Easy-RSA is great, but the documentation doesn’t cover much about backup and restore, so this is a quick write-up on the topic.
If you want to back up your entire CA, save your easyrsa3/pki directory. You can simply restore this pki directory in a new install of easy-rsa and you will be back in business.
If you don’t want to back up your issued certificates, for example because you are using your CA for VPN authentication (in that case you only need the certificate serials for revocation, and those are in pki/index.txt), you only need to save the following four files:
    pki/ca.crt
    pki/private/ca.key
    pki/issued/server.crt
    pki/private/server.key
These files don’t ever change, so you don’t need to back them up frequently.
When you want to restore your easy-rsa install, you first have to create a skeleton pki directory with the easyrsa init-pki command, then put the four files from above back in their previous places.
easy-rsa will still complain about other missing files and directories, but it doesn’t expect any data in those, so we can simply create empty files and directories to fix this:
    touch easy-rsa/easyrsa3/pki/serial
    touch easy-rsa/easyrsa3/pki/index.txt
    touch easy-rsa/easyrsa3/pki/index.txt.attr
    mkdir easy-rsa/easyrsa3/pki/certs_by_serial
So if you see errors like:
Easy-RSA error: Missing expected CA file: serial (perhaps you need to run build-ca?)
Then run the empty file creation commands above.
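The backup and restore steps above, collected into one script. This is an added example, not part of Easy-RSA or of the original write-up; the function names backup_pki and restore_pki are made up for illustration, and the script assumes init-pki has already created the target pki directory.

```shell
#!/bin/sh
# Added example: back up and restore the four files named above.
# Paths are relative to the pki directory.
BACKUP_FILES="ca.crt private/ca.key issued/server.crt private/server.key"

# backup_pki PKI_DIR DEST_DIR: copy the four files, keeping their relative paths.
backup_pki() {
    pki=$1; dest=$2
    ( umask 077   # backup directories and files are readable by the owner only
      for f in $BACKUP_FILES; do
          [ -f "$pki/$f" ] || { echo "missing $pki/$f" >&2; exit 1; }
      done
      for f in $BACKUP_FILES; do
          mkdir -p "$dest/$(dirname "$f")" && cp -p "$pki/$f" "$dest/$f" || exit 1
      done )
}

# restore_pki BACKUP_DIR PKI_DIR: run after init-pki has created PKI_DIR.
restore_pki() {
    src=$1; pki=$2
    [ -d "$pki" ] || { echo "$pki not found; run init-pki first" >&2; return 1; }
    # Check the whole backup before changing anything in the new install.
    for f in $BACKUP_FILES; do
        [ -f "$src/$f" ] || { echo "backup incomplete: $f" >&2; return 1; }
    done
    ( umask 077
      mkdir -p "$pki/private" "$pki/issued" "$pki/certs_by_serial" || exit 1
      for f in $BACKUP_FILES; do
          cp "$src/$f" "$pki/$f" || exit 1
      done
      # Private keys must not be readable by other users.
      chmod 700 "$pki/private" || exit 1
      chmod 600 "$pki/private/ca.key" "$pki/private/server.key" || exit 1
      # Create the placeholder files only when absent, so an existing
      # index.txt (the serial list used for revocation) is never emptied.
      for f in serial index.txt index.txt.attr; do
          [ -e "$pki/$f" ] || touch "$pki/$f" || exit 1
      done )
}
```

Source the file and call, for example, restore_pki /path/to/backup easy-rsa/easyrsa3/pki once the skeleton exists.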
If you have any questions, your best bet is to reach me on Twitter at https://twitter.com/imreFitos