Some questions about OpenVPN components…



  • Hello,

    I'm successfully using this howto on some pfSense setups (also: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN )…

    Meanwhile, I have two problems/requests:

    1. When setting up OpenVPN manually (on a classic Linux box), I could use "./pkitool --initca --pass" to create a protected CA (so that only someone knowing the passphrase could issue certificates), create clients...

    With the easy-rsa package content ( http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html ), I don't have the "pkitool" command...

    I read that "pkitool --initca" = "build-ca": does that mean I could use "build-ca --pass" (does it even exist?) in order to create a protected CA?

    Or do you use it differently (the main goal: protect the CA / avoid unauthorized certificate issuing)? How do you protect the CA?

    2. When issuing certificates, I get, at the end, the following message:

    "unable to write random state"

    I think it's due to incorrect HOME / RANDFILE variables in the openssl.cnf file... Well, I didn't change it because I don't know if my thoughts are right or if there are other variables to change...

    By the way, I change the HOME variable in vars.bat in order to issue certificates...

    Certificates are well issued and work perfectly but this error message remains...

    I wanted to know:

    What is this *.rnd used for? Does it serve to generate random ciphering for certificate issuing? In other words: can we simply ignore it?

    Thank you very much,

    XZed


  • Rebel Alliance Developer Netgate

    You're probably better off following this for making keys/certs:

    http://doc.pfsense.org/index.php/Easyrsa_for_pfSense



  • @jimp:

    You're probably better off following this for making keys/certs:

    http://doc.pfsense.org/index.php/Easyrsa_for_pfSense

    Well, I remember having used easy-rsa for pfSense, at its beginnings… but it was still in "beta"... but it seems to be right now ;D

    So, I'll give it a try and will give feedback here ;D !

    Just a question:

    I suppose there isn't any package to back up folders (to back up the easyrsa4pfsense folder)? Well, WinSCP will be sufficient ^^ !

    Thanks


  • Rebel Alliance Developer Netgate

    There is a package, it's called "Backup" and you can set it up to archive any directories you want for download.

    SCP also works.



  • @jimp:

    There is a package, it's called "Backup" and you can set it up to archive any directories you want for download.

    SCP also works.

    Thank you very much !

    Sincerely,

    XZed



  • @XZed:

    @jimp:

    You're probably better off following this for making keys/certs:

    http://doc.pfsense.org/index.php/Easyrsa_for_pfSense

    Well, I remember having used easy-rsa for pfSense, at its beginnings… but it was still in "beta"... but it seems to be right now ;D

    So, I'll give it a try and will give feedback here ;D !

    Just a question:

    I suppose there isn't any package to back up folders (to back up the easyrsa4pfsense folder)? Well, WinSCP will be sufficient ^^ !

    Thanks

    I replied to this old post in order to give some feedback:

    Indeed, the easyrsa package is very nice! But pfSense 2.x brings many nice changes to OpenVPN management (CRL missing in 2.x?? How to do?? Perhaps will be corrected in final version?) ;D !

    Thank you

