Solved Create new client certs with existing CA (on-router)

blitzkrieg

Occasional Visitor
Hi all👋

Currently my OpenVPN Server1 is up.
Without going the EasyRSA3 on-another-machine route and re-generating new certs/PKI hoo-ha, how can I generate per-client certs on-the-router itself with the existing certs?
What I know:
1) I can run setuprsa.sh /mnt/sda1
2) I know the current DH+CA+keys are in /jffs/openvpn/
3) I'm totally OK to have the certs+keys managed ON router (which can be removed elsewhere later)

I was thinking ./build-key client1+n but how do I sign with the existing CA? Anyone have pointers?
*I'm on Merlin 388.4 btw.
I've never used the built-in EasyRSA v2.0 tool on the router itself so I don't have direct experience with it. However, for about 3 years I have used the EasyRSA3 tool on my Windows PC along with some custom scripts. So while the tool versions are not exactly the same, I'd think that at minimum you must have the corresponding PKI directory tree & the CA files that the EasyRSA v2 tool expects to find in order to create the additional client cert & key files.

This means that after you "source" the "vars" file and run the "./clean-all" script, you will have to copy the required CA files into the "$EASY_RSA/keys" directory so they are locally available.

For example:
Bash:
cp -fp  /jffs/openvpn/vpn_crt_server1_ca  "$EASY_RSA/keys/ca.crt"
cp -fp  /jffs/openvpn/vpn_crt_server1_ca_key  "$EASY_RSA/keys/ca.key"

Also, make sure that you have the appropriate OpenSSL config file "$EASY_RSA/openssl.cnf" locally available before you source the "vars" file.

Once all the necessary files are in place, you should be able to run the "./build-key client1+n" script to create & sign the individual client cert & key files.

Just my 2 cents.

UPDATE:
Well, I was still very curious to see how the built-in EasyRSA tool works on my ASUS router, and I was able to do what you described with the following set of commands:
Bash:
setuprsa.sh /mnt/{USB_DRIVE_VOLUME}/PATH/TO/FOLDER
cd /mnt/{USB_DRIVE_VOLUME}/PATH/TO/FOLDER/easy-rsa
## "vars" expects openssl.cnf; the router ships it under the versioned name ##
cp -fp ./openssl-1.0.0.cnf  ./openssl.cnf
source ./vars
./clean-all
## Bring the existing CA cert + private key into the keys dir that build-key uses ##
cp -fp  /jffs/openvpn/vpn_crt_server1_ca  "$EASY_RSA/keys/ca.crt"
cp -fp  /jffs/openvpn/vpn_crt_server1_ca_key  "$EASY_RSA/keys/ca.key"
./build-key clientXYZ
## Press the Enter key for all prompts but type 'y' when asked to sign the certificate & then commit ##
That was it.
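What the ./build-key step above does under the hood is: create a client key and CSR, sign the CSR with the existing CA private key, and record a fresh serial. The script below is an added example (my own, not the poster's commands and not the easy-rsa scripts shipped with Asuswrt-Merlin) that does the same thing with plain openssl, and then runs the check a practitioner wants afterwards: does the new cert actually chain to the CA, and is it a client cert rather than a server cert? All paths and names are hypothetical; the make_test_ca function only builds a throwaway stand-in CA so the script runs offline, on the router you would point it at /jffs/openvpn/vpn_crt_server1_ca and /jffs/openvpn/vpn_crt_server1_ca_key instead.

```sh
#!/bin/sh
# Added example, not the forum poster's commands and not Asuswrt-Merlin's easy-rsa.
# Shows what ./build-key does under the hood: key + CSR, sign with an EXISTING CA
# key, then verify the result against that CA. All paths are hypothetical.
set -eu

# make_test_ca DIR: constructed stand-in CA so this runs offline. On the router
# you would use the real /jffs/openvpn/vpn_crt_server1_ca(_key) instead.
make_test_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = test-router-CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# sign_cert DIR CA_CRT CA_KEY NAME ROLE(client|server)
# Writes DIR/NAME.key, DIR/NAME.csr and DIR/NAME.crt signed by CA_KEY. ROLE picks
# the extendedKeyUsage, i.e. build-key (client) vs build-key-server (server).
sign_cert() {
    dir=$1; ca_crt=$2; ca_key=$3; name=$4; role=$5
    case "$role" in
        client) eku=clientAuth ;;
        server) eku=serverAuth ;;
        *) echo "sign_cert: role must be client or server" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    # Private key + CSR; build-key asks these questions interactively, -subj answers them.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    chmod 600 "$dir/$name.key"
    # Extensions: not a CA, and only usable for the chosen TLS role.
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        "extendedKeyUsage=$eku" > "$dir/$name.ext"
    # Sign with the existing CA. -CAcreateserial keeps a serial file next to CA_CRT
    # so each issued cert gets a distinct serial (easy-rsa keeps keys/serial + index.txt).
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
        -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# verify_cert CA_CRT CERT ROLE: succeeds only if CERT chains to CA_CRT and its
# extensions permit ROLE. This is the check each OpenVPN peer does on the other;
# "remote-cert-tls server" on the client is the serverAuth variant of it.
verify_cert() {
    case "$3" in
        client) purpose=sslclient ;;
        server) purpose=sslserver ;;
        *) return 1 ;;
    esac
    openssl verify -CAfile "$1" -purpose "$purpose" "$2" >/dev/null 2>&1
}

# cert_cn CERT: print the certificate's CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone use: sh thisfile.sh CA_CRT CA_KEY CLIENTNAME [OUTDIR]
if [ "$#" -ge 3 ]; then
    out=${4:-./client-certs}
    sign_cert "$out" "$1" "$2" "$3" client
    if verify_cert "$1" "$out/$3.crt" client; then
        echo "$out/$3.crt: CN=$(cert_cn "$out/$3.crt"), client cert chains to $1"
    else
        echo "$out/$3.crt does not verify against $1" >&2
        exit 1
    fi
fi
```

Two things worth keeping in mind when doing this on the router: the procedure copies the CA private key onto the USB drive, so remove or lock down that keys directory once signing is done, and since easy-rsa 2 only knows about certs recorded in its own keys/index.txt, any CRL you later build with it will not cover certs issued elsewhere.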
Hey, just realised my thread was moved from VPN to Merlin, wonder why?

Anyways, THANK you for the tip!

Yes, I did those steps and the client certs generated successfully! (Of course vars needs to be edited with your own _CN, _NAME, etc.)
This thread would be useful for those who want to generate client certs on-router!
 
Hey, just realised my thread was moved from VPN to Merlin, wonder why?
Because the questions are specific to Asuswrt-Merlin and not generic to VPN/OpenVPN.
 
Semi-hijack.. sorry, but I've searched and haven't found an answer.
What do certificates actually do? I've created certificates and installed them on my devices... but personally don't know what the benefit is/why I do it.
Can anyone either give me a short answer as to what they do or point to a source for me to read up on the purpose please?
As a critical part of the public key infrastructure (PKI), SSL certificates are used during the authentication process between the OpenVPN server & each OpenVPN client attempting to connect so they can verify to each other that they are who they say they are, whether they are operating as a server or a client, and whether their individual certificates can indeed be trusted.

IOW, when a client initiates a connection to an OpenVPN server, the client authenticates the server certificate, while the server authenticates the client certificate so that mutual trust can then be established. This is accomplished by making sure that all server & client certificates are signed by the same Certificate Authority (CA) using the same CA private key (ca.key). The CA also has its own master certificate (ca.crt) which is shared by the server & all its clients. There are many more details involved in this process, but that's basically the gist of it.

More information is widely available on the internet with varying degrees of depth & technical concepts so if you want to know more you just have to search for it. Here's one article that I think might be a good starting point for you:

HTH
 
Ah...so really only needed if one uses openvpn. Thanks!
No, that's not correct.

It appears that we have some misunderstandings here. You asked questions about certificates on a thread talking about OpenVPN client certificates so my answer to you was based on that context. But then, you seem to have jumped to the conclusion that certificates are needed only for OpenVPN, which is completely & decidedly false. And your conclusion leads me to believe that, perhaps, you didn't read carefully the online article about SSL certificates that I recommended for you; or, if you did read it, you didn't absorb the information.

If you read that article thoroughly, you'll notice that there's not a single mention of OpenVPN at all - not once. That's because SSL certificates are also used in other situations where the exchange of public keys between 2 entities is required to initiate a secure connection once a state of mutual trust has been established via the authentication process. The article even gives you a more typical example between a web server (e.g. your bank website) & the web browser on your personal laptop. The web server certificate is authenticated by your browser to ensure that the website is indeed genuine and belongs to the company that you're trying to connect to (i.e. your online bank account), and it's not a fake website set up by some hacker(s) trying to steal your login credentials & other sensitive personal information.

In any case, my final piece of advice here: if you want to gain knowledge & understanding of a specific subject, you've got to be willing to put some time & effort into doing your own research and then learn to distill the information into small but meaningful chunks that you can absorb at your own pace. Asking questions is certainly fine, but don't jump to conclusions based only on a single reply, or on a small piece of information taken from a much larger & more complex subject matter.