SOLVED: server key does not appear to be valid

  • While setting up a openvpn vpn  with certificates generated with the easy-rsa package from a downloaded openvpn from source you will get an error

    * The field 'Server key' does not appear to be valid

    It seems that pfsense is trying to validate the server.key by looking to see if the following lines exist
    -----END RSA PRIVATE KEY-----

    but the openvpn just creates the server key with
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----

    So adding the RSA will fix the error message.

    a bug ?

  • Mine doesn't. My server key inded has "–---BEGIN RSA PRIVATE KEY-----" and I too use easy-rsa.

    Ahh it's solved, didn't see a solution.. :)

  • So, did you manage to fix it by just adding the RSA keyword ?

    Lately I'm having problems with key generation using easyrsa as even changing the key length breaks the key generation.

  • No, my server key has the line like that.

    Following this guide exactly yields this, I believe:,7840.0.html

    The following is from the readme-file in easy-rsa, under Windows, found in "C:\Program Files\OpenVPN\easy-rsa"

    _Extract all zip'd files to the OpenVPN home directory,
    including the openssl.cnf file from the top-level
    "easy-rsa" directory.

    First run init-config.bat

    Next, edit vars.bat to adapt it to your environment, and
    create the directory that will hold your key files.

    To generate TLS keys:

    Create new empty index and serial files (once only)
    1. vars
    2. clean-all

    Build a CA key (once only)
    1. vars
    2. build-ca

    Build a DH file (for server side, once only)
    1. vars
    2. build-dh

    Build a private key/certficate for the openvpn server
    1. vars
    2. build-key-server <machine-name>Build key files in PEM format (for each client machine)
    1. vars
    2. build-key <machine-name>(use <machine name="">for specific name within script)


    Build key files in PKCS #12 format (for each client machine)
    1. vars
    2. build-key-pkcs12 <machine-name>(use <machine name="">for specific name within script)

    To revoke a TLS certificate and generate a CRL file:
    1. vars
    2. revoke-full <machine-name>3. verify last line of output confirms revokation
    4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename="">"</crl></machine-name></machine></machine-name></machine></machine-name></machine-name>_

    When re-reading this I get a little unsure about repeating 'vars.bat' for all consecutive clients, I think you have to run it once in each cmd session to populate the variables, so then you could run 'build-key user' several times, in the same cmd session. Anyway, anything not being correct directly gives you error messages so.

    I made 10 pairs of certs/keys just the other day and looked briefly at the above pfs forum post to recap the commands.

    Since it is the 'RSA' being missing one would guess you don't have RSA keys, are you really using the same 'easy-rsa' that comes with openvpn to generate keys?

  • Hi linuxninjas,

    I am using a mac and I also get a key with BEGIN PRIVATE KEY only. I have one other tunnel working and the server keys were setup using Windows. I was wondering how you solved this problem. I get TLS handshake errors and Cannot load private key file /var/etc/openvpn_server*.key errors. I figure it's because they are not RSA keys.

  • Just some notes on the same topic is found here:,7840.msg198497.html#msg198497

Log in to reply