Linux – Where should I put all the server certificates and keys and where client keys and certificates

Tags: arch-linux, linux, openvpn, vpn

This, for example, https://wiki.archlinux.org/index.php/Easy-RSA says to put all server-related files into the "server" directory and all client ones into the "client" directory. I've generated all the files and moved them into "server" and "client". Then I wanted to generate a second client and got an exception.

$ sudo easyrsa build-client-full client2

Exception:

Easy-RSA error:

Missing expected CA file: ca.crt (perhaps you need to run build-ca?)
Run without commands for usage and command help.

easyrsa doesn't allow me to specify the location of a CA file. And perhaps it doesn't expect to find the ca.crt/key in the "server" directory.

Here's what I have in the "server":

$ ls -al  /etc/openvpn/server/
  ca.crt
  dh.pem
  openvpn-status.log
  openvpn.log
  server.conf
  server1.crt
  server1.key
  ta.key

Where should I put all my server certificates and keys and where client keys and certificates?

Best Answer

I think the misconception here is that all of this would be just one single thing that you are setting up, when in fact there are several conceptually separate roles involved.
(Roles which the guide you were "following" recommends to operate on separate machines.)

There is the role of a Certificate Authority (whether implemented through Easy-RSA or something more elaborate). It NEEDS its own key and all certificates to be able to operate.

There is the role of the OpenVPN server. It NEEDS its own key+cert as well as the CA cert.

There is the role of the OpenVPN clients. These NEED their own keys+certs as well as the CA cert.

No matter how you do this some files will be duplicated (particularly the CA certificate will likely be on MANY machines, not just the two copies you allude to).
If you want to have the CA on the same machine as the VPN server it's very possible that you can save a tiny amount of space by using the same files instead of copying some certificate files, but this does not actually appear worthwhile, and removing the files from the CA is not an option.
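As an added example, not part of the question or the answer above, here is a POSIX shell script that lays out the three roles the answer lists as three separate directories and checks each one: a role directory must contain what that role NEEDS, and the only private keys in it may be its own. The directory names (ca/, server/, client1/) and the rule that a private key is owner-readable only (mode 600) are my assumptions; the placeholder files are constructed stand-ins for what easyrsa build-ca, build-server-full and build-client-full would produce, so the script runs without Easy-RSA or OpenSSL installed.

```shell
#!/bin/sh
# Added example (not from the original post): one directory per role and a
# checker for each. Names follow the questioner's ls output (ca.crt, dh.pem,
# server1.crt/key, ta.key); the directory names are assumptions.

# Files each role NEEDS, as the answer lists them. $2 is the client's name.
required_files() {
    case "$1" in
        ca)     echo "ca.crt ca.key" ;;
        server) echo "ca.crt server1.crt server1.key dh.pem ta.key" ;;
        client) echo "ca.crt $2.crt $2.key ta.key" ;;
        *)      echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Private keys a role may hold. Any other *.key in its directory is an error:
# the CA key stays with the CA and no host keeps another host's key (my rule,
# following the answer's advice to run the roles on separate machines).
allowed_keys() {
    case "$1" in
        ca)     echo "ca.key" ;;
        server) echo "server1.key ta.key" ;;
        client) echo "$2.key ta.key" ;;
    esac
}

# check_role DIR ROLE [CLIENTNAME]: return 0 if DIR is a correct layout for ROLE.
check_role() {
    dir=$1; role=$2; name=${3:-}
    required_files "$role" "$name" >/dev/null || return 1
    for f in $(required_files "$role" "$name"); do
        [ -f "$dir/$f" ] || { echo "$dir: missing $f" >&2; return 1; }
    done
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue          # no *.key files at all
        base=${k##*/}
        case " $(allowed_keys "$role" "$name") " in
            *" $base "*) ;;
            *) echo "$dir: must not hold $base" >&2; return 1 ;;
        esac
        # A private key must be readable by its owner only (assumed policy).
        mode=$(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k")
        [ "$mode" = "600" ] || { echo "$k: mode $mode, want 600" >&2; return 1; }
    done
    return 0
}

# build_layout BASE: create BASE/ca, BASE/server and BASE/client1 with
# constructed placeholder files (no real key material) standing in for the
# output of easyrsa build-ca, build-server-full server1, build-client-full
# client1, openvpn --genkey secret ta.key and easyrsa gen-dh.
build_layout() {
    base=$1
    mkdir -p "$base/ca" "$base/server" "$base/client1"
    # CA role: its own key and cert, plus every certificate it has issued.
    for f in ca.key ca.crt server1.crt client1.crt; do
        echo "placeholder $f" > "$base/ca/$f"
    done
    # Server role: its own key, DH params, the tls-auth key, and COPIES of
    # the CA cert and its issued cert (copies, never moves: the CA keeps its own).
    echo "placeholder server1.key" > "$base/server/server1.key"
    echo "placeholder dh.pem"      > "$base/server/dh.pem"
    echo "placeholder ta.key"      > "$base/server/ta.key"
    cp "$base/ca/ca.crt" "$base/ca/server1.crt" "$base/server/"
    # Client role: its own key, copies of the CA cert, its cert and ta.key.
    echo "placeholder client1.key" > "$base/client1/client1.key"
    cp "$base/ca/ca.crt" "$base/ca/client1.crt" "$base/server/ta.key" "$base/client1/"
    chmod 600 "$base"/*/*.key
}

# Run "sh layout.sh demo" to build a sample tree under ./pki-demo and check it.
if [ "${1:-}" = demo ]; then
    build_layout ./pki-demo
    check_role ./pki-demo/ca ca                  && echo "ca: ok"
    check_role ./pki-demo/server server          && echo "server: ok"
    check_role ./pki-demo/client1 client client1 && echo "client1: ok"
fi
```

The checker flags exactly the questioner's situation: the moment ca.key is placed in the server directory (or server1.key is world-readable) the server role fails. With Easy-RSA the CA role is the directory you run easyrsa in, whose pki/ tree holds ca.crt and private/ca.key; build-client-full needs that tree intact, which is why copying files out of it to the server and the clients works while moving them does not. If you would rather the CA host never see a server or client private key at all, generate the key where it will be used (easyrsa gen-req NAME nopass), carry only the request to the CA (easyrsa import-req, then sign-req server or sign-req client), and carry the signed certificate back.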