Netgate Discussion Forum

    Creating Extra Client Keys… Problems

      leo2308

      Ok I initially created 16 client keys, thinking that would be enough even though there are only 7 vpn users.

      A week later, everyone all of a sudden needs VPN, so I need to create more keys.

      The problem is that the windows computer used to create the keys has been formatted and turned into a pfsense box.

      I still have the keys folder, and all the details used to create the keys (country, province, city, key-org, common name etc..)

      So I've installed OpenVPN onto another Windows PC, have put the keys folder into C:\Program Files\OpenVPN\easy-rsa, have recreated the vars.bat with the exact same details as before, and have tried creating more clients, but this is what I get:

      C:\Program Files\OpenVPN\easy-rsa>build-key client17
      Loading 'screen' into random state - done
      Generating a 1024 bit RSA private key
      …++++++
      ............++++++
      writing new private key to 'keys\client17.key'

      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.

      Country Name (2 letter code) [UK]:
      State or Province Name (full name) [LONDON]:
      Locality Name (eg, city) [LONDON]:
      Organization Name (eg, company) [OpenVPN]:
      Organizational Unit Name (eg, section) []:###### (hashed out for privacy)
      Common Name (eg, your name or your server's hostname) []:client17
      Email Address [####@####.com]:(hashed out for privacy)

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:
      Using configuration from openssl.cnf
      Loading 'screen' into random state - done
      Check that the request matches the signature
      Signature ok
      The Subject's Distinguished Name is as follows
      countryName           :PRINTABLE:'UK'
      stateOrProvinceName   :PRINTABLE:'LONDON'
      localityName          :PRINTABLE:'LONDON'
      organizationName      :PRINTABLE:'OpenVPN'
      organizationalUnitName:PRINTABLE:###### (hashed out for privacy)
      commonName            :PRINTABLE:'client17'
      emailAddress          :IA5STRING:[####@####.com]:(hashed out for privacy)]
      The stateOrProvinceName field needed to be the same in the
      CA certificate (LONDON  ) and the request (LONDON)
      Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys*.old

      Ok so the line "The stateOrProvinceName field needed to be the same in the CA certificate (LONDON  ) and the request (LONDON)" looks like I might have had a couple spaces after "LONDON", however I tried rebuilding with 2 spaces but still get the output:

      The stateOrProvinceName field needed to be the same in the
      CA certificate (LONDON  ) and the request (LONDON  )

      So not sure why that's happening or how to fix it.

      Second thing is "Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys*.old". I can't remember these files in the keys folder before; how do I get around this?

      Is there something I am missing? Is it possible for me to create more keys by just having the keys folder with the vars.bat like it originally was? I have tested the client17 key, and it does not work. Also, after creating more keys, do I need to re-generate the Diffie Hellman parameters and re-add them to the VPN server?

      Thanks in advance

        leo2308

        Is no one replying because I'm being stupid and there is an incredibly simple solution? Or is it that nobody has seen this before???

          GruensFroeschli

          I never accidentally deleted my CA.
          I'm not sure if it's even possible to recreate the CA again with entering the exact same values.

          In the worst case you will have a new CA and will have to redistribute the keys again.
          Try to keep the CA backed up ;)

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            leo2308

            Yeah, I still have the original CA ;)

            I found the solution anyway. It was a strange problem; here's a post I left on another forum:

            When looking at the ca.crt file, I noticed that after "State or Province Name (full name) [LONDON]:" there was "\x09":

            Subject: C=UK, ST=LONDON\x09, L=LONDON, O=OpenVPN

            This was seen as just some spaces when trying to build a key; however, \x09 is actually hex for the tab key. I must have pressed it by mistake when first creating the CA file, so basically now when building client keys, I just type LONDON, then hit tab, then enter.

            What I don't understand is how I managed to create the first 16 keys without pressing the tab key!

            Anyway, thanks

            1 Reply Last reply Reply Quote 0
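
The hidden tab found in the last post, as an added example (not code from the thread, OpenVPN or easy-rsa): it decodes the `\xNN` escapes in the `Subject:` line quoted above and shows which "match" field differs from the values typed into the request. The function names and `MATCH_FIELDS` are hypothetical; it assumes a byte-exact comparison and that C, ST and O are the matched fields (the page's error only confirms stateOrProvinceName).

```python
import re

# Assumption: fields the CA policy requires to be identical in the CA cert and
# the request. The thread's error confirms ST only; C and O are assumed.
MATCH_FIELDS = ("C", "ST", "O")
_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")

# Subject line as quoted in the thread (raw string: \x09 is literal text here).
CA_SUBJECT = r"Subject: C=UK, ST=LONDON\x09, L=LONDON, O=OpenVPN"

def parse_subject(line):
    """Parse 'Subject: C=UK, ST=LONDON\\x09, ...' into {field: decoded value}."""
    body = line.split("Subject:", 1)[-1].lstrip().rstrip("\r\n")
    dn = {}
    # Split only on commas that start a new 'KEY=' pair, so spaces that
    # precede a comma stay part of the previous value.
    for part in re.split(r",\s*(?=[A-Za-z]+=)", body):
        key, _, raw = part.partition("=")
        dn[key.strip()] = _ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return dn

def hidden_chars(value):
    """Return (index, repr) for control chars and leading/trailing spaces."""
    found = []
    for i, ch in enumerate(value):
        edge = ch == " " and (not value[:i + 1].strip() or not value[i:].strip())
        if ord(ch) < 0x20 or ord(ch) == 0x7F or edge:
            found.append((i, repr(ch)))
    return found

def check_request(ca_subject_line, request):
    """Compare matched fields exactly; explain each mismatch."""
    ca = parse_subject(ca_subject_line)
    problems = []
    for field in MATCH_FIELDS:
        ca_val, req_val = ca.get(field, ""), request.get(field, "")
        if ca_val != req_val:
            problems.append({"field": field, "ca": ca_val, "request": req_val,
                             "hidden_in_ca": hidden_chars(ca_val)})
    return problems

if __name__ == "__main__":
    # Constructed requests: plain value, two trailing spaces, trailing tab.
    for st in ("LONDON", "LONDON  ", "LONDON\t"):
        req = {"C": "UK", "ST": st, "O": "OpenVPN"}
        print(repr(st), "->", check_request(CA_SUBJECT, req) or "match")
```
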