
Re: [Openvpn-users] build-key-pass confusion

  • Subject: Re: [Openvpn-users] build-key-pass confusion
  • From: Peter Barwich <pbarwich@xxxxxxxxxxx>
  • Date: Mon, 02 Jul 2007 13:11:34 +0100

Peter Barwich wrote:
And finally, just to confirm, your command, Josh, to decrypt the
private file (openssl rsa -in encrypted.key -out unencrypted.key),
does, indeed, work perfectly. Thanks for drawing my attention to this.

Josh replied:
For your reference, all the scripts in the easy-rsa directory included
with OpenVPN are just wrapper scripts for the openssl command designed
to make generating a PKI simpler.  If you are curious about how openssl
is used in the other certificate operations (CA generation, signing,
client generation, revoking, etc) I'd encourage you to open up the
scripts and see how they invoke openssl.  Combined with the OpenSSL
documentation (either on the website or by checking the output of the
openssl command, e.g. `openssl ca help` will spit output on how to use the
ca command) you can figure out what options they're using and how they work.

It's certainly not required to know how to use OpenSSL before using the
easy-rsa scripts or OpenVPN, but it's sometimes nice to be able to
manipulate the keys and certificates by hand if you want to do something
not supported in the easy-rsa scripts.
Thanks again, and you are of course right.

One point that may help others is to note that openssl.cnf does not show in windows with the extension, even if 'hide extensions for known file types' is turned off. The registry has it set as a 'ConferenceLink' type (HKEY_CLASSES_ROOT\.cnf) and you're not even presented with an 'open with' dialogue in the context menu from explorer. You can alter this behaviour in the registry, (e.g. change the key name to HKEY_CLASSES_ROOT\.cnfold and log off/on) but there's really no need once you realise that the init-config script simply copies openssl.cnf.sample to openssl.cnf, and you CAN do 'open with' on openssl.cnf.sample. Not a big deal, but a little confusing for bears of small brain like me.
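A worked example of what this thread is about, added here and not taken from the message, from easy-rsa or from OpenVPN: it produces the kind of passphrase-protected key that build-key-pass leaves behind, runs the `openssl rsa -in encrypted.key -out unencrypted.key` command discussed above to strip the passphrase, and then checks the two things a practitioner wants to be sure of afterwards: that both files really hold the same key pair, and that the now-unprotected key is readable only by its owner. It assumes only an `openssl` binary on PATH; the passphrase, file names and work directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN easy-rsa scripts.
# Shows what build-key-pass produces (a passphrase-protected PEM key) and what the
# "openssl rsa -in encrypted.key -out unencrypted.key" command from the message
# does to it. Assumes an `openssl` binary on PATH; the passphrase, file names and
# work directory below are constructed for the demo.
set -eu
umask 077                                   # every key file written below is created 0600

WORK="${TMPDIR:-/tmp}/easyrsa-demo.$$"
export DEMO_PASS='correct horse battery staple'   # demo passphrase; env:VAR keeps it out of `ps` and history

# Step 1: an AES-256-encrypted RSA key, the kind build-key-pass leaves behind
# (easy-rsa runs "openssl req" without -nodes, so openssl asks for a passphrase).
make_encrypted_key() {
    mkdir -p "$WORK"
    openssl genrsa -aes256 -passout env:DEMO_PASS -out "$WORK/encrypted.key" 2048 2>/dev/null
    printf '%s\n' "$WORK/encrypted.key"
}

# Returns 0 when the PEM file is passphrase-protected, 1 when it is in the clear.
# Both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" form contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Step 2: the command from the thread. The only addition is -passin, so the
# script does not stop at the passphrase prompt. After this the key is protected
# by nothing but file permissions, which is why the umask 077 above matters.
strip_passphrase() {
    openssl rsa -in "$1" -passin env:DEMO_PASS -out "$WORK/unencrypted.key" 2>/dev/null
    printf '%s\n' "$WORK/unencrypted.key"
}

# Sanity check: both files must hold the same key pair, so compare public keys.
# -passin is ignored for a key that is not encrypted.
pubkey_digest() {
    openssl rsa -in "$1" -passin env:DEMO_PASS -pubout 2>/dev/null | openssl sha256
}
same_key() {
    [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]
}

# Permission bits of a file as an "-rw-------" style string.
mode_of() {
    ls -l "$1" | cut -c1-10
}

cleanup() { rm -rf "$WORK"; }

demo() {
    enc=$(make_encrypted_key)
    dec=$(strip_passphrase "$enc")
    key_is_encrypted "$enc" && echo "$enc: passphrase-protected"
    key_is_encrypted "$dec" || echo "$dec: NOT protected, mode $(mode_of "$dec")"
    same_key "$enc" "$dec" && echo "both files contain the same key pair"
    cleanup
}

if [ "${DEMO_RUN:-0}" = 1 ]; then demo; fi
```

Run it with `DEMO_RUN=1 sh keypass-demo.sh`. The passphrase is handed to openssl through `env:DEMO_PASS` rather than on the command line because command-line arguments are visible to every user on the machine via `ps`; the `umask 077` is the part that actually matters once the passphrase is gone, since an OpenVPN server reads the unencrypted key at startup and the only thing standing between it and any local user is the file mode.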