After starting create-certs I'm asked "Enter PEM pass phrase". I assumed that a pass phrase is not required (even unwanted), so I pressed the ENTER key, after which the script continues. Is this the correct thing to do?
I do get a non-blocking message "vpnclient.csr: No such file or directory". Does that mean anything?
@marcoblom Encrypting the client key is not required, but is highly recommended, and if it's a client key for an Android device, the key must be encrypted, as Android has a non-customizable 771 permission structure for userland storage.
I'm not sure why it wouldn't be creating the CSR for the client, as the command that's being run is:
I again tried the script create-certs.sh from https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic but this time I DID enter a pass phrase. That worked: it now creates the file vpnclient.csr and correctly creates other files in /etc/openvpn that were 0 bytes on my first try. The script create-ovpn.sh now also works (it didn't the first time). Perhaps it also helped that I rebooted my router between the first try yesterday and the second, successful try today.
I didn't try the alternate script provided in this topic.
Can you PM the openssl.cnf, as I utilize a custom one I created years ago, which is what the OpenSSL PKI wiki utilizes. My hunch is one of the req sections in the default openssl.cnf, likely req_attributes, is the cause of not generating a CSR if a passphrase is not provided when the command does not include -nodes.
It's due to the [ req_attributes ] section, which stipulates the minimum password length is 4 characters.
Unless the key is for a server, private keys should always be encrypted with a passphrase, else you're opening a massive hole in the security of the VPN and all data flowing through its tunnel.
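Added example, not the wiki's create-certs.sh and not posted by anyone in this thread: a small POSIX shell script that does what the thread is circling around without ever showing the "Enter PEM pass phrase" prompt. The client key is generated with the passphrase supplied through `-passout`, so the script is non-interactive and the key still lands on disk encrypted; the server key is generated with `-nodes`, which is the one case the last post treats as acceptable. Two checks follow that a practitioner wants after a run like the one described above (0-byte files, missing vpnclient.csr): that the key file really is encrypted and unlocks only with the right passphrase, and that the CSR is non-empty and carries a valid self-signature. Assumptions: `openssl` is on PATH, the names `vpnclient`/`vpnserver` and the passphrase are made up, and the script writes to a temporary directory rather than /etc/openvpn. It does not try to settle what caused the empty-passphrase failure; it only avoids it.

```shell
#!/bin/sh
# Added example (not the OpenWrt wiki's create-certs.sh).
# Assumes: openssl on PATH. Names, CNs and the passphrase are made up.

# Client key + CSR with an encrypted key, non-interactively.
# $1 = name (CN and file stem), $2 = key passphrase, $3 = output directory
gen_client_csr() {
  name=$1; pass=$2; dir=$3
  # -passout supplies the key passphrase, so the "Enter PEM pass phrase"
  # prompt never appears; -subj/-batch suppress the subject prompts.
  openssl req -new -newkey rsa:2048 -batch \
    -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    -passout "pass:$pass" >/dev/null 2>&1
}

# Server key + CSR with an unencrypted key (-nodes), the one case where an
# unattended daemon cannot type a passphrase at start-up.
# $1 = name, $2 = output directory
gen_server_key() {
  openssl req -new -newkey rsa:2048 -batch -nodes \
    -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.csr" >/dev/null 2>&1
}

# Check 1: is the PEM key actually encrypted?
# Modern openssl writes PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY"); the
# traditional format carries a "Proc-Type: 4,ENCRYPTED" header instead.
key_is_encrypted() {
  grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Check 2: does the given passphrase unlock the key? This is what OpenVPN
# (via --askpass or a prompt) must succeed at when the client connects.
# $1 = key file, $2 = passphrase
key_unlocks_with() {
  openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Check 3: is the CSR non-empty and self-consistent? A 0-byte file or a
# missing file, as reported in the thread, fails here instead of later in
# the signing step.
csr_is_valid() {
  [ -s "$1" ] && openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone run: generate both pairs in a temp dir and report the checks.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gen_client_csr vpnclient 'correct horse battery staple' "$d" \
    && key_is_encrypted "$d/vpnclient.key" \
    && key_unlocks_with "$d/vpnclient.key" 'correct horse battery staple' \
    && csr_is_valid "$d/vpnclient.csr" \
    && echo "client: encrypted key and valid CSR in $d"
  gen_server_key vpnserver "$d" \
    && ! key_is_encrypted "$d/vpnserver.key" \
    && csr_is_valid "$d/vpnserver.csr" \
    && echo "server: unencrypted (-nodes) key and valid CSR in $d"
fi
```

Run it as `sh script.sh demo`. If you adapt it to a real deployment, pass the passphrase in from a prompt or a file (`-passout file:`) rather than leaving it in the command line or shell history, and keep the `key_is_encrypted` check: it is the cheapest way to catch a client key that was accidentally written with `-nodes` before it is copied onto a device.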