How do you verify a client RSA key via CLI?

1

I am experiencing some issues with OpenVPN and I would like to verify the client's connecting key. I found a number of samples on how to verify the server's key:

linux-3kfe:/usr/share/easy-rsa/keys # openssl x509 -noout -modulus -in server.crt | openssl md5
(stdin)= beddfdbb495c246fff85b852f150f896
linux-3kfe:/usr/share/easy-rsa/keys # openssl rsa -noout -modulus -in server.key | openssl md5
(stdin)= beddfdbb495c246fff85b852f150f896
linux-3kfe:/usr/share/easy-rsa/keys # openssl req -noout -modulus -in server.csr | openssl md5
(stdin)= beddfdbb495c246fff85b852f150f896

But no clear method to verify the client's connecting key:

linux-3kfe:/usr/share/easy-rsa/keys # openssl req -noout -modulus -in client1.key | openssl md5
unable to load X509 request
140312459372176:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
(stdin)= d41d8cd98f00b204e9800998ecf8427e
linux-3kfe:/usr/share/easy-rsa/keys # openssl req -noout -modulus -in client1.csr | openssl md5
(stdin)= a78884d4c1010f599a6801b2f3b76d85
linux-3kfe:/usr/share/easy-rsa/keys # openssl req -noout -modulus -in client1.crt | openssl md5
unable to load X509 request
139712641472144:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
(stdin)= d41d8cd98f00b204e9800998ecf8427e

How would you verify a client SSL RSA key outside of the server such as OpenVPN, to test that the client keys were produced correctly?

I tried to create a test server using the easy-rsa keys. I am not sure if I did it correctly: https://bpaste.net/show/543cbd43aa1a

Would this imply my keys are being produced incorrectly?

jack2222

Posted 2015-10-15T22:32:47.450

Reputation: 11

You have used openssl req [sign request] for each of your client key tests. Instead, try the same as you did for your server, i.e. openssl rsa -noout -modulus -in client1.key

– dotvotdot – 2015-10-16T22:56:53.203

Can you please expand on this: I am experiencing some issues with openvpn – dotvotdot – 2015-10-16T22:58:06.310

@dotvotdot Thank you very much for your response. At this point I have figured out that the keys are fine. I am thinking I should post a different question because the problem is some place completely elsewhere -> My server config works fine on a Gentoo server, but the exact same OpenVPN server config does not work on FreeBSD. https://bpaste.net/show/fdb5a2b4c09c I see traffic hitting the NIC with tcpdump. I 'can' connect via a static site and ping the server tun0 from client, -> https://bpaste.net/show/9d192d023718 but FreeBSD appears to be unable to digest the RSA key.

– jack2222 – 2015-10-17T06:42:51.857

PS, post your comment as an answer. Your response shows it's a functional key; I am not positive if it validates it. But after reading deeper it's really not necessary. But your response is a valid response to the question. – jack2222 – 2015-10-17T06:48:42.057

Answers

0

In the case of the key: You have used openssl req [sign request] for each of your client key tests. Instead, try the same as you did for your server, i.e. openssl rsa -noout -modulus -in client1.key

In the case of OpenVPN config, the log file says it all:

WARNING: using --pull/--client and --ifconfig together is probably not what you want

What you do want is to remove the incorrect ifconfig from your client config and let the server push the correct value for you. Perhaps you want to review the Official Howto.

dotvotdot

Posted 2015-10-15T22:32:47.450

Reputation: 496
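
The modulus comparison discussed in this thread, as an added example that is not part of the original posts: a shell helper that picks `openssl rsa`, `req` or `x509` from each file's PEM header and refuses to hash an empty result. The script name `check_modulus.sh` and the function names are hypothetical, and SHA-256 is used here in place of the MD5 fingerprint shown in the question.

```shell
#!/bin/sh
# Added example: compare the RSA modulus across a key, CSR and certificate.

# Print a SHA-256 digest of the modulus in one PEM file. The openssl
# subcommand is picked from the PEM header, not from the file extension.
modulus_digest() {
    file=$1
    if grep -q -e '-----BEGIN CERTIFICATE REQUEST-----' "$file"; then
        sub=req
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$file"; then
        sub=x509
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$file"; then
        sub=rsa
    else
        echo "unrecognised PEM type: $file" >&2
        return 2
    fi
    # Capture the modulus before hashing. Piping a failed openssl call
    # straight into a digest hashes empty input, which is where the
    # d41d8cd9... MD5 values in the question come from.
    mod=$(openssl "$sub" -noout -modulus -in "$file" 2>/dev/null) || return 2
    [ -n "$mod" ] || return 2
    printf '%s' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when every listed file has the same modulus as the first,
# 1 on a mismatch, 2 when a file cannot be parsed.
same_modulus() {
    ref=$(modulus_digest "$1") || return 2
    shift
    for f in "$@"; do
        d=$(modulus_digest "$f") || return 2
        if [ "$d" != "$ref" ]; then
            echo "MISMATCH: $f" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh check_modulus.sh client1.key client1.csr client1.crt
if [ "$#" -gt 0 ]; then
    same_modulus "$@" && echo "OK: all files share one RSA modulus"
fi
```

A match only shows that the files belong to the same key pair; whether the certificate was signed by the expected CA is a separate check.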