OK, for anyone finding this in the future, you need to create your certificates and sign them appropriately. Here are the commands for Linux:
# Generate a private key
openssl genrsa -des3 -out server.key 1024
# Generate a certificate signing request
openssl req -new -key server.key -out server.csr
# Sign the certificate with the private key (self-signed)
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
# Remove the password requirement (needed for the example)
cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
# Generate the dhparam file
openssl dhparam -out dh512.pem 512
Once you've done that, you need to change the filenames in server.cpp and client.cpp.
server.cpp
context_.use_certificate_chain_file("server.crt");
context_.use_private_key_file("server.key", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("dh512.pem");
client.cpp
ctx.load_verify_file("server.crt");
Then it should all work!
----------------------------------------------------------
Secure Sockets Layer (SSL)
or
Transport Layer Security (TLS)
Java
Introduction: See Java Secure Socket Extension (JSSE)
Simple Examples:
SimpleServer: SimpleServer.java
SimpleClient: SimpleClient.java
Running the Examples:
Server:
java SimpleServer <port> oducsc
Client:
java -Djavax.net.ssl.trustStore=wahabPublicStore SimpleClient <host> <port>
Key Stores:
The Server requires a file called: wahabPrivateStore
while the Client requires a file called: wahabPublicStore
(the password used in the following is: oducsc).
Generating wahabPrivateStore:
% keytool -genkey -alias wahabkey -keystore wahabPrivateStore
...answer the questions...
Generating wahabPublicStore:
% keytool -export -alias wahabkey -keystore wahabPrivateStore -file wahab.cert
% keytool -import -alias wahabkey -keystore wahabPublicStore -file wahab.cert
C
Generating the certificates needed by the examples
To create the root CA:
% openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
(cp random.pem ~/.rnd)
% openssl x509 -req -in rootreq.pem -sha1 -extfile myopenssl.cnf \
-extensions v3_ca -signkey rootkey.pem -out rootcert.pem
(cp /usr/local/ssl/openssl.cnf myopenssl.cnf)
% cat rootcert.pem rootkey.pem > root.pem
% openssl x509 -subject -issuer -noout -in root.pem
To create the server CA and sign it with the root CA:
% openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
% openssl x509 -req -in serverCAreq.pem -sha1 -extfile myopenssl.cnf \
-extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial \
-out serverCAcert.pem
% cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
% openssl x509 -subject -issuer -noout -in serverCA.pem
To create the server's certificate and sign it with the server CA:
% openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
% openssl x509 -req -in serverreq.pem -sha1 -extfile myopenssl.cnf \
-extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial \
-out servercert.pem
% cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem
% openssl x509 -subject -issuer -noout -in server.pem
To create the client certificate and sign it with the root CA:
% openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
% openssl x509 -req -in clientreq.pem -sha1 -extfile myopenssl.cnf \
-extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial \
-out clientcert.pem
% cat clientcert.pem clientkey.pem rootcert.pem > client.pem
% openssl x509 -subject -issuer -noout -in client.pem
To create dh512.pem and dh1024.pem:
% openssl dhparam -check -text -5 512 -out dh512.pem
% openssl dhparam -check -text -5 1024 -out dh1024.pem
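The same three-tier chain (root CA, server CA, server certificate) as an added, non-interactive script written for this page; it is not code from either post above. It assumes the openssl command-line tool is installed, uses RSA 2048 and SHA-256 in place of rsa:1024 and -sha1, and the CA names, file names and the DNS:localhost name are constructed for the example. It also adds the check a client performs: the server certificate verifies only when the intermediate is supplied alongside the trusted root, which is what the cat lines above (and the asio answer's load_verify_file) are for.

```shell
#!/bin/sh
# Added example, not taken from either post above: builds the C section's
# three-tier chain (root CA -> server CA -> server certificate) without prompts,
# then checks it the way a client that trusts only the root would.
# Every file name and subject below is constructed for this example.
set -eu

make_chain() {                       # $1 = working directory
    d=$1
    # Extension files: a CA needs basicConstraints CA:TRUE (the page's v3_ca);
    # an end-entity certificate must not have it (the page's usr_cert).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n' >"$d/leaf.ext"
    # Root CA: request, then self-sign with -signkey (as in the asio answer).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout "$d/rootkey.pem" -out "$d/rootreq.pem" 2>/dev/null
    openssl x509 -req -in "$d/rootreq.pem" -sha256 -days 3650 -extfile "$d/ca.ext" \
        -signkey "$d/rootkey.pem" -out "$d/rootcert.pem" 2>/dev/null
    # Intermediate server CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Server CA" \
        -keyout "$d/serverCAkey.pem" -out "$d/serverCAreq.pem" 2>/dev/null
    openssl x509 -req -in "$d/serverCAreq.pem" -sha256 -days 1825 -extfile "$d/ca.ext" \
        -CA "$d/rootcert.pem" -CAkey "$d/rootkey.pem" -CAcreateserial \
        -out "$d/serverCAcert.pem" 2>/dev/null
    # Server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -keyout "$d/serverkey.pem" -out "$d/serverreq.pem" 2>/dev/null
    openssl x509 -req -in "$d/serverreq.pem" -sha256 -days 365 -extfile "$d/leaf.ext" \
        -CA "$d/serverCAcert.pem" -CAkey "$d/serverCAkey.pem" -CAcreateserial \
        -out "$d/servercert.pem" 2>/dev/null
    # What the server presents: leaf first, then the intermediate (the page's cat line).
    cat "$d/servercert.pem" "$d/serverCAcert.pem" >"$d/server-chain.pem"
}

# Client-side check with only the root trusted; the intermediate is supplied
# as untrusted input, exactly as it arrives inside the server's chain.
verify_with_intermediate() {
    openssl verify -CAfile "$1/rootcert.pem" -untrusted "$1/serverCAcert.pem" \
        "$1/servercert.pem" >/dev/null 2>&1
}
# The same check without the intermediate must fail: this is why the server
# bundle has to include serverCAcert.pem.
verify_without_intermediate() {
    openssl verify -CAfile "$1/rootcert.pem" "$1/servercert.pem" >/dev/null 2>&1
}
# DH parameters for the asio server: 512 bits is trivially weak, so use 2048.
make_dhparam() { openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null; }
```

Generating 2048-bit DH parameters can take a minute or more, so make_dhparam is kept separate from make_chain.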
----------------
As Ency says, provided you've created your own CA, you simply create another key for the new user. Before any more gets typed: when you set up OpenVPN you did create your own CA, as recommended, didn't you?
Edit: OK, then
cd easy-rsa
. ./vars
./build-key newclient
I also have some notes somewhere about making a CRL, which allows you to revoke old certificates, and pointing OpenVPN at the CRL, but I can't immediately find them.