Peter Barwich wrote:
And finally, just to confirm, your command, Josh, to decrypt the
private file (openssl rsa -in encrypted.key -out unencrypted.key),
does, indeed, work perfectly. Thanks for drawing my attention to this.
Thanks again, and you are of course right.
For your reference, all the scripts in the easy-rsa directory included
with OpenVPN are just wrapper scripts for the openssl command designed
to make generating a PKI simpler. If you are curious about how openssl
is used in the other certificate operations (CA generation, signing,
client generation, revoking, etc) I'd encourage you to open up the
scripts and see how they invoke openssl. Combined with the OpenSSL
documentation (either on the website of by checking the output of the
openssl command, eg `openssl ca help` will spit output on how to use the
ca command) you can figure out what options they're using and how they work.
It's certainly not required to know how to use OpenSSL before using the
easy-rsa scripts or OpenVPN, but it's sometimes nice to be able to
manipulate the keys and certificates by hand if you want to do something
not supported in the easy-rsa scripts.
One point that may help others is to note that openssl.cnf does not
show in windows with the extension, even if 'hide extensions for known
file types' is turned off. The registry has it set as a
'ConferenceLink' type (HKEY_CLASSES_ROOT\.cnf) and you're not even
presented with an 'open with' dialogue in the context menu from
explorer. You can alter this behaviour in the registry, (e.g. change
the key name to HKEY_CLASSES_ROOT\.cnfold and log off/on) but there's
really no need once you realise that the init-config script simply
copies openssl.cnf.sample to openssl.cnf, and you CAN do 'open with' on
openssl.cnf.sample. Not a big deal, but a little confusing for bears of
small brain like me.