LinuxQuestions.org
Old 10-19-2006, 02:13 AM   #1
Sleen
Member
 
Registered: Sep 2005
Location: Kampala,Uganda
Distribution: RHEL,FC,SUSE,UBUNTU
Posts: 41

Rep: Reputation: 15
openvpn client certificate is 0 bytes


Hi all,
I am configuring openvpn-2.0.8. I generated the ca, key and cert for both the server and the client. The client.crt for all clients is 0 bytes. Contains nothing.
My worry is, is this how it is supposed to be? Because when I start the openvpn client, the config file is unable to open the certificate.
Some help please!
 
Old 10-19-2006, 03:48 PM   #2
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
Definitely not - my client crts are about 3.5Kb. Size probably depends on the encryption method. Sounds as though your keygen didn't work.
 
Old 10-20-2006, 12:28 AM   #3
Sleen
Member
 
Registered: Sep 2005
Location: Kampala,Uganda
Distribution: RHEL,FC,SUSE,UBUNTU
Posts: 41

Original Poster
Rep: Reputation: 15
What do you suggest I do?
 
Old 10-22-2006, 04:22 AM   #4
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
The OpenVPN documentation on their website is very good indeed so if you follow their steps exactly to generate keys it should work. The steps involve building your own CA, the server keys and the client keys. I'd follow their procedure exactly again which will delete existing keys and create new ones under the easy-rsa/keys directory. One possibility is that when you create the keys you MUST enter a unique common name. I use server for the server key and client1, client2 etcetera for the client keys. If you don't enter a common name it will give an error message and not generate the key. If it all works as planned you should get confirmation messages that the keys are generated.

I generate all keys on the server as root and then securely copy the client keys to the correct clients.
 
Old 10-22-2006, 07:56 AM   #5
Sleen
Member
 
Registered: Sep 2005
Location: Kampala,Uganda
Distribution: RHEL,FC,SUSE,UBUNTU
Posts: 41

Original Poster
Rep: Reputation: 15
Thanks Andrew.
Actually, I had generated the keys again. I also use unique common names as advised by the openvpn documents. But still, I get client certificates that are 0 bytes large. I wonder what the prob is!
 
Old 10-23-2006, 03:48 AM   #6
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
Haven't got access to my linux server at the moment so working from memory.

Have you made sure that all the required parameters in the vars script have something in them? If the vars script has been run, did the CA and server key generate okay? Does it go through the client build script prompts okay and then asks for "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]" ? If so then it should generate the cert. If it does this but the cert is still 0 bytes then the only thing I can think of is file permissions.

Unfortunately apart from not completing all the necessary fields in the vars script and forgetting to put a common name in I've never had any issues with generating keys - I do them all on the server in the easy-rsa directory.

Have another go from scratch, record the output of each stage and if it still won't work post the output to see if we can spot anything.
 
Old 10-24-2006, 05:03 AM   #7
Sleen
Member
 
Registered: Sep 2005
Location: Kampala,Uganda
Distribution: RHEL,FC,SUSE,UBUNTU
Posts: 41

Original Poster
Rep: Reputation: 15
Yes. Actually, I've done all that and it confirms each step as you list them. Also, the ca and server keys are ok. The problem is just with the client keys, which are 0 bytes.
Maybe I should try from scratch again.
Thanks though
 
Old 12-15-2016, 11:21 PM   #8
odielag
LQ Newbie
 
Registered: Aug 2012
Posts: 4

Rep: Reputation: Disabled
I want to know the answer for this also.

I want to know the answer for this also. If I find a solution soon I'll reply here with it.
 
Old 12-16-2016, 12:19 AM   #9
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4196
Quote:
Originally Posted by odielag
I want to know the answer for this also. If I find a solution soon I'll reply here with it.
You have re-opened a thread which was last active more than 10 years ago.

Beginning your own thread with a clear description of your specific problem will give your question better visibility and be more likely to attract current, useful answers.

Please see the Site FAQ for guidance on how to write an effective problem description.
 
Old 12-16-2016, 10:17 AM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
If you get a "zero-length key," here's the answer:

At one point you got a message: failed to update database - error number 2.

"easy-rsa" maintains a database (actually just a text file, keys/index.txt) of keys that it has issued, by common name. If it finds an entry already in this file, it will generate this error, and(!) create a zero-length key file.

Locate the file and remove the entry. (It's just a text file ...) Then retry the entire procedure.

If it worked, you should see data base updated. The file will now have real contents.

... and how do I know this? ...

Last edited by sundialsvcs; 12-16-2016 at 10:18 AM.
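
The check described in the post above, as an added example that is not part of the original thread: it lists zero-length certificates in an easy-rsa keys directory and shows which keys/index.txt entries already carry the same common name. The function names and the sample directory are constructed for illustration; it assumes index.txt uses OpenSSL's tab-separated CA database layout (subject in the sixth field) and that each .crt file is named after its common name.

```sh
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Print the base name of every zero-length .crt file in directory $1.
find_empty_certs() {
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue          # glob matched nothing
        [ -s "$f" ] || basename "$f" .crt
    done
}

# Print "line:status:serial" for each index.txt ($1) entry whose subject
# has CN equal to $2. Fields are tab-separated; the subject DN is field 6.
index_entries_for_cn() {
    awk -F'\t' -v cn="$2" '{
        n = split($6, part, "/")
        for (i = 1; i <= n; i++)
            if (part[i] == "CN=" cn) print NR ":" $1 ":" $4
    }' "$1"
}

# For each empty certificate, report the index.txt entries sharing its name
# (assumes the file name matches the common name, as in the thread).
report_conflicts() {
    find_empty_certs "$1" | while read -r name; do
        hits=$(index_entries_for_cn "$1/index.txt" "$name" | tr '\n' ' ')
        echo "$name.crt is empty; index.txt entries: ${hits:-none}"
    done
}

# Constructed sample keys directory: client1 was already issued once
# (serial 02) and a second build left client1.crt at zero bytes.
make_sample_keys() {
    d=$(mktemp -d)
    printf 'V\t161017021300Z\t\t01\tunknown\t/C=UG/O=Example/CN=server\n'  >  "$d/index.txt"
    printf 'V\t161017021300Z\t\t02\tunknown\t/C=UG/O=Example/CN=client1\n' >> "$d/index.txt"
    echo "dummy certificate body" > "$d/server.crt"
    : > "$d/client1.crt"
    echo "$d"
}

keys=$(make_sample_keys)
report_conflicts "$keys"
rm -rf "$keys"
```

The script only reports and changes nothing. A `V` entry means a certificate for that name was issued earlier, so record its serial before removing the line as described above.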
 
Old 12-16-2016, 10:59 AM   #11
odielag
LQ Newbie
 
Registered: Aug 2012
Posts: 4

Rep: Reputation: Disabled
For me the solution was to "sudo apt-get remove --purge openvpn easy-rsa" and then reinstall them and follow the directions at... https://vsefer.com/content/install-o...-debian-jessie
 
Old 12-17-2016, 08:33 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
Well, of course you can "just detonate a small thermonuclear bomb under easy-rsa and reinstall it," but you don't need to go to such draconian measures to fix a simple (but not at all obvious ...) problem.

Look carefully and you'll see the error message, I think in the certificate-signing step. It's terribly easy to overlook, especially since it does create a (zero length ...) file. (I'm sure that's a bug, but it'll probably never be fixed.)

Last edited by sundialsvcs; 12-17-2016 at 08:34 PM.
 
  

