Version 10 (modified by tct, 4 years ago)

Upgrading EasyRSA


This page describes the EasyRSA PKI upgrade process for two cases:

  • EasyRSA version 2 to EasyRSA version 3 (see Steps, Setup, Before, After and Fails below).
  • EasyRSA version <3.0.6 to EasyRSA version >3.0.6 (see "v30x to v306" below).


Steps

These CHECKS will be made if you upgrade now:

Before ANY changes are made a test run will be attempted ...

  • Verify: new PKI dir does not exist and will not be overwritten.
  • Verify: new backup PKI dir does not exist and will not be overwritten.
  • Verify and Source the current PKI settings: ./vars or ./vars.bat
  • Verify the current ca.crt

Then:

  • CONFIRM NOW THAT THIS IS THE CORRECT ca.crt and continue or quit

These CHANGES will be made if you continue:

Before ANY changes are made a test run will be attempted ...

  • Complete backup of the current PKI to ./VERY-SAFE-PKI
  • Create new PKI dirs for use with EasyRSA-3
  • Copy required working database files to new PKI
  • Copy current PKI to new PKI
  • Create new openssl-easyrsa.cnf file
  • Remove EasyRSA-2 program files
  • Build new EasyRSA-3 vars file
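As an added illustration (not EasyRSA's own upgrade code), the following POSIX shell function reproduces the pre-flight checks listed above as a stand-alone dry run that changes nothing; the function name, the ./keys location of the v2 PKI and the backup directory name ./VERY-SAFE-PKI are assumptions taken from this page's directory listings.

```shell
#!/bin/sh
# Added example, not part of EasyRSA: a read-only dry run of the upgrade checks.
# Run from inside ./easyrsa3. Assumed layout (from this page): the v2 PKI is in
# ./keys, the new PKI goes to ./pki, the backup goes to ./VERY-SAFE-PKI.
# Returns 0 when every check passes, 1 otherwise.

# $1 = EasyRSA working directory (defaults to the current directory)
easyrsa_upgrade_preflight() {
    dir="${1:-.}"
    ok=0

    # Verify: new PKI dir does not exist and will not be overwritten
    if [ -e "$dir/pki" ]; then
        echo "FAIL: $dir/pki already exists; remove it before upgrading" >&2
        ok=1
    fi
    # Verify: new backup PKI dir does not exist and will not be overwritten
    if [ -e "$dir/VERY-SAFE-PKI" ]; then
        echo "FAIL: $dir/VERY-SAFE-PKI already exists; remove it first" >&2
        ok=1
    fi
    # Verify the current PKI settings file is present (./vars or ./vars.bat)
    if [ ! -f "$dir/vars" ] && [ ! -f "$dir/vars.bat" ]; then
        echo "FAIL: no ./vars or ./vars.bat found in $dir" >&2
        ok=1
    fi
    # Verify the current ca.crt: must exist, be PEM and parse as X.509
    ca="$dir/keys/ca.crt"
    if [ ! -s "$ca" ] || ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
        echo "FAIL: $ca is missing or not a PEM certificate" >&2
        ok=1
    elif command -v openssl >/dev/null 2>&1; then
        if ! openssl x509 -in "$ca" -noout >/dev/null 2>&1; then
            echo "FAIL: $ca does not parse as an X.509 certificate" >&2
            ok=1
        else
            # Show the subject so the operator can confirm this is the right CA
            echo "CA subject: $(openssl x509 -in "$ca" -noout -subject)"
        fi
    fi
    return $ok
}
```

Every check reports its own failure before the function returns, so one run lists everything that must be fixed before the real upgrade is attempted.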

Setup

  1. You must install a new copy of EasyRSA v3.0.7 or above.
  2. Copy your existing EasyRSA v2 files and directories into ./easyrsa3
    Your ./easyrsa3 directory should now look something like the "Before" listing below.
  3. Linux: run ./easyrsa
  4. Windows: run easyrsa-start.bat and then ./easyrsa
    If you have trouble starting EasyRSA-v3, please consult the relevant documentation.
    Your ./easyrsa3 directory should now look something like the "After" listing below.

Before

(This list is not completely accurate ... )

.
├── bin
│   ├── { EasyRSA v3 Windows executables ... }
│
├── keys
│   ├── { Your current EasyRSA v2 PKI ... }
│
└── x509-types
    ├── { EasyRSA v3 x509 definition files ... }

Linux EasyRSA-v2 program files:
├── build-ca
├── build-dh
├── build-inter
├── build-key
├── build-key-pass
├── build-ca.bat
├── build-key-pkcs12
├── build-key-server
├── build-req
├── build-req-pass
├── clean-all
├── inherit-inter
├── list-crl
├── make-crl
├── pkitool
├── revoke-crt
├── revoke-full
└── sign-req

Windows EasyRSA-v2 program files:
├── build-ca-pass.bat
├── build-dh.bat
├── build-key.bat
├── build-key-pass.bat
├── build-key-pkcs12.bat
├── build-key-server.bat
├── build-key-server-pass.bat
├── clean-all.bat
├── EasyRSA-Start.bat
├── init-config.bat
├── revoke-full.bat
├── vars.bat
├── vars.bat.sample
└── whichopensslcnf

Common EasyRSA-v2 files:
├── index.txt.start
├── README.txt
└── serial.start

Common EasyRSA-v3 files:
├── easyrsa
├── openssl-easyrsa.cnf
└── vars.example

After

.
├── bin
│   ├── { EasyRSA v3 Windows executables ... }
│
├── keys
│   ├── { Your old EasyRSA v2 PKI ... }
│
├── pki
│   ├── { Your new EasyRSA v3 PKI ... }
│
├── VERY-SAFE-PKI
│   ├── { Your old EasyRSA v2 PKI ... backup files }
│
└── x509-types
    ├── { EasyRSA v3 x509 definition files ... }

Common EasyRSA-v3 files:
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── vars.example

Fails

Correct the error reported first.

Before you can try the update again you MUST remove these two directories:

  • ./easyrsa3/pki
  • ./easyrsa3/VERY_SAFE_PKI

You may also need to remove the newly created vars file at:

  • ./easyrsa3/vars

If you find this warning at the top of the ./vars file then it is safe to remove:

 ########################++++++++++#########################
 ###                                                     ###
 ###  WARNING: THIS FILE WAS AUTOMATICALLY GENERATED     ###
 ###           ALL SETTINGS ARE AT THE END OF THE FILE   ###
 ###                                                     ###
 ########################++++++++++#########################

CA certificate does not match vars file settings

The current CA details do not match the vars file in place.

v30x to v306

Only one change is required, in the file pki/index.txt.attr, which must contain:

unique_subject = no

Help

  • #easyrsa at freenode IRC.
  • https://forums.openvpn.net/viewforum.php?f=31