Create Userkeys with minimal serverkeys



  • Hi, on our pfSense up to 10 users are configured for OpenVPN.
    The old admin left the company and I must set up a new user account for OpenVPN. I made some tests with easy-rsa that fail. The only files I have from the server are "ca.crt, dh1024.pem, server.crt, server.key".
    How can I set up a new user without kicking out the old users? Can I extract the other files from pfSense that are needed to create new user certificates? Please help :)
    Thanks
    AndreasB



  • no ideas?



  • If you retain the same CA then you'll be OK. If you change CA then the old keys will be refused.

    Of course, maybe if you expanded

    made some tests with easy-rsa that fails

    to include the actual error somebody might be able to help you ;)



  • Without the CA's secret key ca.key you can't do anything, time to start over if it is lost.



  • @andib:

    Hi, on our pfSense up to 10 users are configured for OpenVPN.
    The old admin left the company and I must set up a new user account for OpenVPN. I made some tests with easy-rsa that fail. The only files I have from the server are "ca.crt, dh1024.pem, server.crt, server.key".
    How can I set up a new user without kicking out the old users? Can I extract the other files from pfSense that are needed to create new user certificates? Please help :)
    Thanks
    AndreasB

    If the old admin left the company, and the old admin was allowed to set up new user VPN accounts, then if your business or its data is sensitive in some way (health care/HITECH and HIPAA, financial and SOX/SEC, legal and privileged information, etc.), you probably have a legal or regulatory responsibility to ensure that that old admin is now denied access.

    So, if you depend on people outside the company not being able to get into the VPN (as opposed to having sufficient security inside the VPN so as to prevent them seeing or accessing any data, controls, or systems), then you should be coordinating (quickly!) an outage where you can put in a new ca.key and have all clients update their local keys.

    Having someone who had admin access leave is no small task; it involves changing passwords to all external facing access, and serious consideration to changing administrative passwords inside the company.

    RADIUS and other enterprise solutions can make this much more practical; but they have to be set up and maintained.

    Why do all this? Because if you assume the old admin has all the keys and all the passwords, then that old admin can create new VPN credentials and get into the VPN (say… just past the time the last person usually leaves the office tonight... or, perhaps, before a long weekend). At that point, they're on your VPN, and can start working on access to the rest of the network from there. Until you change the CA, this can happen over and over.

    Alternately: Your old admin can give or sell those keys and passwords to another organization, or publish them to Evil Place X where lots of scammers and crackers around the world hang out, giving them all access to your VPN.

    I'm in a regulated industry, and have been in another; in those environments, a new person should have had a new CA and new user keys all built and ready to go prior to, or during, HR's final interview with person X. The VPN would have been shut down until the CA update was completed, after which clients can be updated in whatever order is necessary. More likely, after they're walked out, and everyone else is told, then the VPN gets shut down and admin passwords changed and the new CA created and so on; a very stressful day, complete with stuff with hardcoded passwords breaking (and finally getting documented, if you're wise).



  • Hi, thanks for your replies.
    Now I got the complete EasyRSA directory from the old admin in our company.

    Now I try to run build-key.bat, but get errors too.

    CA certificate and CA private key do not match
    3044:error:0B080074:x509 certificate routines:X509_check_private_key:key values
    mismatch:.\crypto\x509\x509_cmp.c:406:
    C:\Programme\OpenVPN\easy-rsa\keys*.old konnte nicht gefunden werden

    Any idea?

    Yours sincerely

    andi


  • Rebel Alliance Developer Netgate

    I'm not sure how it goes on Windows, but on unix, you have to run a different program first that sets variables that make sure it's reading all of the proper files and such.
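The "CA certificate and CA private key do not match" error above is the check easy-rsa runs before signing: the public key inside ca.crt must equal the public key derived from ca.key. The script below, an added example that is not from this thread or from easy-rsa, performs that comparison with plain openssl so a restored ca.key can be verified against pfSense's ca.crt before any build-key attempt. It assumes openssl is on the PATH; the file names and the throwaway CA it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that a CA certificate and a CA private key belong
# together, i.e. the same test easy-rsa/openssl performs via
# X509_check_private_key. Assumes openssl is installed.

# ca_matches CA_CRT CA_KEY
# Returns 0 when the public key embedded in the certificate is identical to
# the public key derived from the private key, 1 otherwise (including when
# either file is unreadable or not valid PEM).
ca_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Build a throwaway CA plus one unrelated key in a temp directory so the
# check can be exercised offline. This is constructed sample material, not
# a real CA; "other.key" stands in for a ca.key from a different easy-rsa tree.
make_demo_ca() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh check_ca.sh /path/to/ca.crt /path/to/ca.key
if [ $# -eq 2 ]; then
    if ca_matches "$1" "$2"; then
        echo "OK: $1 and $2 match; easy-rsa can sign with this pair"
    else
        echo "MISMATCH: $2 is not the private key for $1 (wrong KEY_DIR or vars not sourced?)"
        exit 1
    fi
fi
```

If the check fails for the pair easy-rsa is actually using, the usual causes are an old/duplicate keys directory being read because vars was not sourced, or a ca.key that simply never belonged to the CA that issued the existing user certificates.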

