On Mon, 06 Mar 2023 18:58:36 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>Only private keys can be encrypted by openssl with a password.
>Certificates are basically public keys, therefore, password
>protecting them is completely pointless. EasyRSA does not
>offer any form of subsequent encryption.

OK, thanks!
I have now repeated the client creation process but this time using this command line:

    ./easyrsa --nopass build-client-full TestCliNoPass

I was not asked for a password! :-)

Then I ran the following crude script to create the ovpn file:

----------- Note: newsreader wrapped long line ----------
#!/bin/bash
# Build an inline .ovpn file for a client issued by EasyRSA 3.
Cli_Name=$1
if [ -z "$Cli_Name" ]; then
    echo "ERROR! No client name given!"
    exit 1
fi
# Change into the EasyRSA directory first, so the existence check below
# looks at the same pki/ tree that the cat commands read from.
cd ~/openvpn/EasyRSA-3.1.2 || exit 3
if [ ! -e "pki/issued/$Cli_Name.crt" ]; then
    echo "Cannot build ovpn file for $Cli_Name! No cert exists!"
    exit 2
fi
Out="clients/$Cli_Name.ovpn"
cat Default.txt > "$Out"
echo "<ca>" >> "$Out"
cat pki/issued/ca.crt >> "$Out"   # EasyRSA 3 writes the CA cert to pki/ca.crt by default
echo "</ca>" >> "$Out"
echo "<cert>" >> "$Out"
# Keep only the PEM block; issued certs also carry a human-readable text dump.
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "pki/issued/$Cli_Name.crt" >> "$Out"
echo "</cert>" >> "$Out"
echo "<key>" >> "$Out"
cat "pki/private/$Cli_Name.key" >> "$Out"
echo "</key>" >> "$Out"
echo "<tls-auth>" >> "$Out"
cat pki/private/ta.key >> "$Out"
echo "</tls-auth>" >> "$Out"
unix2dos -k "$Out"
echo "Done! File $Out ready"
exit 0
---------------------------------

Then I copied this ovpn file to my phone and used it with OpenVPN to connect and it worked instantly without any password question.

Next I made another test with the command:

    ./easyrsa build-client-full TestCliNoPass nopass

and checked what happened. Turns out that it too worked as expected, no password asked for.

Finally I ran a new client creation pass:

    ./easyrsa build-client-full TestCliWithPass

Now I was asked for a password etc.
Ran the ovpn creation script and tested it on my phone:
Now I *was* asked for the password and was logged on.

So it seems to be working as it was intended. :)
I must have been doing something else last time when I tested it...

Now I will finalize my script to make the ovpn file in one go.
And then convert the main server's easy-rsa to ver 3.

Question:
---------
I will call easy-rsa from within my script and I want to enter the password as a variable in the script and pass it to easy-rsa when it is called to create the client files.
How can I bypass the user input and write the password from my own script into easy-rsa?
A command line argument would really be perfect!

Why?
Well, as part of the creation of the files I also maintain an admin file where the created clients are associated with the passwords.
So I want the password question to be managed by my own script and the password sent to easyrsa somehow at the point it needs it (and asks the user to type it twice)...

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
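The confusion above (was the key actually passphrase-protected or not?) can be settled from the generated file itself. The following is an added example, not code from the thread: it inspects the PEM headers of a client key, or of the inline <key> block in a .ovpn, and reports whether the key is encrypted. It assumes only PEM-formatted keys; the sample keys it builds are constructed stubs, not real key material.

```shell
#!/bin/sh
# Classify a PEM private key file by its headers.
# Returns 0 = encrypted, 1 = plaintext, 2 = no private key found.
key_is_encrypted() {
    f=$1
    # PKCS#8 encrypted keys (what current OpenSSL/EasyRSA emit) use this BEGIN line.
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        return 0
    fi
    # Legacy "traditional" PEM keys mark encryption with a Proc-Type header instead.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        return 0
    fi
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        return 1
    fi
    return 2
}

# Pull the <key>...</key> block out of an .ovpn and classify it.
# Prints "encrypted", "plain" or "missing".
ovpn_key_state() {
    ovpn=$1
    tmp=$(mktemp) || return 3
    sed -ne '/^<key>/,/^<\/key>/p' "$ovpn" > "$tmp"
    rc=0
    key_is_encrypted "$tmp" || rc=$?
    rm -f "$tmp"
    case $rc in
        0) echo encrypted ;;
        1) echo plain ;;
        *) echo missing ;;
    esac
}

# Stand-alone demo on a constructed stub (no real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'stub' '-----END PRIVATE KEY-----' > "$demo_dir/stub.key"
{ echo client; echo '<key>'; cat "$demo_dir/stub.key"; echo '</key>'; } > "$demo_dir/stub.ovpn"
echo "stub.ovpn key state: $(ovpn_key_state "$demo_dir/stub.ovpn")"
rm -rf "$demo_dir"
```

Run it against `clients/TestCliNoPass.ovpn` and `clients/TestCliWithPass.ovpn` to confirm each one carries the kind of key you expect before handing it out.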