Version 13 (modified by 4 years ago) (diff) | ,
---|
Upgrading EasyRSA
Note: This wiki is a work in progress.
This page describes the EasyRSA PKI upgrade process:
EasyRSA PKI version 2 to EasyRSA version 3, see below.
EasyRSA CA version <3.0.6 to EasyRSA version >3.0.6
Table of Contents
Usage
To perform the upgrade:
./easyrsa upgrade pki
This will upgrade a version 2 PKI to version 3.
This upgrade will also perform the CA upgrade below.
The CA is set to allow duplicate certificates to allow for for renewal.
The PKI is not changed only copied.
./easyrsa upgrade ca
The CA is set to allow duplicate certificates to allow for for renewal.
The PKI is not changed.
To automate this upgrade use --batch
Steps
These CHECKS will be made if you upgrade now:
Before ANY changes are made a test run will be attempted ...
- Verify: new PKI dir does not exist and will not be over written.
- Verify: new backup PKI dir does not exist and will not be over written.
- Verify and Source the current PKI settings: ./vars or ./vars.bat
- Verify the current ca.crt
Then:
- CONFIRM NOW THAT THIS IS THE CORRECT ca.crt and continue or quit
These CHANGES will be made if you continue:
Before ANY changes are made a test run will be attempted ...
- Complete backup of the current PKI to ./VERY-SAFE-PKI
- Create new PKI dirs for use with EasyRSA-3
- Copy required working database files to new PKI
- Copy current PKI to new PKI
- Update the CA to allow duplicates for renewal
- create new openssl-easyrsa.cnf file
- Remove EasyRSA-2 program files
- Build new EasyRSA-3 vars file
Setup
- You must install a new copy of EasyRSA v3.0.7 or above
- Copy your existing EasyRSA v2 files and directories into
./easyrsa3
Your./easyrsa3
directory should now look something like Before below: - Linux: run
./easyrsa upgrade pki
- Windows: run
easyrsa-start.bat
and then./easyrsa upgrade pki
If you have trouble starting EasyRSA-v3, please consult the relevant documentation.
Your./easyrsa3
directory should now look something like After below:
Before
(This list is not completely accurate ... )
. ├── bin │ ├── { EasyRSA v3 Windows executables ... } │ ├── keys │ ├── { Your current EasyRSA v2 PKI ... } │ └── x509-types ├── { EasyRSA v3 x509 definition files ... } Linux EasyRSA-v2 program files: ├── build-ca ├── build-dh ├── build-inter ├── build-key ├── build-key-pass ├── build-ca.bat ├── build-key-pkcs12 ├── build-key-server ├── build-req ├── build-req-pass ├── clean-all ├── inherit-inter ├── list-crl ├── make-crl ├── pkitool ├── revoke-crt ├── revoke-full └── sign-req Windows EasyRSA-v2 program files: ├── build-ca-pass.bat ├── build-dh.bat ├── build-key.bat ├── build-key-pass.bat ├── build-key-pkcs12.bat ├── build-key-server.bat ├── build-key-server-pass.bat ├── clean-all.bat ├── EasyRSA-Start.bat ├── init-config.bat ├── revoke-full.bat ├── vars.bat ├── vars.bat.sample └── whichopensslcnf Common EasyRSA-v2 files: ├── index.txt.start ├── README.txt └── serial.start Common EasyRSA-v3 files: ├── easyrsa ├── openssl-easyrsa.cnf └── vars.example
After
. ├── bin │ ├── { EasyRSA v3 Windows executables ... } │ ├── keys │ ├── { Your old EasyRSA v2 PKI ... } │ ├── pki │ ├── { Your new EasyRSA v3 PKI ... } │ ├── VERY-SAFE-PKI │ ├── { Your old EasyRSA v2 PKI ... backup files } │ └── x509-types ├── { EasyRSA v3 x509 definition files ... } Common EasyRSA-v3 files: ├── easyrsa ├── openssl-easyrsa.cnf ├── vars └── vars.example
Fails
Correct the error reported first.
Before you can try the update again you MUST remove these two directories:
./easyrsa3/pki
./easyrsa3/VERY_SAFE_PKI
You may also need to remove the newly created vars file at:
./easyrsa3/vars
If you find this warning at the top of the ./vars file then it is safe to remove:
########################++++++++++######################### ### ### ### WARNING: THIS FILE WAS AUTOMATICALLY GENERATED ### ### ALL SETTINGS ARE AT THE END OF THE FILE ### ### ### ########################++++++++++#########################
Incompatible vars
file
The the vars
file in place uses export which Easyrsa3 does not support.
Too many vars
files
There exists a vars
file and a vars.bat
file. Only one of these files may exist.
CA certificate does not match vars
/vars.bat
file settings
The current CA details do not match the vars
file in place.
v30x to v306
Only one change is required:
pki/index.txt.attr
Required:unique_subject = no
Help
Help:
#easyrsa at freenode IRC.
https://forums.openvpn.net/viewforum.php?f=31