On Mon, 06 Mar 2023 16:31:57 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>Hi,
>
>To build private keys without passwords, either:
>- easyrsa build-client-full cli-name nopass (The original method)
>or
>- easyrsa --nopass build-client-full cli-name (The new method)
>Option --nopass can be either --nopass or --no-pass
>All will remain supported.
>
>Without one of these options, the key will be password protected.

And I assume it will ask for the password while building the cert?
BTW: Are certs or keys or both password protectable?

>You do not need to run openssl to encrypt the file further,
>but that is entirely your decision.

That was only the way I could find previously in order to make the key password protected in the ovpn file... Not to further encrypt, just to get the password there.
I took the command from one of the easy-rsa2 scripts.

>
>To customise options specified by vars, in the case of email use:
>- easyrsa --req-email=n...@example.net build-client-full cli-name
>Add the options you choose for passwords.
>
>See 'easyrsa help options' for more.
>
>FTR: OpenSSL claims that email, if used, is generally the email of
>the CA administrator, not email per client certificate, but that is
>entirely your decision.

OK, then it is all right to have my email in all of them. I won't mess further with that.

I have now walked through my old MakeClient script to see what the new commands should be, and I have created 3 clients (TestClient 1, 2 and 3), each with slightly different inputs.
These were the commands (from history):

10020 2023-03-06 14:44:06 ./easyrsa build-client-full TestClient1 nopass
10023 2023-03-06 14:46:38 ./easyrsa build-client-full TestClient2 nopass
10039 2023-03-06 14:51:20 ./easyrsa build-client-full TestClient3

Then I built the ovpn files manually, but using the commands in my MakeClient script adapted for easyrsa3.
I then uploaded them to my phone for testing and it turned out that *all* of the connections asked for a password, which happened to be the same in all cases...
It connected fine when using the password, but now I don't know what I did to get to that point for client #3...
TestClient3 should NOT have a password in there...

Why not use passwords, you may ask?
That is because I have unattended RPi devices that must connect home without any user interaction, so that is why I make ovpn files without passwords.
And I also use this on a couple of routers so that I can connect, for example, my summer cottage LAN to my home LAN and make all devices 2-way interconnected.

PS: It seems like the certs are enumerated when created, as can be seen in directory certs_by_serial.
How can I erase these certs and move on without them?
Just removing these files will not help, since there seems to be a mechanism to keep track of the numbers.
What is the correct way to retire certs?

DS

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
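An added check for the situation described above (my own example, not from the thread or from Easy-RSA): a POSIX shell script that reports whether the private key in each Easy-RSA .key file or inline .ovpn profile is password protected, by looking at the PEM header OpenSSL writes for encrypted keys. The TestClient file names and contents are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the thread: tell which profiles carry a
# password-protected key before copying them to unattended devices.
# Relies on the PEM headers OpenSSL writes: PKCS#8 encrypted keys start
# with "BEGIN ENCRYPTED PRIVATE KEY", legacy ones carry "Proc-Type: 4,ENCRYPTED".

# Exit status 0 if the key in FILE (a .key or an .ovpn with an inline
# <key> block) is encrypted, 1 if it is stored in plain form.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Print one line per file describing what the client will experience.
report_keys() {
    for f in "$@"; do
        if key_is_encrypted "$f"; then
            printf '%s: encrypted (client will prompt for a password)\n' "$f"
        else
            printf '%s: plain (usable for unattended devices)\n' "$f"
        fi
    done
}

# --- constructed sample profiles with placeholder bodies ---
tmp=$(mktemp -d)
cat > "$tmp/TestClient1.ovpn" <<'EOF'
client
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
cat > "$tmp/TestClient3.ovpn" <<'EOF'
client
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
EOF

report_keys "$tmp/TestClient1.ovpn" "$tmp/TestClient3.ovpn"
```

Run it against the real pki/private/*.key files or the generated .ovpn files to see which of them will prompt.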