This, for example, https://wiki.archlinux.org/index.php/Easy-RSA says that I should put all server-related files into the "server" directory and all client ones into the "client" directory. I've generated all the files and moved them into "server" and "client". Then I wanted to generate a second client and got an exception.

$ sudo easyrsa build-client-full client2

Exception:

Easy-RSA error:

Missing expected CA file: ca.crt (perhaps you need to run build-ca?)
Run without commands for usage and command help.

easyrsa doesn't allow me to specify the location of a CA file. And perhaps it doesn't expect to find the ca.crt/key in the "server" directory.

Here's what I have in the "server":

$ ls -al  /etc/openvpn/server/
  ca.crt
  dh.pem
  openvpn-status.log
  openvpn.log
  server.conf
  server1.crt
  server1.key
  ta.key

Where should I put all my server certificates and keys and where client keys and certificates?

Menumo02

1 Answer

I think the misconception here is that all of this would be just one single thing that you are setting up, when in fact there are several conceptually separate roles involved.
(Roles which the guide you were "following" recommends to operate on separate machines.)

There is the role of a Certificate Authority (whether implemented through Easy-RSA or something more elaborate). It NEEDS its own key and all certificates to be able to operate.

There is the role of the OpenVPN server. It NEEDS its own key+cert as well as the CA cert.

There is the role of the OpenVPN clients. These NEED their own keys+certs as well as the CA cert.

No matter how you do this some files will be duplicated (particularly the CA certificate will likely be on MANY machines, not just the two copies you allude to).
If you want to have the CA on the same machine as the VPN server it's very possible that you can save a tiny amount of space by using the same files instead of copying some certificate files, but this does not actually appear worthwhile, and removing the files from the CA is not an option.

Håkan Lindqvist
  • My question isn't about the CA in particular. Where should I put my server and client-related files? – Menumo02 May 23 '17 at 16:04
  • @Menumo02 What specifically is the remaining concern? I tried to address what appeared to be the source of confusion but I'm not sure what else you are looking for an answer to. Also, no need to repeat the same comment over and over. – Håkan Lindqvist May 23 '17 at 18:11
  • Where exactly should I store all server certificates and keys, and where client ones? It's not described in the documentation. – Menumo02 May 24 '17 at 00:06
  • @Menumo02 Is this about Easy-RSA (where you just wouldn't (re-)move them) or about OpenVPN (where you should probably just follow the distro's conventions)? – Håkan Lindqvist May 24 '17 at 05:11
  • About both... I'll create a separate question – Menumo02 May 24 '17 at 07:37
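
One way to apply the role split from the answer, as an added example that is not part of the original thread: copy each role's files out of the Easy-RSA PKI instead of moving them, so `easyrsa` still finds `ca.crt` when the next client is built. It assumes the Easy-RSA 3 default `pki/` layout; `stage_role` and `make_sample_pki` are hypothetical helper names, and the sample PKI is made of constructed empty files.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (Easy-RSA 3 defaults):
#   $PKI/ca.crt   $PKI/issued/<name>.crt   $PKI/private/<name>.key

# stage_role PKI_DIR NAME OUT_DIR   (hypothetical helper)
# Copies the CA certificate plus NAME's certificate and key into OUT_DIR.
# Nothing is moved, so the CA keeps every file it needs to keep issuing.
stage_role() {
    pki=$1 name=$2 out=$3
    # The CA private key belongs to the CA role only; never put it in a bundle.
    if [ "$name" = "ca" ]; then
        echo "refusing to export the CA private key" >&2
        return 2
    fi
    # Verify the whole set first so a half-filled bundle is never produced.
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        if [ ! -f "$f" ]; then
            echo "missing in PKI: $f" >&2
            return 1
        fi
    done
    # umask 077 in a subshell: the copied key is owner-only from creation on,
    # and the caller's umask is left unchanged.
    ( umask 077
      mkdir -p "$out" &&
      cp "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$out/"
    ) || return 1
}

# make_sample_pki DIR   (constructed sample data: empty stand-in files)
make_sample_pki() {
    mkdir -p "$1/issued" "$1/private"
    for f in ca.crt private/ca.key issued/server1.crt private/server1.key \
             issued/client2.crt private/client2.key; do
        : > "$1/$f"
    done
}
```

The server directory additionally holds files that do not come from the PKI's `issued/` and `private/` directories, such as the `ta.key` and `server.conf` shown in the question's listing.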