openvpn and generating keys, and without removing old keys | Senior Full Stack Developer, Coder, C#, Java, Linux, Network, PHP, Cloud

OK, for anyone finding this in the future, you need to create your certificates and sign them appropriately. Here are the commands for linux:

//Generate a private key

openssl genrsa -des3 -out server.key 1024
//Generate Certificate signing request

openssl req -new -key server.key -out server.csr
//Sign certificate with private key

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
//Remove password requirement (needed for example)

cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
//Generate dhparam file

openssl dhparam -out dh512.pem 512
Once you've done that, you need to change the filenames in server.cpp and client.cpp.

server.cpp

context_.use_certificate_chain_file("server.crt"); 
context_.use_private_key_file("server.key", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("dh512.pem");
client.cpp

ctx.load_verify_file("server.crt");
Then it should all work!




----------------------------------------------------------

Secure Socket Layer (SSL) 
or 
Transport Security Layer (TSL)
Java

Introduction: See  JavaTM Secure Socket Extension (JSSE)
Simple Examples:

SimpleServer: SimpleServer.java 
SimpleClient: SimpleClient.java
Running the Examples:
Server: 
    java SimpleServer <port> oducsc 
Client: 
     java -Djavax.net.ssl.trustStore=wahabPublicStore SimpleClient <host> <port>

Key Stores:

The Server requires a file called: wahabPrivateStore 
while the Client requires a file called: wahabPublicStore

(the password used in the following is: oducsc). 
Generating wahabPrivateStore: 
% keytool -genkey -alias wahabkey -keystore wahabPrivateStore 
....answer the questions...... 
Generating wahabPublicStore: 
% keytool -export -alias wahabkey -keystore wahabPrivateStore -file wahab.cert 
% keytool -import -alias wahabkey -keystore wahabPublicStore -file wahab.cert 
C
Generating the certificates needed by the examples

To create the root CA:

% openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem 
(cp random.pem ~/.rnd) 
% openssl x509 -req -in rootreq.pem -sha1 -extfile myopenssl.cnf \ 
    -extensions v3_ca -signkey rootkey.pem -out rootcert.pem 
(cp /usr/local/ssl/openssl.cnf myopenssl.cnf) 
% cat rootcert.pem rootkey.pem  > root.pem 
% openssl x509  -subject -issuer -noout -in root.pem

To create the server CA and sign it with the root CA:

% openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem 
% openssl x509 -req -in serverCAreq.pem -sha1 -extfile myopenssl.cnf \ 
    -extensions v3_ca -CA root.pem  -CAkey root.pem -CAcreateserial  \ 
      -out serverCAcert.pem 
% cat serverCAcert.pem serverCAkey.pem  rootcert.pem > serverCA.pem 
% openssl x509  -subject -issuer -noout -in serverCA.pem 
 
To create the server's certificate and sign it with the server CA:
% openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem 
% openssl x509 -req -in serverreq.pem -sha1 -extfile myopenssl.cnf \ 
    -extensions usr_cert -CA serverCA.pem  -CAkey serverCA.pem -CAcreateserial  \ 
      -out servercert.pem 
% cat servercert.pem serverkey.pem  serverCAcert.pem  rootcert.pem > server.pem 
% openssl x509  -subject -issuer -noout -in server.pem
To create the client certificate  and sign it with the root CA:
% openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem 
% openssl x509 -req -in clientreq.pem -sha1 -extfile myopenssl.cnf \ 
    -extensions usr_cert -CA root.pem  -CAkey root.pem -CAcreateserial  \ 
      -out clientcert.pem 
% cat clientcert.pem clientkey.pem  rootcert.pem > client.pem 
% openssl x509  -subject -issuer -noout -in client.pem
To create the dh512.pem dh1024.pem:
% openssl dhparam -check -text -5 512 -out dh512.pem 
% openssl dhparam -check -text -5 1024  -outdh1024.pem
 
 
  
 
 

  
  
  ----------------

As Ency says, provided you've created your own CA, you simply create another key for the new user. Before any more gets typed, when you set up openVPN you did create your own CA, as recommended, didn't you?

Edit: OK, then

cd easy-rsa
. ./vars
./build-key newclient
I also have some notes somewhere about making a CRL, which allows you to revoke old certificates, and pointing openVPN at the crl, but I can't immediately find them.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

OK, for anyone finding this in the future, you need to create your certificates and sign them appropriately. Here are the commands for linux:

//Generate a private key

openssl genrsa -des3 -out server.key 1024

//Generate Certificate signing request

openssl req -new -key server.key -out server.csr

//Sign certificate with private key

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

//Remove password requirement (needed for example)

cp server.key server.key.secure

openssl rsa -in server.key.secure -out server.key

//Generate dhparam file

openssl dhparam -out dh512.pem 512

Once you've done that, you need to change the filenames in server.cpp and client.cpp.

server.cpp

context_.use_certificate_chain_file("server.crt");

context_.use_private_key_file("server.key", boost::asio::ssl::context::pem);

context_.use_tmp_dh_file("dh512.pem");

client.cpp

ctx.load_verify_file("server.crt");

Then it should all work!

----------------------------------------------------------

Secure Socket Layer (SSL)

Transport Security Layer (TSL)

Java

Introduction: See JavaTM Secure Socket Extension (JSSE)

Simple Examples:

SimpleServer: SimpleServer.java

SimpleClient: SimpleClient.java

Running the Examples:

Server:

java SimpleServer <port> oducsc

Client:

java -Djavax.net.ssl.trustStore=wahabPublicStore SimpleClient <host> <port>

Key Stores:

The Server requires a file called: wahabPrivateStore

while the Client requires a file called: wahabPublicStore

(the password used in the following is: oducsc).

Generating wahabPrivateStore:

% keytool -genkey -alias wahabkey -keystore wahabPrivateStore

....answer the questions......

Generating wahabPublicStore:

% keytool -export -alias wahabkey -keystore wahabPrivateStore -file wahab.cert

% keytool -import -alias wahabkey -keystore wahabPublicStore -file wahab.cert

Generating the certificates needed by the examples

To create the root CA:

% openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

(cp random.pem ~/.rnd)

% openssl x509 -req -in rootreq.pem -sha1 -extfile myopenssl.cnf \

-extensions v3_ca -signkey rootkey.pem -out rootcert.pem

(cp /usr/local/ssl/openssl.cnf myopenssl.cnf)

% cat rootcert.pem rootkey.pem > root.pem

% openssl x509 -subject -issuer -noout -in root.pem

To create the server CA and sign it with the root CA:

% openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem

% openssl x509 -req -in serverCAreq.pem -sha1 -extfile myopenssl.cnf \

-extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial \

-out serverCAcert.pem

% cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

% openssl x509 -subject -issuer -noout -in serverCA.pem

To create the server's certificate and sign it with the server CA:

% openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem

% openssl x509 -req -in serverreq.pem -sha1 -extfile myopenssl.cnf \

-extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial \

-out servercert.pem

% cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem

% openssl x509 -subject -issuer -noout -in server.pem

To create the client certificate and sign it with the root CA:

% openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem

% openssl x509 -req -in clientreq.pem -sha1 -extfile myopenssl.cnf \

-extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial \

-out clientcert.pem

% cat clientcert.pem clientkey.pem rootcert.pem > client.pem

% openssl x509 -subject -issuer -noout -in client.pem

To create the dh512.pem dh1024.pem:

% openssl dhparam -check -text -5 512 -out dh512.pem

% openssl dhparam -check -text -5 1024 -outdh1024.pem

----------------

As Ency says, provided you've created your own CA, you simply create another key for the new user. Before any more gets typed, when you set up openVPN you did create your own CA, as recommended, didn't you?

Edit: OK, then

cd easy-rsa

. ./vars

./build-key newclient

I also have some notes somewhere about making a CRL, which allows you to revoke old certificates, and pointing openVPN at the crl, but I can't immediately find them.