I am experiencing some issues with openvpn and I would like to verify the client's connecting key. I found a number of samples on how to verify the server's key:
linux-3kfe:/usr/share/easy-rsa/keys # openssl x509 -noout -modulus -in server.crt | openssl md5
(stdin)= beddfdbb495c246fff85b852f150f896
linux-3kfe:/usr/share/easy-rsa/keys # openssl rsa -noout -modulus -in server.key | openssl md5
(stdin)= beddfdbb495c246fff85b852f150f896
linux-3kfe:/usr/share/easy-rsa/keys # openssl req -noout -modulus -in server.csr | openssl md5
(stdin)= beddfdbb495c246fff85b852f150f896
But no clear method to verify the client's connecting key:
linux-3kfe:/usr/share/easy-rsa/keys # openssl req -noout -modulus -in client1.key | openssl md5
unable to load X509 request
140312459372176:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
(stdin)= d41d8cd98f00b204e9800998ecf8427e
linux-3kfe:/usr/share/easy-rsa/keys # openssl req -noout -modulus -in client1.csr | openssl md5
(stdin)= a78884d4c1010f599a6801b2f3b76d85
linux-3kfe:/usr/share/easy-rsa/keys # openssl req -noout -modulus -in client1.crt | openssl md5
unable to load X509 request
139712641472144:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
(stdin)= d41d8cd98f00b204e9800998ecf8427e
How would you verify a client's SSL RSA key outside of a server such as openvpn, to test that the client keys were produced correctly?
I tried to create a test server using the easy-rsa keys. I am not sure if I did it correctly: https://bpaste.net/show/543cbd43aa1a
Would this imply my keys are being produced incorrectly?
You have used openssl req [sign request] for each of your client key tests. Instead, try the same as you did for your server, i.e. openssl rsa -noout -modulus -in client1.key – dotvotdot – 2015-10-16T22:56:53.203
Can you please expand on this: "I am experiencing some issues with openvpn" – dotvotdot – 2015-10-16T22:58:06.310
@dotvotdot Thank you very much for your response. At this point I have figured out that the keys are fine. I am thinking I should post a different question because the problem is someplace completely elsewhere -> My server config works fine on a Gentoo server, but the exact same openvpn server config does not work on FreeBSD. https://bpaste.net/show/fdb5a2b4c09c I see traffic hitting the NIC with tcpdump. I 'can' connect via a static site and ping the server tun0 from client, -> https://bpaste.net/show/9d192d023718 but FreeBSD appears to be unable to digest the RSA key. – jack2222 – 2015-10-17T06:42:51.857
PS, post your comment as an answer. Your response shows it's a functional key; I am not positive if it validates it. But after reading deeper it's really not necessary. But your response is a valid response to the question. – jack2222 – 2015-10-17T06:48:42.057
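
Added example, not part of the original thread: a shell helper that picks the openssl subcommand (rsa, req or x509) from each file's PEM header and compares modulus digests across a key, CSR and certificate, going beyond the single command in the comment above. The function names and generated sample files are assumptions made for illustration, and SHA-256 is used here in place of the thread's MD5.

```shell
#!/bin/sh
# Added example (not from the thread): check that a key, CSR and certificate
# share one RSA modulus, choosing the openssl subcommand from the PEM header.

# Map a PEM file to the openssl subcommand able to parse it.
pem_subcommand() {
    case "$(sed -n '/-----BEGIN/{p;q;}' "$1")" in
        *'CERTIFICATE REQUEST'*) echo req ;;
        *'CERTIFICATE'*)         echo x509 ;;
        *'PRIVATE KEY'*)         echo rsa ;;   # RSA keys only, as in the thread
        *)                       return 1 ;;
    esac
}

# Print a SHA-256 digest of the modulus; fail rather than hash empty output,
# which is what yields d41d8cd98f00b204e9800998ecf8427e (MD5 of nothing).
modulus_digest() {
    sub=$(pem_subcommand "$1") || { echo "unrecognised PEM: $1" >&2; return 1; }
    mod=$(openssl "$sub" -noout -modulus -in "$1" 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    printf '%s\n' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if all files carry the same modulus, 1 on mismatch, 2 on parse error.
same_keypair() {
    first=$(modulus_digest "$1") || return 2
    shift
    for f in "$@"; do
        d=$(modulus_digest "$f") || return 2
        [ "$d" = "$first" ] || return 1
    done
}

# Constructed sample data: a throwaway client key, CSR and self-signed
# certificate, plus an unrelated key, written to directory $1.
make_samples() {
    openssl req -newkey rsa:2048 -nodes -subj /CN=client1 \
        -keyout "$1/client1.key" -out "$1/client1.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/client1.csr" \
        -signkey "$1/client1.key" -out "$1/client1.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}
```

A matching modulus shows the files belong to the same key pair; it does not show that the certificate was signed by the expected CA.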