List:       openvpn-users
Subject:    Re: [Openvpn-users] EasyRSA - changing the password associated with a ca.key file
From:       Jan Just Keijser <janjust () nikhef ! nl>
Date:       2020-11-02 17:00:31
Message-ID: 9e359c53-7068-e0e3-0982-fe0dcf38c73a () nikhef ! nl

hi,

On 02/11/20 17:51, Stephen wrote:
> Hi Jan, thanks very much for your help I will definitely try that.
>
> After I wrote my original message I also stumbled across the 
> set-rsa-pass switch to the easyrsa script. I tried invoking this on my 
> ca.key file like so:
>
> ./easyrsa set-rsa-pass ca
>
> This also seemed to work when I tried it during a quick test and 
> allowed me to change the password assigned to my ca.key file.
>
> A cursory glance at the implementation suggests that set-rsa-pass 
> certainly does seem to pass the -aes256 argument to OpenSSL. So I think
> this is just an alternative way of invoking the same OpenSSL commands 
> you suggested Jan. Albeit one that avoids invoking OpenSSL directly...
>
>
the 'easyrsa set-rsa-pass' command invokes
   easyrsa_openssl rsa -in $infile -out $outfile $crypto
with crypto=aes256 by default so yes, the easyrsa command just invokes 
the OpenSSL binary for you... Remember that the easy-rsa scripts are 
merely wrappers around OpenSSL.

HTH,

JJK


> On 02/11/2020 16:27, Jan Just Keijser wrote:
>> Hi,
>>
>> On 02/11/20 16:32, Stephen wrote:
>>> Hi everyone, the Easy-RSA forums directed me to this mailing list 
>>> for support questions. Hopefully someone here will be able to help me.
>>>
>>> I have successfully created an EasyRSA 3 based PKI CA as described 
>>> in the standard tutorials on this topic. This currently works with 
>>> OpenVPN without issue. The ca.key file I have created for my PKI is 
>>> passworded in line with best practice. Consequently I am prompted 
>>> for this password every time I sign cert requests with the CA. So far 
>>> so good.
>>>
>>> My question is this:
>>> How can I change the password associated with this ca.key file?
>>>
>>> The specific scenario I have in mind is when I already know the 
>>> existing ca.key password but I want to change the password to 
>>> something else? For example if an admin leaves my workplace it is 
>>> obviously best practice to change the password associated with the CA key.
>>>
>>> Is this possible with EasyRSA without recreating my entire CA from 
>>> scratch and re-issuing all keys?
>>>
>>
>> find your ca.key file, then run
>>   mv ca.key oldca.key
>>   openssl rsa -in oldca.key  -out ca.key -aes256
>>
>> which will first prompt you for the old password, then ask for the 
>> new one (twice).
>>
>> HTH,
>>
>> JJK
>>
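
An added example, not part of the thread and not Easy-RSA code: the `openssl rsa ... -aes256` re-encryption discussed above, run non-interactively and followed by a check that the new file holds the same key pair and rejects the old passphrase. The function names, the `.old` suffix and the `OLD_PASS`/`NEW_PASS` environment variables are assumptions of this example; the commands in the thread prompt for the passphrases instead.

```shell
#!/bin/sh
# Added example: change the passphrase on an RSA private key and verify
# the result before the old file is deleted.
# Assumption: passphrases are supplied in the environment variables
# OLD_PASS and NEW_PASS (exported by the caller, and different).

# pubkey_of KEYFILE ENVVAR
# Print the public key of KEYFILE; fails if the passphrase held in the
# variable named ENVVAR does not decrypt it.
pubkey_of() {
    openssl rsa -in "$1" -passin "env:$2" -pubout 2>/dev/null
}

# rotate_key_pass KEYFILE
# Re-encrypt KEYFILE in place with AES-256 under NEW_PASS.
# Returns 0 only when every check passes; on a verification failure the
# original is kept as KEYFILE.old for inspection.
rotate_key_pass() {
    key=$1
    old="$key.old"
    mv "$key" "$old" || return 1
    # Subshell so the restrictive umask applies to the new key file only.
    if ! ( umask 077
           openssl rsa -in "$old" -passin env:OLD_PASS \
               -out "$key" -aes256 -passout env:NEW_PASS 2>/dev/null ); then
        rm -f "$key"            # drop any partial output
        mv "$old" "$key"        # roll back (e.g. wrong old passphrase)
        return 1
    fi
    # Same key pair? Compare the public keys derived from both files.
    before=$(pubkey_of "$old" OLD_PASS) || return 1
    after=$(pubkey_of "$key" NEW_PASS) || return 1
    [ -n "$before" ] && [ "$before" = "$after" ] || return 1
    # The old passphrase must no longer open the new file.
    if pubkey_of "$key" OLD_PASS >/dev/null; then
        return 1
    fi
    rm -f "$old"
}

# make_demo_key DIR
# Constructed sample input: a throwaway 2048-bit key encrypted with OLD_PASS.
make_demo_key() {
    openssl genrsa -aes256 -passout env:OLD_PASS -out "$1/ca.key" 2048 2>/dev/null
}
```

Re-encrypting protects only this file: any copy or backup of the key made before the change still opens with the old passphrase.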


