Netgate Discussion Forum
    Create Userkeys with minimal serverkeys

    • Guest

      Hi, on our pfSense there are up to 10 users configured for OpenVPN.
      The old admin left the company and I must set up new user accounts for OpenVPN. I made some tests with easy-rsa that fail. The only files I have from the server are "ca.crt, dh1024.pem, server.crt, server.key".
      How can I set up new users without kicking out the old users? Can I extract the other files from pfSense that are needed to create new user certificates?  ???  please help :)
      thanks
      AndreasB

      • Guest

        no ideas?

        • Cry Havok

          If you retain the same CA then you'll be ok.  If you change CA then the old keys will be refused.

          Of course, maybe if you expanded

          made some tests with easy-rsa that fails

          to include the actual error somebody might be able to help you ;)

          • kpa

            Without the CA's secret key ca.key you can't do anything, time to start over if it is lost.

            • Nadrek

              @andib:

              Hi, on our pfSense there are up to 10 users configured for OpenVPN.
              The old admin left the company and I must set up new user accounts for OpenVPN. I made some tests with easy-rsa that fail. The only files I have from the server are "ca.crt, dh1024.pem, server.crt, server.key".
              How can I set up new users without kicking out the old users? Can I extract the other files from pfSense that are needed to create new user certificates?  ???  please help :)
              thanks
              AndreasB

              If the old admin left the company, and the old admin was allowed to set up new user VPN accounts, then if your business or its data is sensitive in some way (health care/HITECH and HIPAA, financial and SOX/SEC, legal and privileged information, etc.), you probably have a legal or regulatory responsibility to ensure that that old admin is now denied access.

              So, if you depend on people outside the company not being able to get into the VPN (as opposed to having sufficient security inside the VPN so as to prevent them seeing or accessing any data, controls, or systems), then you should be coordinating (quickly!) an outage where you can put in a new ca.key and have all clients update their local keys.

              Having someone who had admin access leave is no small task; it involves changing passwords to all external facing access, and serious consideration to changing administrative passwords inside the company.

              RADIUS and other enterprise solutions can make this much more practical; but they have to be set up and maintained.

              Why do all this?  Because if you assume the old admin has all the keys and all the passwords, then that old admin can create new VPN credentials and get into the VPN (say… just past the time the last person usually leaves the office tonight... or, perhaps, before a long weekend).  At that point, they're on your VPN, and can start working on access to the rest of the network from there.  Until you change the CA, this can happen over and over.

              Alternately: Your old admin can give or sell those keys and passwords to another organization, or publish them to Evil Place X where lots of scammers and crackers around the world hang out, giving them all access to your VPN.

              I'm in a regulated industry, and have been in another; in those environments, a new person should have had a new CA and new user keys all built and ready to go prior to, or during, HR's final interview with person X.  The VPN would have been shut down until the CA update was completed, after which clients can be updated in whatever order is necessary.  More likely, after they're walked out, and everyone else is told, then the VPN gets shut down and admin passwords changed and the new CA created and so on; a very stressful day, complete with stuff with hardcoded passwords breaking (and finally getting documented, if you're wise).

              • Guest

                Hi, thanks for your replies.
                Now I got the complete EasyRSA directory from the old admin in our company.

                Now I try to run build-key.bat, but get errors too.

                CA certificate and CA private key do not match
                3044:error:0B080074:x509 certificate routines:X509_check_private_key:key values
                mismatch:.\crypto\x509\x509_cmp.c:406:
                C:\Programme\OpenVPN\easy-rsa\keys*.old konnte nicht gefunden werden

                Any idea?

                yours sincerely

                andi

                • jimp (Rebel Alliance Developer, Netgate)

                  I'm not sure how it goes on Windows, but on unix, you have to run a different program first that sets variables that makes sure it's reading all of the proper files and such.


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.