EasyRSA. Can't generate CA :(

Discussion in 'Getting Started' started by banderas20, Aug 9, 2018.

  1. banderas20

    banderas20 New Member

    Aug 1, 2018

    I'm trying to build a PKI using EasyRSA. It's meant to be easy, but I'm bumping into many problems:

    I edit "vars" file. I issue "source vars". Then, "./build-ca"

    And I have found these errors so far:

    pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
    version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
    The correct version should have a comment that says: easy-rsa version 2.x
    Another one:
      No /etc/openvpn/easy-rsa/openssl.cnf file could be found
      Further invocations will fail
    Contents of openssl.cnf:
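    # Default config path; $1 is the easy-rsa directory passed in by "vars"
    cnf="$1/openssl.cnf"
    if [ "$OPENSSL" ]; then
        # Pick the config file that matches the installed OpenSSL version
        if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
            cnf="$1/openssl-0.9.6.cnf"
        elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
            cnf="$1/openssl-0.9.8.cnf"
        elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
            cnf="$1/openssl-1.0.0.cnf"
        else
            cnf="$1/openssl.cnf"
        fi
    fi
    echo "$cnf"
    if [ ! -r "$cnf" ]; then
        echo "**************************************************************" >&2
        echo "  No $cnf file could be found" >&2
        echo "  Further invocations will fail" >&2
        echo "**************************************************************" >&2
    fi
    exit 0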
    Contents of "vars" file:
    # easy-rsa parameter settings
    # NOTE: If you installed from an RPM,
    # don't edit this file in place in
    # /usr/share/openvpn/easy-rsa --
    # instead, you should copy the whole
    # easy-rsa directory to another location
    # (such as /etc/openvpn) so that your
    # edits will not be wiped out by a future
    # OpenVPN package upgrade.
    # This variable should point to
    # the top level of the easy-rsa
    # tree.
    export EASY_RSA="`pwd`"
    # This variable should point to
    # the requested executables
    export OPENSSL="openssl"
    export PKCS11TOOL="pkcs11-tool"
    export GREP="grep"
    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
    # Edit this variable to point to
    # your soon-to-be-created key
    # directory.
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    export KEY_DIR="$EASY_RSA/keys"
    # Issue rm -rf warning
    echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    # PKCS11 fixes
    export PKCS11_MODULE_PATH="dummy"
    export PKCS11_PIN="dummy"
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=2048
    # In how many days should the root CA key expire?
    export CA_EXPIRE=3650
    # In how many days should certificates expire?
    export KEY_EXPIRE=3650
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="ES"
    export KEY_PROVINCE="BA"
    export KEY_CITY="Barcelona"
    export KEY_ORG="HomeTest"
    export KEY_EMAIL="[email protected]"
    export KEY_OU="MyOrganizationalUnit"
    # X509 Subject Field
    export KEY_NAME="EasyRSA"
    # PKCS11 Smart Card
    # export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
    # export PKCS11_PIN=1234
    # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
    # You will also need to make sure your OpenVPN server config has the duplicate-cn option set
    # export KEY_CN="CommonName"
    What happens? Maybe a mismatch of versions?



  2. atanere

    atanere Moderator
    Gold Supporter

    Apr 6, 2017
    That's a likely possibility, and maybe more besides. Let me call attention to this with some of our better server/programmer fellows on here, @Rob, @Scotsgeek, @ryanvade, and @JasKinasis.... maybe one of them will be able to help get you on the right path.

  3. banderas20

    banderas20 New Member

    Aug 1, 2018
    @atanere ,

    God bless you. Anyway, I'll take a closer look at those scripts. They seem not to be very complicated, though I'm a newbie.

  4. tonaroma

    tonaroma New Member

    Nov 26, 2018
    after a bit of troubleshooting with the same problem i found the issue to be two things (in my case). if you have either of the two issues you'll get the same result as far as i can tell.

    basically if the .cnf file is not properly found it just says the same thing as if it's the wrong file.. (i guess no file is also a wrong version!)

    so the default setting is a little script to automatically choose the right script (per this article https://linuxconfig.org/openvpn-setup-on-ubuntu-18-04-bionic-beaver-linux) and it doesn't work. so you just have to point to the right one as directed in the article.

    also if you don't set up your "top level of the easy-rsa tree" properly you'll in essence have the same problem because the .cnf file you are trying to reference still won't be found.

    here's exactly what i put in to get the whole shebang flowing (up until my next roadblock anyway)

    # This variable should point to the top level of the easy-rsa tree.
    export EASY_RSA="/etc/openvpn/easy-rsa"
    # This variable should point to the openssl.cnf file included with easy-rsa.
    export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"

    hope that helps.. now to figure out this "Common Name" issue... :/
    wizardfromoz likes this.
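
The two failure modes discussed in this thread (KEY_CONFIG pointing at a file that does not exist, or at a file without the "easy-rsa version 2.x" comment) produce the same pkitool error, so it helps to tell them apart before running ./build-ca. The script below is an added example, not part of the original posts or of easy-rsa; the function names, return codes and the grep pattern (derived from the error text quoted above) are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Pre-flight check for an easy-rsa 2.x KEY_CONFIG value (hypothetical helper).
# Marker text is taken from the pkitool error message quoted in the thread.
MARKER='easy-rsa version 2\.'

# check_key_config FILE -> 0 usable, 1 unset, 2 missing/unreadable, 3 marker absent
check_key_config() {
    if [ -z "$1" ]; then
        echo "KEY_CONFIG is empty (was 'vars' sourced?)" >&2; return 1
    fi
    if [ ! -r "$1" ]; then
        echo "KEY_CONFIG=$1 is missing or unreadable" >&2; return 2
    fi
    if ! grep -q "$MARKER" "$1"; then
        echo "KEY_CONFIG=$1 lacks the easy-rsa 2.x marker comment" >&2; return 3
    fi
    return 0
}

# list_usable_cnf DIR -> prints every openssl*.cnf in DIR that passes the check
list_usable_cnf() {
    for f in "$1"/openssl*.cnf; do
        [ -e "$f" ] || continue
        check_key_config "$f" 2>/dev/null && echo "$f"
    done
    return 0
}

# Constructed demo tree (not a real easy-rsa install): the default
# openssl.cnf is absent and only the versioned file carries the marker.
demo() {
    d=$(mktemp -d) || return 1
    printf '# For use with easy-rsa version 2.x\n' > "$d/openssl-1.0.0.cnf"
    printf '# unrelated config\n' > "$d/openssl-other.cnf"
    check_key_config "$d/openssl.cnf" || echo "default path rejected, rc=$?"
    echo "usable: $(list_usable_cnf "$d")"
    rm -rf "$d"
}
demo
```

After sourcing vars, calling check_key_config "$KEY_CONFIG" shows which of the two problems applies, and list_usable_cnf "$EASY_RSA" prints the files that KEY_CONFIG could be pointed at instead.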
