
EasyRSA. Can't generate CA :(

Discussion in 'Getting Started' started by banderas20, Aug 9, 2018.

  1. banderas20

    banderas20 New Member

    Hello,

    I'm trying to build a PKI using EasyRSA. It's meant to be easy, but I'm bumping into many problems:

    I edit "vars" file. I issue "source vars". Then, "./build-ca"

    And I have found these errors so far:



    Code:
    pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
    version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
    The correct version should have a comment that says: easy-rsa version 2.x
    Another one:
    Code:
    **************************************************************
      No /etc/openvpn/easy-rsa/openssl.cnf file could be found
      Further invocations will fail
    **************************************************************
    Contents of openssl.cnf:
    Code:
    #!/bin/sh
    
    cnf="$1/openssl.cnf"
    
    if [ "$OPENSSL" ]; then
        if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
            cnf="$1/openssl-0.9.6.cnf"
        elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
            cnf="$1/openssl-0.9.8.cnf"
        elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
            cnf="$1/openssl-1.0.0.cnf"
        else
            cnf="$1/openssl.cnf"
        fi
    fi
    
    echo $cnf
    
    if [ ! -r $cnf ]; then
        echo "**************************************************************" >&2
        echo "  No $cnf file could be found" >&2
        echo "  Further invocations will fail" >&2
        echo "**************************************************************" >&2
    fi
    
    exit 0
    
    Contents of "vars" file:
    Code:
    # easy-rsa parameter settings
    
    # NOTE: If you installed from an RPM,
    # don't edit this file in place in
    # /usr/share/openvpn/easy-rsa --
    # instead, you should copy the whole
    # easy-rsa directory to another location
    # (such as /etc/openvpn) so that your
    # edits will not be wiped out by a future
    # OpenVPN package upgrade.
    
    # This variable should point to
    # the top level of the easy-rsa
    # tree.
    export EASY_RSA="`pwd`"
    
    #
    # This variable should point to
    # the requested executables
    #
    export OPENSSL="openssl"
    export PKCS11TOOL="pkcs11-tool"
    export GREP="grep"
    
    
    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
    
    # Edit this variable to point to
    # your soon-to-be-created key
    # directory.
    #
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    export KEY_DIR="$EASY_RSA/keys"
    
    # Issue rm -rf warning
    echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    # PKCS11 fixes
    export PKCS11_MODULE_PATH="dummy"
    export PKCS11_PIN="dummy"
    
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=2048
    
    # In how many days should the root CA key expire?
    export CA_EXPIRE=3650
    
    # In how many days should certificates expire?
    export KEY_EXPIRE=3650
    
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="ES"
    export KEY_PROVINCE="BA"
    export KEY_CITY="Barcelona"
    export KEY_ORG="HomeTest"
    export KEY_EMAIL="[email protected]"
    export KEY_OU="MyOrganizationalUnit"
    
    # X509 Subject Field
    export KEY_NAME="EasyRSA"
    
    # PKCS11 Smart Card
    # export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
    # export PKCS11_PIN=1234
    
    # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
    # You will also need to make sure your OpenVPN server config has the duplicate-cn option set
    # export KEY_CN="CommonName"
    What happens? Maybe a mismatch of versions?

    Thanks!
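
A small diagnostic for the two errors in the post above, added here as an example; it is not part of the original post or of easy-rsa. It repeats the whichopensslcnf selection shown in the post and reports whether the selected file is readable and carries the version comment the pkitool message asks for. The function names and the exact marker pattern are assumptions based on the error text.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of easy-rsa.
# select_cnf, check_cnf and diagnose are hypothetical helper names.

# Mirror the whichopensslcnf selection shown in the post: map the output of
# "openssl version" to the config file that script would choose.
select_cnf() {  # $1 = easy-rsa directory, $2 = "openssl version" output
    case "$2" in
        *0.9.6*)     echo "$1/openssl-0.9.6.cnf" ;;
        *0.9.8*)     echo "$1/openssl-0.9.8.cnf" ;;
        *1.0.[0-9]*) echo "$1/openssl-1.0.0.cnf" ;;
        *)           echo "$1/openssl.cnf" ;;   # any other version lands here
    esac
}

# Classify a config file along the lines of the two error messages:
#   missing   -> "No ... file could be found"
#   no-marker -> readable, but without the "easy-rsa version 2.x" comment
#   ok        -> readable and carries the comment
# The grep pattern is an assumption derived from the message wording.
check_cnf() {  # $1 = path to the candidate config file
    if [ ! -r "$1" ]; then
        echo missing
    elif grep -Eiq 'easy-rsa version 2\.[0-9]' "$1"; then
        echo ok
    else
        echo no-marker
    fi
}

# Report what KEY_CONFIG would resolve to with the openssl binary in use.
diagnose() {  # $1 = easy-rsa directory
    ver=$(${OPENSSL:-openssl} version 2>/dev/null) || ver="unknown"
    cnf=$(select_cnf "$1" "$ver")
    echo "openssl version : $ver"
    echo "KEY_CONFIG      : $cnf"
    echo "status          : $(check_cnf "$cnf")"
}

# Run against a real tree only when a directory is given as an argument.
if [ -n "${1:-}" ]; then diagnose "$1"; fi
```

Saved to a file, it takes the easy-rsa directory as its only argument, for example /etc/openvpn/easy-rsa as in the error messages.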
     
  2. atanere

    atanere Moderator
    That's a likely possibility, and maybe more besides. Let me call attention to this with some of our better server/programmer fellows on here, @Rob, @Scotsgeek, @ryanvade, and @JasKinasis.... maybe one of them will be able to help get you on the right path.

    Cheers
     
  3. banderas20

    banderas20 New Member

    @atanere,

    God bless you. Anyway, I'll take a closer look at those scripts. They seem not to be very complicated, though I'm a newbie.

    Thanks!
     
