Hi,

------- Original Message -------
On Wednesday, June 8th, 2022 at 20:42, Micio Lampo <micio.la...@gmail.com> wrote:

> Hi,
> thanks again for your kind reply, but there is a misunderstanding (it's
> my fault!);
> therefore I try to be more clear:
>
> The only execution of the command 'build-ca' without 'nopass' (in my
> previous message
> I forgot the term 'without ') expects two passphrases to be entered:

If you built your CA *with* a password (*without* nopass) then you will
ALWAYS need to put *that CA* password in to generate any other certificates.

So:

easyrsa init-pki (new PKI)
easyrsa build-ca (New CA, with password)
easyrsa build-server-full server nopass (new server certificate, you MUST enter the CA password to sign this certificate)

and so forth ..

--

> 1) a CA key passphrase (-> 'Enter New CA Key Passphrase:') (***),
>
> 2) a PEM passphrase (-> 'Enter PEM pass phrase:').
>
>
> The chosen PEM passphrase is used "to access" the CA's private key,
> and indeed it is always requested later when executing
> the command 'build-server/client-full server/client [nopass]';
> if here the option 'nopass' is specified, then no PEM passphrase
> for "accessing" the server/client's private key is expected
> (if 'nopass' is not specified, then the command requests a PEM passphrase).
>
> The CA key's passphrase entered in (***) is never asked again
> in the process of building a complete PKI;
> hence the question: what is the usefulness of it?
>
> Have a nice day!
>
>
>
> On 8/6/22 17:49, tincantech wrote:
>
> > Hi,
> >
> > ------- Original Message -------
> > On Wednesday, June 8th, 2022 at 16:44, Micio Lampo
> > micio.la...@gmail.com wrote:
> >
> > > Before, I specified a wrong email address... sorry
> >
> > > Hi,
> > > thanks very much for your reply.
> > > I posed the question in the wrong way; I'm sorry for that.
> > > With 'build-ca nopass', two passphrases are expected:
> > > 1) a CA key passphrase (-> 'Enter New CA Key Passphrase:'),
> >
> > > 2) a PEM passphrase (-> 'Enter PEM pass phrase:').
> >
> > > The PEM passphrase is asked when building a server/client,
> > > but, if I correctly understand, the CA key passphrase is never asked
> > > again.
> > > Hence the question: what is the usefulness of the latter?
> >
> > The first command to use is: 'build-ca nopass'
> >
> > The second command to use is: 'build-server-full server nopass'
> >
> > Then no passwords or passphrases are prompted for.
> >
> > Again, "password" and "passphrase" are synonymous.
> >
> > One is for the CA certificate and the next is for the server certificate.
> >
> > The same is also true when building a client:
> > 'build-client-full client nopass'
> >
> > All these passwords/phrases are known as "PEM passphrases".
> >
> > HTH
> >
> --
> Fabio@Ticinocom
>
> --
> Lampo@Gmail
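
Added example (not part of the thread and not Easy-RSA's own code): the dependency described in the reply above, reproduced with plain openssl commands, assuming openssl is installed. File names, subject names and passphrases are constructed; it shows that signing needs the passphrase of an encrypted CA key even when the server key itself is created unencrypted.

```bash
#!/bin/sh
# Added illustration using plain openssl; not Easy-RSA's own code.
# All file names, subjects and passphrases are constructed sample values.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_pki() {
    # CA key encrypted with a passphrase: the 'build-ca' (no 'nopass') case.
    openssl genrsa -aes256 -passout pass:ca-secret \
        -out "$demo_dir/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$demo_dir/ca.key" -passin pass:ca-secret \
        -subj "/CN=Demo CA" -days 30 -out "$demo_dir/ca.crt" 2>/dev/null &&
    # Server key written unencrypted (the 'nopass' case), plus its request.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$demo_dir/server.key" \
        -subj "/CN=server" -out "$demo_dir/server.csr" 2>/dev/null
}

sign_server() {
    # $1 = passphrase offered for the CA key. Signing uses the CA private
    # key, so the CA passphrase is needed whatever the server key looks like.
    openssl x509 -req -in "$demo_dir/server.csr" -CA "$demo_dir/ca.crt" \
        -CAkey "$demo_dir/ca.key" -passin "pass:$1" -CAcreateserial \
        -days 30 -out "$demo_dir/server.crt" 2>/dev/null
}

key_is_encrypted() {
    # Encrypted PEM keys carry "ENCRYPTED" in the header or Proc-Type line.
    grep -q ENCRYPTED "$1"
}

make_pki || { echo "openssl setup failed" >&2; exit 1; }
key_is_encrypted "$demo_dir/ca.key" && echo "CA key: encrypted"
key_is_encrypted "$demo_dir/server.key" || echo "server key: not encrypted"
sign_server wrong-guess || echo "wrong CA passphrase: signing refused"
sign_server ca-secret && echo "correct CA passphrase: certificate issued"
```

The `pass:` arguments keep the demonstration non-interactive; on a real CA host they would expose the passphrase in the process list, so let the tool prompt instead.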
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users