    /data/md0/usr/share/openvpn/easy-rsa/clean-all
    /data/md0/usr/share/openvpn/easy-rsa/list-crl
    /data/md0/usr/share/openvpn/easy-rsa/make-crl
    /data/md0/usr/share/openvpn/easy-rsa/openssl.cnf
    /data/md0/usr/share/openvpn/easy-rsa/README
    /data/md0/usr/share/openvpn/easy-rsa/revoke-crt
    /data/md0/usr/share/openvpn/easy-rsa/revoke-full
    /data/md0/usr/share/openvpn/easy-rsa/sign-req
    /data/md0/usr/share/openvpn/easy-rsa/vars
    /data/md0/usr/share/openvpn/easy-rsa/Windows
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
    /data/md0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/README.txt
    /data/md0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/serial.start
    /data/md0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
    /usr/share/openvpn/easy-rsa
    /usr/share/openvpn/easy-rsa/1.0
    /usr/share/openvpn/easy-rsa/1.0/build-ca
    /usr/share/openvpn/easy-rsa/1.0/build-dh
    /usr/share/openvpn/easy-rsa/1.0/build-inter
    /usr/share/openvpn/easy-rsa/1.0/build-key
    /usr/share/openvpn/easy-rsa/1.0/build-key-pass
    /usr/share/openvpn/easy-rsa/1.0/build-key-pkcs12
    /usr/share/openvpn/easy-rsa/1.0/build-key-server
    /usr/share/openvpn/easy-rsa/1.0/build-req
    /usr/share/openvpn/easy-rsa/1.0/build-req-pass
    /usr/share/openvpn/easy-rsa/1.0/clean-all
    /usr/share/openvpn/easy-rsa/1.0/list-crl
    /usr/share/openvpn/easy-rsa/1.0/make-crl
    /usr/share/openvpn/easy-rsa/1.0/openssl.cnf
    /usr/share/openvpn/easy-rsa/1.0/README
    /usr/share/openvpn/easy-rsa/1.0/revoke-crt
    /usr/share/openvpn/easy-rsa/1.0/revoke-full
    /usr/share/openvpn/easy-rsa/1.0/sign-req
    /usr/share/openvpn/easy-rsa/1.0/vars
    /usr/share/openvpn/easy-rsa/2.0
    /usr/share/openvpn/easy-rsa/2.0/build-ca
    /usr/share/openvpn/easy-rsa/2.0/build-dh
    /usr/share/openvpn/easy-rsa/2.0/build-inter
    /usr/share/openvpn/easy-rsa/2.0/build-key
    /usr/share/openvpn/easy-rsa/2.0/build-key-pass
    /usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
    /usr/share/openvpn/easy-rsa/2.0/build-key-server
    /usr/share/openvpn/easy-rsa/2.0/build-req
    /usr/share/openvpn/easy-rsa/2.0/build-req-pass
    /usr/share/openvpn/easy-rsa/2.0/clean-all
    /usr/share/openvpn/easy-rsa/2.0/inherit-inter
    /usr/share/openvpn/easy-rsa/2.0/list-crl
    /usr/share/openvpn/easy-rsa/2.0/Makefile
    /usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
    /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
    /usr/share/openvpn/easy-rsa/2.0/pkitool
    /usr/share/openvpn/easy-rsa/2.0/README
    /usr/share/openvpn/easy-rsa/2.0/revoke-full
    /usr/share/openvpn/easy-rsa/2.0/sign-req
    /usr/share/openvpn/easy-rsa/2.0/vars
    /usr/share/openvpn/easy-rsa/2.0/whichopensslcnf

    On 21-01-14 13:08, Joe Patterson wrote:
    openssl x509 -noout -modulus -in ca.pem

    then look for a key where the output of:

    openssl rsa -noout -modulus -in file.key

    matches.

    -Joe


    On Tue, Jan 21, 2014 at 6:43 AM, Johan Vermeulen
    <jvermeu...@cawdekempen.be> wrote:

        hello All,

        thanks again for helping me out, this is great.

        So getting a ca.pem from a backup, and a client certificate
        that was made before the trouble, I get:

        [root@caw-server1 keys]# openssl verify -CAfile ca.pem elien-crt.pem /etc/pki/tls/certs/servercert.pem
        elien-crt.pem: OK
        /etc/pki/tls/certs/servercert.pem: OK

        Any other combination would give me EM:

        error 20 at 0 depth lookup:unable to get local issuer certificate

        Does this mean I have the right ca.crt ( ca.pem)?

        Can I look for the right ca.key the same way?

        greetings, J.


        On 21-01-14 11:43, Jan Just Keijser wrote:
        Hi Johan,

        Johan Vermeulen wrote:
        Dear All,

        since a long time we have an Openvpn-server, now on Centos6,
        originally setup on OpenSuse

        [root@caw-server1 2.0]# rpm -qa openvpn
        openvpn-2.3.1-3.el6.x86_64

        It is very reliable, and my only activity on it is to
        generate new client keys.

        Not sure what happened -- a ./clean-all could have been run
        on it -- but since last week, I'm unable to generate new
        client keys.

        [root@caw-server1 2.0]# source ./vars
        NOTE: If you run ./clean-all, I will be doing a rm -rf on
        /usr/share/openvpn/easy-rsa/2.0/keys
        [root@caw-server1 2.0]# ./build-key testjohan
        pkitool: Need a readable ca.crt and ca.key in
        /usr/share/openvpn/easy-rsa/2.0/keys
        Try pkitool --initca to build a root certificate/key.

        look inside the directory
        /usr/share/openvpn/easy-rsa/2.0/keys
        and see if you can find a ca.crt and ca.key file there; you
        can post an 'ls -l' if you like.
        If they are not there then a './clean-all' was run most
        likely. I hope you have a backup somewhere :)

        The EM is straightforward enough, but I'm unsure on how to
        proceed.

        As far as I can tell the important files are in
        /etc/pki/tls/certs/ :
        [root@caw-server1 certs]# ls
        ca-bundle.crt  ca-bundle.trust.crt ca.pem  make-dummy-cert
        Makefile servercert.pem  serverkey.pem slapd.pem

        as is reflected in /etc/openvpn/server.conf :

        ca /etc/pki/tls/certs/ca.pem
        cert /etc/pki/tls/certs/servercert.pem
        key /etc/pki/tls/certs/serverkey.pem

        These are the keys used for openvpn ; key management
        (generation) is separated from key usage by OpenVPN; the
        ca.pem and servercert+serverkey are not sufficient to
        generate new client keys. You will need a ca.crt (or
        ca.pem) and ca.key file for that.

        HTH,

        JJK

        PS The openssl version does not matter in this case, as
        CentOS 6 is new enough; you could/should consider upgrading
        to 6.5 , however.




        
        _______________________________________________
        Openvpn-users mailing list
        Openvpn-users@lists.sourceforge.net
        https://lists.sourceforge.net/lists/listinfo/openvpn-users
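
The modulus comparison Joe Patterson describes in the thread, wrapped in a scan over a directory, as an added example that is not part of the original messages: it builds a throwaway CA and an unrelated key (constructed sample data) and reports which file holds the private key for ca.pem. The function names and the use of `-passin pass:` to skip passphrase-protected keys instead of prompting are assumptions of this example, and it covers RSA keys only.

```shell
#!/bin/sh
# Added example (not from the thread): locate the private key that belongs
# to a certificate by comparing RSA moduli. Function names are hypothetical.

# Print "Modulus=<hex>" for an X.509 certificate.
modulus_of_cert() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }

# Same for an RSA private key. "-passin pass:" supplies an empty passphrase
# so an encrypted key fails fast instead of prompting during a scan.
modulus_of_key() {
    openssl rsa -noout -modulus -in "$1" -passin pass: 2>/dev/null </dev/null
}

# Print every regular file under DIR whose key modulus equals CERT's.
find_matching_key() {
    cert=$1 dir=$2
    want=$(modulus_of_cert "$cert") || want=
    [ -n "$want" ] || { echo "not a readable certificate: $cert" >&2; return 2; }
    find "$dir" -type f | while IFS= read -r f; do
        got=$(modulus_of_key "$f") || continue
        if [ -n "$got" ] && [ "$got" = "$want" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Constructed sample data: a throwaway CA, an unrelated key, a non-key file.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$d/ca.key.orig" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl genrsa -out "$d/serverkey.pem" 2048 2>/dev/null || return 1
    printf 'not a key\n' > "$d/README"
    printf '%s\n' "$d"
}

demo_dir=$(make_demo_pki) || exit 1
find_matching_key "$demo_dir/ca.pem" "$demo_dir"   # prints .../ca.key.orig
rm -rf "$demo_dir"
```

A recovered CA key is the most sensitive file in the PKI, so once identified it should be readable by root only and kept off world-readable backup volumes.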




