wiki:easyrsa-upgrade

Version 13 (modified by tct, 4 years ago) (diff)

--

Upgrading EasyRSA

Note: This wiki is a work in progress.

This page describes the EasyRSA PKI upgrade process:

EasyRSA PKI version 2 to EasyRSA version 3, see below.
EasyRSA CA version <3.0.6 to EasyRSA version >3.0.6

Table of Contents

  1. Usage
  2. Steps
  3. Setup
    1. Before
    2. After
  4. Fails
    1. Incompatible vars file
    2. Too many vars files
    3. CA certificate does not match vars/vars.bat file settings
  5. v30x to v306
  6. Help

Usage

To perform the upgrade:

  1. ./easyrsa upgrade pki
    This will upgrade a version 2 PKI to version 3.
    This upgrade will also perform the CA upgrade below.
    The CA is set to allow duplicate certificates to allow for for renewal.
    The PKI is not changed only copied.
  1. ./easyrsa upgrade ca
    The CA is set to allow duplicate certificates to allow for for renewal.
    The PKI is not changed.

To automate this upgrade use --batch

Steps

These CHECKS will be made if you upgrade now:

Before ANY changes are made a test run will be attempted ...

  • Verify: new PKI dir does not exist and will not be over written.
  • Verify: new backup PKI dir does not exist and will not be over written.
  • Verify and Source the current PKI settings: ./vars or ./vars.bat
  • Verify the current ca.crt

Then:

  • CONFIRM NOW THAT THIS IS THE CORRECT ca.crt and continue or quit

These CHANGES will be made if you continue:

Before ANY changes are made a test run will be attempted ...

  • Complete backup of the current PKI to ./VERY-SAFE-PKI
  • Create new PKI dirs for use with EasyRSA-3
  • Copy required working database files to new PKI
  • Copy current PKI to new PKI
  • Update the CA to allow duplicates for renewal
  • create new openssl-easyrsa.cnf file
  • Remove EasyRSA-2 program files
  • Build new EasyRSA-3 vars file

Setup

  1. You must install a new copy of EasyRSA v3.0.7 or above
  2. Copy your existing EasyRSA v2 files and directories into ./easyrsa3
    Your ./easyrsa3 directory should now look something like Before below:
  3. Linux: run ./easyrsa upgrade pki
  4. Windows: run easyrsa-start.bat and then ./easyrsa upgrade pki
    If you have trouble starting EasyRSA-v3, please consult the relevant documentation.
    Your ./easyrsa3 directory should now look something like After below:

Before

(This list is not completely accurate ... ) 

.
├── bin
│   ├── { EasyRSA v3 Windows executables ... }
│
├── keys
│   ├── { Your current EasyRSA v2 PKI ... }
│
└── x509-types
    ├── { EasyRSA v3 x509 definition files ... }

Linux EasyRSA-v2 program files:
├── build-ca
├── build-dh
├── build-inter
├── build-key
├── build-key-pass
├── build-ca.bat
├── build-key-pkcs12
├── build-key-server
├── build-req
├── build-req-pass
├── clean-all
├── inherit-inter
├── list-crl
├── make-crl
├── pkitool
├── revoke-crt
├── revoke-full
└── sign-req

Windows EasyRSA-v2 program files:
├── build-ca-pass.bat
├── build-dh.bat
├── build-key.bat
├── build-key-pass.bat
├── build-key-pkcs12.bat
├── build-key-server.bat
├── build-key-server-pass.bat
├── clean-all.bat
├── EasyRSA-Start.bat
├── init-config.bat
├── revoke-full.bat
├── vars.bat
├── vars.bat.sample
└── whichopensslcnf

Common EasyRSA-v2 files:
├── index.txt.start
├── README.txt
└── serial.start

Common EasyRSA-v3 files:
├── easyrsa
├── openssl-easyrsa.cnf
└── vars.example

After

.
├── bin
│   ├── { EasyRSA v3 Windows executables ... }
│
├── keys
│   ├── { Your old EasyRSA v2 PKI ... }
│
├── pki
│   ├── { Your new EasyRSA v3 PKI ... }
│
├── VERY-SAFE-PKI
│   ├── { Your old EasyRSA v2 PKI ... backup files }
│
└── x509-types
    ├── { EasyRSA v3 x509 definition files ... }

Common EasyRSA-v3 files:
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── vars.example

Fails

Correct the error reported first.

Before you can try the update again you MUST remove these two directories:

  • ./easyrsa3/pki
  • ./easyrsa3/VERY_SAFE_PKI

You may also need to remove the newly created vars file at:

  • ./easyrsa3/vars

If you find this warning at the top of the ./vars file then it is safe to remove: 

 ########################++++++++++#########################
 ###                                                     ###
 ###  WARNING: THIS FILE WAS AUTOMATICALLY GENERATED     ###
 ###           ALL SETTINGS ARE AT THE END OF THE FILE   ###
 ###                                                     ###
 ########################++++++++++#########################

Incompatible vars file

The the vars file in place uses export which Easyrsa3 does not support.

Too many vars files

There exists a vars file and a vars.bat file. Only one of these files may exist.

CA certificate does not match vars/vars.bat file settings

The current CA details do not match the vars file in place.

v30x to v306

Only one change is required:

pki/index.txt.attr
Required: unique_subject = no

Help

Help:

#easyrsa at freenode IRC.
https://forums.openvpn.net/viewforum.php?f=31