root@OpenWrt:~# easyrsa build-client-full client nopass
Note: using Easy-RSA configuration from: /usr/lib/easy-rsa/vars
Easy-RSA error:
EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: /root/pki
Run easyrsa without commands for usage and command help.
It says it does not exist, but I used it before to make a client ovpn file.
Or do I need to use these complete lines? (Doesn't this overwrite my existing keys?)
# Configuration parameters
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"
# Remove and re-initialize PKI directory
easyrsa init-pki
# Generate DH parameters
easyrsa gen-dh
# Create a new CA
easyrsa build-ca nopass
# Generate server keys and certificate
easyrsa build-server-full server nopass
openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem
# Generate client keys and certificate
easyrsa build-client-full client nopass
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem
When did you do it last? Have you upgraded to 21.02.1 since the last time you generated the keys? If so, did you reinstall the necessary packages?
Side note: you can also create the keys on a regular computer. This is much, much faster than doing it on a resource-constrained device like a consumer router.
To sign additional new client certificates into the existing deployed CA, you need the CA certificate and the CA private key. I'm not sure how easyrsa stores them but I'm guessing you need to point to a directory containing them. Do not remove that directory! Start from like the fourth step where you make client certificates. It's not necessary to do any server related stuff over again, including the time-consuming DH creation.
You can of course start over by generating a new CA chain, of course that will require replacing the CA and certificate on the server and all existing clients.
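As an added illustration of the "start from the client step" advice above (this is my own example, not code from the thread or the OpenWrt wiki), the following script points EASYRSA_PKI at the already deployed PKI, refuses to run unless that directory really holds the CA certificate and CA key, and then issues only a new client certificate and tls-crypt-v2 client key. The default path /etc/openwrt-style `${OVPN_PKI:-/etc/openvpn/pki}` and the function names are assumptions; adjust OVPN_PKI to wherever your existing pki directory lives.

```shell
#!/bin/sh
# Added example: issue one more client certificate into an existing Easy-RSA PKI
# on OpenWrt without re-running init-pki, gen-dh or build-server-full.
# Assumption: the deployed PKI is in $OVPN_PKI (default /etc/openvpn/pki is a guess).

# Return 0 when DIR looks like a deployed PKI that can sign new certificates:
# it must contain the CA certificate and the CA private key.
pki_ready() {
    dir="$1"
    [ -f "$dir/ca.crt" ] && [ -f "$dir/private/ca.key" ]
}

# Issue a client certificate plus a tls-crypt-v2 client key for NAME.
# Nothing here touches the CA, the server certificate or the DH parameters.
add_client() {
    name="$1"
    if ! pki_ready "$EASYRSA_PKI"; then
        echo "no CA in '$EASYRSA_PKI': set EASYRSA_PKI to the directory holding ca.crt and private/ca.key" >&2
        return 1
    fi
    if [ -f "$EASYRSA_PKI/issued/$name.crt" ]; then
        echo "client '$name' already issued; use a new name or revoke the old certificate first" >&2
        return 1
    fi
    easyrsa build-client-full "$name" nopass || return 1
    # The tls-crypt-v2 server key was created by the wiki script as private/server.pem.
    openvpn --tls-crypt-v2 "$EASYRSA_PKI/private/server.pem" \
        --genkey tls-crypt-v2-client "$EASYRSA_PKI/private/$name.pem"
}

# Only act when invoked with a client name, e.g.:  sh add_client.sh laptop
if [ "$#" -gt 0 ]; then
    export EASYRSA_PKI="${OVPN_PKI:-/etc/openvpn/pki}"   # assumed default path
    export EASYRSA_BATCH="1"
    add_client "$1"
fi
```

The new files to ship to the client are issued/NAME.crt, private/NAME.key, private/NAME.pem and ca.crt; the server does not need to change.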