mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
Remove easy-rsa
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Samuli Seppänen <samuli@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
This commit is contained in:
parent
30029449d4
commit
26abb83cb1
@ -40,7 +40,6 @@ MAINTAINERCLEANFILES = \
|
||||
CLEANFILES = openvpn.8.html configure.h
|
||||
|
||||
EXTRA_DIST = \
|
||||
easy-rsa \
|
||||
sample-config-files \
|
||||
sample-keys \
|
||||
sample-scripts \
|
||||
|
@ -1,161 +0,0 @@
|
||||
This is a small RSA key management package,
|
||||
based on the openssl command line tool, that
|
||||
can be found in the easy-rsa subdirectory
|
||||
of the OpenVPN distribution.
|
||||
|
||||
These are reference notes. For step
|
||||
by step instructions, see the HOWTO:
|
||||
|
||||
http://openvpn.net/howto.html
|
||||
|
||||
INSTALL
|
||||
|
||||
1. Edit vars.
|
||||
2. Set KEY_CONFIG to point to the openssl.cnf file
|
||||
included in this distribution.
|
||||
3. Set KEY_DIR to point to a directory which will
|
||||
contain all keys, certificates, etc. This
|
||||
directory need not exist, and if it does,
|
||||
it will be deleted with rm -rf, so BE
|
||||
CAREFUL how you set KEY_DIR.
|
||||
4. (Optional) Edit other fields in vars
|
||||
per your site data. You may want to
|
||||
increase KEY_SIZE to 2048 if you are
|
||||
paranoid and don't mind slower key
|
||||
processing, but certainly 1024 is
|
||||
fine for testing purposes. KEY_SIZE
|
||||
must be compatible across both peers
|
||||
participating in a secure SSL/TLS
|
||||
connection.
|
||||
5 . vars
|
||||
6. ./clean-all
|
||||
7. As you create certificates, keys, and
|
||||
certificate signing requests, understand that
|
||||
only .key files should be kept confidential.
|
||||
.crt and .csr files can be sent over insecure
|
||||
channels such as plaintext email.
|
||||
8. You should never need to copy a .key file
|
||||
between computers. Normally each computer
|
||||
will have its own certificate/key pair.
|
||||
|
||||
BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
|
||||
|
||||
1. ./build-ca
|
||||
2. ca.crt and ca.key will be built in your KEY_DIR
|
||||
directory
|
||||
|
||||
BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
|
||||
|
||||
1. ./build-inter inter
|
||||
2. inter.crt and inter.key will be built in your KEY_DIR
|
||||
directory and signed with your root certificate.
|
||||
|
||||
BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
|
||||
the server end of a SSL/TLS connection).
|
||||
|
||||
1. ./build-dh
|
||||
|
||||
BUILD A CERTIFICATE SIGNING REQUEST (If
|
||||
you want to sign your certificate with a root
|
||||
certificate controlled by another individual
|
||||
or organization, or residing on a different machine).
|
||||
|
||||
1. Get ca.crt (the root certificate) from your
|
||||
certificate authority. Though this
|
||||
transfer can be over an insecure channel, to prevent
|
||||
man-in-the-middle attacks you must confirm that
|
||||
ca.crt was not tampered with. Large CAs solve this
|
||||
problem by hardwiring their root certificates into
|
||||
popular web browsers. A simple way to verify a root
|
||||
CA is to call the issuer on the telephone and confirm
|
||||
that the md5sum or sha1sum signatures on the ca.crt
|
||||
files match (such as with the command: "md5sum ca.crt").
|
||||
2. Choose a name for your certificate such as your computer
|
||||
name. In our example we will use "mycert".
|
||||
3. ./build-req mycert
|
||||
4. You can ignore most of the fields, but set
|
||||
"Common Name" to something unique such as your
|
||||
computer's host name. Leave all password
|
||||
fields blank, unless you want your private key
|
||||
to be protected by password. Using a password
|
||||
is not required -- it will make your key more secure
|
||||
but also more inconvenient to use, because you will
|
||||
need to supply your password anytime the key is used.
|
||||
NOTE: if you are using a password, use ./build-req-pass
|
||||
instead of ./build-req
|
||||
5. Your key will be written to $KEY_DIR/mycert.key
|
||||
6. Your certificate signing request will be written to
|
||||
to $KEY_DIR/mycert.csr
|
||||
7. Email mycert.csr to the individual or organization
|
||||
which controls the root certificate. This can be
|
||||
done over an insecure channel.
|
||||
8. After the .csr file is signed by the root certificate
|
||||
authority, you will receive a file mycert.crt
|
||||
(your certificate). Place mycert.crt in your
|
||||
KEY_DIR directory.
|
||||
9. The combined files of mycert.crt, mycert.key,
|
||||
and ca.crt can now be used to secure one end of
|
||||
an SSL/TLS connection.
|
||||
|
||||
SIGN A CERTIFICATE SIGNING REQUEST
|
||||
|
||||
1. ./sign-req mycert
|
||||
2. mycert.crt will be built in your KEY_DIR
|
||||
directory using mycert.csr and your root CA
|
||||
file as input.
|
||||
|
||||
BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
|
||||
USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
|
||||
script generates and signs a certificate in one step,
|
||||
but it requires that the generated certificate and private
|
||||
key files be copied to the destination host over a
|
||||
secure channel.
|
||||
|
||||
1. ./build-key mycert (no password protection)
|
||||
2. OR ./build-key-pass mycert (with password protection)
|
||||
3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
|
||||
4. OR ./build-key-server mycert (with nsCertType=server)
|
||||
5. mycert.crt and mycert.key will be built in your
|
||||
KEY_DIR directory, and mycert.crt will be signed
|
||||
by your root CA. If ./build-key-pkcs12 was used a
|
||||
mycert.p12 file will also be created including the
|
||||
private key, certificate and the ca certificate.
|
||||
|
||||
IMPORTANT
|
||||
|
||||
To avoid a possible Man-in-the-Middle attack where an authorized
|
||||
client tries to connect to another client by impersonating the
|
||||
server, make sure to enforce some kind of server certificate
|
||||
verification by clients. There are currently four different ways
|
||||
of accomplishing this, listed in the order of preference:
|
||||
|
||||
(1) Build your server certificates with the build-key-server
|
||||
script. This will designate the certificate as a
|
||||
server-only certificate by setting nsCertType=server.
|
||||
Now add the following line to your client configuration:
|
||||
|
||||
ns-cert-type server
|
||||
|
||||
This will block clients from connecting to any
|
||||
server which lacks the nsCertType=server designation
|
||||
in its certificate, even if the certificate has been
|
||||
signed by the CA which is cited in the OpenVPN configuration
|
||||
file (--ca directive).
|
||||
|
||||
(2) Use the --tls-remote directive on the client to
|
||||
accept/reject the server connection based on the common
|
||||
name of the server certificate.
|
||||
|
||||
(3) Use a --tls-verify script or plugin to accept/reject the
|
||||
server connection based on a custom test of the server
|
||||
certificate's embedded X509 subject details.
|
||||
|
||||
(4) Sign server certificates with one CA and client certificates
|
||||
with a different CA. The client config "ca" directive should
|
||||
reference the server-signing CA while the server config "ca"
|
||||
directive should reference the client-signing CA.
|
||||
|
||||
NOTES
|
||||
|
||||
Show certificate fields:
|
||||
openssl x509 -in cert.crt -text
|
@ -1,13 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build a root certificate
|
||||
#
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
|
||||
chmod 0600 ca.key
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,12 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build Diffie-Hellman parameters for the server side
|
||||
# of an SSL/TLS connection.
|
||||
#
|
||||
|
||||
if test $KEY_DIR; then
|
||||
openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,19 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Make an intermediate CA certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-inter <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
|
||||
openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,20 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-key <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
|
||||
chmod 0600 $1.key
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,20 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Similar to build-key, but protect the private key
|
||||
# with a password.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-key-pass <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
|
||||
chmod 0600 $1.key
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,21 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate and convert it to a PKCS #12 file including the
|
||||
# the CA certificate as well.
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-key-pkcs12 <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
|
||||
openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
|
||||
chmod 0600 $1.key $1.p12
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,22 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
# Explicitly set nsCertType to server using the "server"
|
||||
# extension in the openssl.cnf file.
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-key-server <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
|
||||
chmod 0600 $1.key
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build a certificate signing request and private key. Use this
|
||||
# when your root certificate and key is not available locally.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-req <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Like build-req, but protect your private key
|
||||
# with a password.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-req-pass <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,19 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Initialize the $KEY_DIR directory.
|
||||
# Note that this script does a
|
||||
# rm -rf on $KEY_DIR so be careful!
|
||||
#
|
||||
|
||||
d=$KEY_DIR
|
||||
|
||||
if test $d; then
|
||||
rm -rf $d
|
||||
mkdir $d && \
|
||||
chmod go-rwx $d && \
|
||||
touch $d/index.txt && \
|
||||
echo 01 >$d/serial
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# list revoked certificates
|
||||
#
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: list-crl <crlfile.pem>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl crl -text -noout -in $1
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# generate a CRL
|
||||
#
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: make-crl <crlfile.pem>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl ca -gencrl -out $1 -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,255 +0,0 @@
|
||||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_match
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "OpenSSL Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# revoke a certificate
|
||||
#
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: revoke-crt <file.crt>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl ca -revoke $1 -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,29 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# revoke a certificate, regenerate CRL,
|
||||
# and verify revocation
|
||||
|
||||
CRL=crl.pem
|
||||
RT=revoke-test.pem
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: revoke-full <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR
|
||||
rm -f $RT
|
||||
|
||||
# revoke key and generate a new CRL
|
||||
openssl ca -revoke $1.crt -config $KEY_CONFIG
|
||||
|
||||
# generate a new CRL
|
||||
openssl ca -gencrl -out $CRL -config $KEY_CONFIG
|
||||
cat ca.crt $CRL >$RT
|
||||
|
||||
# verify the revocation
|
||||
openssl verify -CAfile $RT -crl_check $1.crt
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Sign a certificate signing request (a .csr file)
|
||||
# with a local root certificate and key.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: sign-req <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
@ -1,49 +0,0 @@
|
||||
# easy-rsa parameter settings
|
||||
|
||||
# NOTE: If you installed from an RPM,
|
||||
# don't edit this file in place in
|
||||
# /usr/share/openvpn/easy-rsa --
|
||||
# instead, you should copy the whole
|
||||
# easy-rsa directory to another location
|
||||
# (such as /etc/openvpn) so that your
|
||||
# edits will not be wiped out by a future
|
||||
# OpenVPN package upgrade.
|
||||
|
||||
# This variable should point to
|
||||
# the top level of the easy-rsa
|
||||
# tree.
|
||||
export D=`pwd`
|
||||
|
||||
# This variable should point to
|
||||
# the openssl.cnf file included
|
||||
# with easy-rsa.
|
||||
export KEY_CONFIG=$D/openssl.cnf
|
||||
|
||||
# Edit this variable to point to
|
||||
# your soon-to-be-created key
|
||||
# directory.
|
||||
#
|
||||
# WARNING: clean-all will do
|
||||
# a rm -rf on this directory
|
||||
# so make sure you define
|
||||
# it correctly!
|
||||
export KEY_DIR=$D/keys
|
||||
|
||||
# Issue rm -rf warning
|
||||
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
|
||||
|
||||
# Increase this to 2048 if you
|
||||
# are paranoid. This will slow
|
||||
# down TLS negotiation performance
|
||||
# as well as the one-time DH parms
|
||||
# generation process.
|
||||
export KEY_SIZE=1024
|
||||
|
||||
# These are the default values for fields
|
||||
# which will be placed in the certificate.
|
||||
# Don't leave any of these fields blank.
|
||||
export KEY_COUNTRY=KG
|
||||
export KEY_PROVINCE=NA
|
||||
export KEY_CITY=BISHKEK
|
||||
export KEY_ORG="OpenVPN-TEST"
|
||||
export KEY_EMAIL="me@myhost.mydomain"
|
@ -1,13 +0,0 @@
|
||||
|
||||
DESTDIR=
|
||||
PREFIX=
|
||||
|
||||
all:
|
||||
echo "All done."
|
||||
echo "Run make install DESTDIR=/usr/share/somewhere"
|
||||
|
||||
install:
|
||||
install -d "${DESTDIR}/${PREFIX}"
|
||||
install -m 0755 build-* "${DESTDIR}/${PREFIX}"
|
||||
install -m 0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
|
||||
install -m 0644 openssl-0.9.6.cnf openssl-0.9.8.cnf openssl-1.0.0.cnf README vars "${DESTDIR}/${PREFIX}"
|
@ -1,229 +0,0 @@
|
||||
EASY-RSA Version 2.0-rc1
|
||||
|
||||
This is a small RSA key management package, based on the openssl
|
||||
command line tool, that can be found in the easy-rsa subdirectory
|
||||
of the OpenVPN distribution. While this tool is primary concerned
|
||||
with key management for the SSL VPN application space, it can also
|
||||
be used for building web certificates.
|
||||
|
||||
These are reference notes. For step-by-step instructions, see the
|
||||
HOWTO:
|
||||
|
||||
http://openvpn.net/howto.html
|
||||
|
||||
This package is based on the ./pkitool script. Run ./pkitool
|
||||
without arguments for a detailed help message (which is also pasted
|
||||
below).
|
||||
|
||||
Release Notes for easy-rsa-2.0
|
||||
|
||||
* Most functionality has been consolidated into the pkitool
|
||||
script. For compatibility, all previous scripts from 1.0 such
|
||||
as build-key and build-key-server are provided as stubs
|
||||
which call pkitool to do the real work.
|
||||
|
||||
* pkitool has a --batch flag (enabled by default) which generates
|
||||
keys/certs without needing any interactive input. pkitool
|
||||
can still generate certs/keys using interactive prompting by
|
||||
using the --interact flag.
|
||||
|
||||
* The inherit-inter script has been provided for creating
|
||||
a new PKI rooted on an intermediate certificate built within a
|
||||
higher-level PKI. See comments in the inherit-inter script
|
||||
for more info.
|
||||
|
||||
* The openssl.cnf file has been modified. pkitool will not
|
||||
work with the openssl.cnf file included with previous
|
||||
easy-rsa releases.
|
||||
|
||||
* The vars file has been modified -- the following extra
|
||||
variables have been added: EASY_RSA, CA_EXPIRE,
|
||||
KEY_EXPIRE.
|
||||
|
||||
* The make-crl and revoke-crt scripts have been removed and
|
||||
are replaced by the revoke-full script.
|
||||
|
||||
* The "Organizational Unit" X509 field can be set using
|
||||
the KEY_OU environmental variable before calling pkitool.
|
||||
|
||||
* This release only affects the Linux/Unix version of easy-rsa.
|
||||
The Windows version (written to use the Windows shell) is unchanged.
|
||||
|
||||
* Use the revoke-full script to revoke a certificate, and generate
|
||||
(or update) the crl.pem file in the keys directory (as set by the
|
||||
vars script). Then use "crl-verify crl.pem" in your OpenVPN server
|
||||
config file, so that OpenVPN can reject any connections coming from
|
||||
clients which present a revoked certificate. Usage for the script is:
|
||||
|
||||
revoke-full <common-name>
|
||||
|
||||
Note this this procedure is primarily designed to revoke client
|
||||
certificates. You could theoretically use this method to revoke
|
||||
server certificates as well, but then you would need to propagate
|
||||
the crl.pem file to all clients as well, and have them include
|
||||
"crl-verify crl.pem" in their configuration files.
|
||||
|
||||
* PKCS#11 support was added.
|
||||
|
||||
* For those interested in using this tool to generate web certificates,
|
||||
A variant of the easy-rsa package that allows the creation of multi-domain
|
||||
certificates with subjectAltName can be obtained from here:
|
||||
|
||||
http://www.bisente.com/proyectos/easy-rsa-subjectaltname/
|
||||
|
||||
INSTALL easy-rsa
|
||||
|
||||
1. Edit vars.
|
||||
2. Set KEY_CONFIG to point to the correct openssl-<version>.cnf
|
||||
file included in this distribution.
|
||||
3. Set KEY_DIR to point to a directory which will
|
||||
contain all keys, certificates, etc. This
|
||||
directory need not exist, and if it does,
|
||||
it will be deleted with rm -rf, so BE
|
||||
CAREFUL how you set KEY_DIR.
|
||||
4. (Optional) Edit other fields in vars
|
||||
per your site data. You may want to
|
||||
increase KEY_SIZE to 2048 if you are
|
||||
paranoid and don't mind slower key
|
||||
processing, but certainly 1024 is
|
||||
fine for testing purposes. KEY_SIZE
|
||||
must be compatible across both peers
|
||||
participating in a secure SSL/TLS
|
||||
connection.
|
||||
5. (Optional) If you intend to use PKCS#11,
|
||||
install openssl >= 0.9.7, install the
|
||||
following components from www.opensc.org:
|
||||
- opensc >= 0.10.0
|
||||
- engine_pkcs11 >= 0.1.3
|
||||
Update the openssl.cnf to load the engine:
|
||||
- Uncomment pkcs11 under engine_section.
|
||||
- Validate path at dynamic_path under pkcs11_section.
|
||||
6. . vars
|
||||
7. ./clean-all
|
||||
8. As you create certificates, keys, and
|
||||
certificate signing requests, understand that
|
||||
only .key files should be kept confidential.
|
||||
.crt and .csr files can be sent over insecure
|
||||
channels such as plaintext email.
|
||||
|
||||
IMPORTANT
|
||||
|
||||
To avoid a possible Man-in-the-Middle attack where an authorized
|
||||
client tries to connect to another client by impersonating the
|
||||
server, make sure to enforce some kind of server certificate
|
||||
verification by clients. There are currently four different ways
|
||||
of accomplishing this, listed in the order of preference:
|
||||
|
||||
(1) Build your server certificates with specific key usage and
|
||||
extended key usage. The RFC3280 determine that the following
|
||||
attributes should be provided for TLS connections:
|
||||
|
||||
Mode Key usage Extended key usage
|
||||
---------------------------------------------------------------------------
|
||||
Client digitalSignature TLS Web Client Authentication
|
||||
keyAgreement
|
||||
digitalSignature, keyAgreement
|
||||
|
||||
Server digitalSignature, keyEncipherment TLS Web Server Authentication
|
||||
digitalSignature, keyAgreement
|
||||
|
||||
Now add the following line to your client configuration:
|
||||
|
||||
remote-cert-tls server
|
||||
|
||||
This will block clients from connecting to any
|
||||
server which lacks the required extension designation
|
||||
in its certificate, even if the certificate has been
|
||||
signed by the CA which is cited in the OpenVPN configuration
|
||||
file (--ca directive).
|
||||
|
||||
(3) Use the --tls-remote directive on the client to
|
||||
accept/reject the server connection based on the common
|
||||
name of the server certificate.
|
||||
|
||||
(3) Use a --tls-verify script or plugin to accept/reject the
|
||||
server connection based on a custom test of the server
|
||||
certificate's embedded X509 subject details.
|
||||
|
||||
(4) Sign server certificates with one CA and client certificates
|
||||
with a different CA. The client config "ca" directive should
|
||||
reference the server-signing CA while the server config "ca"
|
||||
directive should reference the client-signing CA.
|
||||
|
||||
NOTES
|
||||
|
||||
Show certificate fields:
|
||||
openssl x509 -in cert.crt -text
|
||||
|
||||
PKITOOL documentation
|
||||
|
||||
pkitool 2.0
|
||||
Usage: pkitool [options...] [common-name]
|
||||
Options:
|
||||
--batch : batch mode (default)
|
||||
--keysize : Set keysize
|
||||
size : size (default=1024)
|
||||
--interact : interactive mode
|
||||
--server : build server cert
|
||||
--initca : build root CA
|
||||
--inter : build intermediate CA
|
||||
--pass : encrypt private key with password
|
||||
--csr : only generate a CSR, do not sign
|
||||
--sign : sign an existing CSR
|
||||
--pkcs12 : generate a combined PKCS#12 file
|
||||
--pkcs11 : generate certificate on PKCS#11 token
|
||||
lib : PKCS#11 library
|
||||
slot : PKCS#11 slot
|
||||
id : PKCS#11 object id (hex string)
|
||||
label : PKCS#11 object label
|
||||
Standalone options:
|
||||
--pkcs11-slots : list PKCS#11 slots
|
||||
lib : PKCS#11 library
|
||||
--pkcs11-objects : list PKCS#11 token objects
|
||||
lib : PKCS#11 library
|
||||
slot : PKCS#11 slot
|
||||
--pkcs11-init : initialize PKCS#11 token DANGEROUS!!!
|
||||
lib : PKCS#11 library
|
||||
slot : PKCS#11 slot
|
||||
label : PKCS#11 token label
|
||||
Notes:
|
||||
Please edit the vars script to reflect your configuration,
|
||||
then source it with "source ./vars".
|
||||
Next, to start with a fresh PKI configuration and to delete any
|
||||
previous certificates and keys, run "./clean-all".
|
||||
Finally, you can run this tool (pkitool) to build certificates/keys.
|
||||
In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
|
||||
Generated files and corresponding OpenVPN directives:
|
||||
(Files will be placed in the $KEY_DIR directory, defined in ./vars)
|
||||
ca.crt -> root certificate (--ca)
|
||||
ca.key -> root key, keep secure (not directly used by OpenVPN)
|
||||
.crt files -> client/server certificates (--cert)
|
||||
.key files -> private keys, keep secure (--key)
|
||||
.csr files -> certificate signing request (not directly used by OpenVPN)
|
||||
dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
|
||||
Examples:
|
||||
pkitool --initca -> Build root certificate
|
||||
pkitool --initca --pass -> Build root certificate with password-protected key
|
||||
pkitool --server server1 -> Build "server1" certificate/key
|
||||
pkitool client1 -> Build "client1" certificate/key
|
||||
pkitool --pass client2 -> Build password-protected "client2" certificate/key
|
||||
pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format
|
||||
pkitool --csr client4 -> Build "client4" CSR to be signed by another CA
|
||||
pkitool --sign client4 -> Sign "client4" CSR
|
||||
pkitool --inter interca -> Build an intermediate key-signing certificate/key
|
||||
Also see ./inherit-inter script.
|
||||
pkitool --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
|
||||
-> Build "client5" certificate/key in PKCS#11 token
|
||||
Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
|
||||
Protect client2 key with a password. Build DH parms. Generated files in ./keys :
|
||||
[edit vars with your site-specific info]
|
||||
source ./vars
|
||||
./clean-all
|
||||
./build-dh -> takes a long time, consider backgrounding
|
||||
./pkitool --initca
|
||||
./pkitool --server myserver
|
||||
./pkitool client1
|
||||
./pkitool --pass client2
|
||||
Typical usage for adding client cert to existing PKI:
|
||||
source ./vars
|
||||
./pkitool client-new
|
@ -1,8 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build a root certificate
|
||||
#
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --initca $*
|
@ -1,11 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build Diffie-Hellman parameters for the server side
|
||||
# of an SSL/TLS connection.
|
||||
|
||||
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
|
||||
$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make an intermediate CA certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --inter $*
|
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact $*
|
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Similar to build-key, but protect the private key
|
||||
# with a password.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --pass $*
|
@ -1,8 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate and convert it to a PKCS #12 file including the
|
||||
# the CA certificate as well.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --pkcs12 $*
|
@ -1,10 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
# Explicitly set nsCertType to server using the "server"
|
||||
# extension in the openssl.cnf file.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --server $*
|
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build a certificate signing request and private key. Use this
|
||||
# when your root certificate and key is not available locally.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --csr $*
|
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Like build-req, but protect your private key
|
||||
# with a password.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --csr --pass $*
|
@ -1,16 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Initialize the $KEY_DIR directory.
|
||||
# Note that this script does a
|
||||
# rm -rf on $KEY_DIR so be careful!
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
rm -rf "$KEY_DIR"
|
||||
mkdir "$KEY_DIR" && \
|
||||
chmod go-rwx "$KEY_DIR" && \
|
||||
touch "$KEY_DIR/index.txt" && \
|
||||
echo 01 >"$KEY_DIR/serial"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
@ -1,39 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build a new PKI which is rooted on an intermediate certificate generated
|
||||
# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
|
||||
# have independent vars settings, and must use a different KEY_DIR directory
|
||||
# from the parent. This tool can be used to generate arbitrary depth
|
||||
# certificate chains.
|
||||
#
|
||||
# To build an intermediate CA, follow the same steps for a regular PKI but
|
||||
# replace ./build-key or ./pkitool --initca with this script.
|
||||
|
||||
# The EXPORT_CA file will contain the CA certificate chain and should be
|
||||
# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
|
||||
# will only contain the local intermediate CA -- it's needed by the easy-rsa
|
||||
# scripts but not by OpenVPN directly.
|
||||
EXPORT_CA="export-ca.crt"
|
||||
|
||||
if [ $# -ne 2 ]; then
|
||||
echo "usage: $0 <parent-key-dir> <common-name>"
|
||||
echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
|
||||
echo "common-name: the common name of the intermediate certificate in the parent PKI"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cp "$1/$2.crt" "$KEY_DIR/ca.crt"
|
||||
cp "$1/$2.key" "$KEY_DIR/ca.key"
|
||||
|
||||
if [ -e "$1/$EXPORT_CA" ]; then
|
||||
PARENT_CA="$1/$EXPORT_CA"
|
||||
else
|
||||
PARENT_CA="$1/ca.crt"
|
||||
fi
|
||||
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
|
||||
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
@ -1,13 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# list revoked certificates
|
||||
|
||||
CRL="${1:-crl.pem}"
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cd "$KEY_DIR" && \
|
||||
$OPENSSL crl -text -noout -in "$CRL"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
@ -1,265 +0,0 @@
|
||||
# For use with easy-rsa version 2.0
|
||||
|
||||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
@ -1,290 +0,0 @@
|
||||
# For use with easy-rsa version 2.0
|
||||
|
||||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[ openssl_init ]
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
engines = engine_section
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
name = Name
|
||||
name_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
name_default = $ENV::KEY_NAME
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ engine_section ]
|
||||
#
|
||||
# If you are using PKCS#11
|
||||
# Install engine_pkcs11 of opensc (www.opensc.org)
|
||||
# And uncomment the following
|
||||
# verify that dynamic_path points to the correct location
|
||||
#
|
||||
#pkcs11 = pkcs11_section
|
||||
|
||||
[ pkcs11_section ]
|
||||
engine_id = pkcs11
|
||||
dynamic_path = /usr/lib/engines/engine_pkcs11.so
|
||||
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
|
||||
PIN = $ENV::PKCS11_PIN
|
||||
init = 0
|
@ -1,285 +0,0 @@
|
||||
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[ openssl_init ]
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
engines = engine_section
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # use public key default MD
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
|
||||
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
name = Name
|
||||
name_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
name_default = $ENV::KEY_NAME
|
||||
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ engine_section ]
|
||||
#
|
||||
# If you are using PKCS#11
|
||||
# Install engine_pkcs11 of opensc (www.opensc.org)
|
||||
# And uncomment the following
|
||||
# verify that dynamic_path points to the correct location
|
||||
#
|
||||
#pkcs11 = pkcs11_section
|
||||
|
||||
[ pkcs11_section ]
|
||||
engine_id = pkcs11
|
||||
dynamic_path = /usr/lib/engines/engine_pkcs11.so
|
||||
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
|
||||
PIN = $ENV::PKCS11_PIN
|
||||
init = 0
|
@ -1,379 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# OpenVPN -- An application to securely tunnel IP networks
|
||||
# over a single TCP/UDP port, with support for SSL/TLS-based
|
||||
# session authentication and key exchange,
|
||||
# packet encryption, packet authentication, and
|
||||
# packet compression.
|
||||
#
|
||||
# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License version 2
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program (see the file COPYING included with this
|
||||
# distribution); if not, write to the Free Software Foundation, Inc.,
|
||||
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
# pkitool is a front-end for the openssl tool.
|
||||
|
||||
# Calling scripts can set the certificate organizational
|
||||
# unit with the KEY_OU environmental variable.
|
||||
|
||||
# Calling scripts can also set the KEY_NAME environmental
|
||||
# variable to set the "name" X509 subject field.
|
||||
|
||||
PROGNAME=pkitool
|
||||
VERSION=2.0
|
||||
DEBUG=0
|
||||
|
||||
die()
|
||||
{
|
||||
local m="$1"
|
||||
|
||||
echo "$m" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
need_vars()
|
||||
{
|
||||
echo ' Please edit the vars script to reflect your configuration,'
|
||||
echo ' then source it with "source ./vars".'
|
||||
echo ' Next, to start with a fresh PKI configuration and to delete any'
|
||||
echo ' previous certificates and keys, run "./clean-all".'
|
||||
echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
|
||||
}
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "$PROGNAME $VERSION"
|
||||
echo "Usage: $PROGNAME [options...] [common-name]"
|
||||
echo "Options:"
|
||||
echo " --batch : batch mode (default)"
|
||||
echo " --keysize : Set keysize"
|
||||
echo " size : size (default=1024)"
|
||||
echo " --interact : interactive mode"
|
||||
echo " --server : build server cert"
|
||||
echo " --initca : build root CA"
|
||||
echo " --inter : build intermediate CA"
|
||||
echo " --pass : encrypt private key with password"
|
||||
echo " --csr : only generate a CSR, do not sign"
|
||||
echo " --sign : sign an existing CSR"
|
||||
echo " --pkcs12 : generate a combined PKCS#12 file"
|
||||
echo " --pkcs11 : generate certificate on PKCS#11 token"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " id : PKCS#11 object id (hex string)"
|
||||
echo " label : PKCS#11 object label"
|
||||
echo "Standalone options:"
|
||||
echo " --pkcs11-slots : list PKCS#11 slots"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " --pkcs11-objects : list PKCS#11 token objects"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " label : PKCS#11 token label"
|
||||
echo "Notes:"
|
||||
need_vars
|
||||
echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
|
||||
echo "Generated files and corresponding OpenVPN directives:"
|
||||
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
|
||||
echo " ca.crt -> root certificate (--ca)"
|
||||
echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
|
||||
echo " .crt files -> client/server certificates (--cert)"
|
||||
echo " .key files -> private keys, keep secure (--key)"
|
||||
echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
|
||||
echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
|
||||
echo "Examples:"
|
||||
echo " $PROGNAME --initca -> Build root certificate"
|
||||
echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
|
||||
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
|
||||
echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
|
||||
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
|
||||
echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
|
||||
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
|
||||
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
|
||||
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
|
||||
echo " Also see ./inherit-inter script."
|
||||
echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
|
||||
echo " -> Build \"client5\" certificate/key in PKCS#11 token"
|
||||
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
|
||||
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
|
||||
echo " [edit vars with your site-specific info]"
|
||||
echo " source ./vars"
|
||||
echo " ./clean-all"
|
||||
echo " ./build-dh -> takes a long time, consider backgrounding"
|
||||
echo " ./$PROGNAME --initca"
|
||||
echo " ./$PROGNAME --server myserver"
|
||||
echo " ./$PROGNAME client1"
|
||||
echo " ./$PROGNAME --pass client2"
|
||||
echo "Typical usage for adding client cert to existing PKI:"
|
||||
echo " source ./vars"
|
||||
echo " ./$PROGNAME client-new"
|
||||
}
|
||||
|
||||
# Set tool defaults
|
||||
[ -n "$OPENSSL" ] || export OPENSSL="openssl"
|
||||
[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
|
||||
[ -n "$GREP" ] || export GREP="grep"
|
||||
|
||||
# Set defaults
|
||||
DO_REQ="1"
|
||||
REQ_EXT=""
|
||||
DO_CA="1"
|
||||
CA_EXT=""
|
||||
DO_P12="0"
|
||||
DO_P11="0"
|
||||
DO_ROOT="0"
|
||||
NODES_REQ="-nodes"
|
||||
NODES_P12=""
|
||||
BATCH="-batch"
|
||||
CA="ca"
|
||||
# must be set or errors of openssl.cnf
|
||||
PKCS11_MODULE_PATH="dummy"
|
||||
PKCS11_PIN="dummy"
|
||||
|
||||
# Process options
|
||||
while [ $# -gt 0 ]; do
|
||||
case "$1" in
|
||||
--keysize ) KEY_SIZE=$2
|
||||
shift;;
|
||||
--server ) REQ_EXT="$REQ_EXT -extensions server"
|
||||
CA_EXT="$CA_EXT -extensions server" ;;
|
||||
--batch ) BATCH="-batch" ;;
|
||||
--interact ) BATCH="" ;;
|
||||
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
|
||||
--initca ) DO_ROOT="1" ;;
|
||||
--pass ) NODES_REQ="" ;;
|
||||
--csr ) DO_CA="0" ;;
|
||||
--sign ) DO_REQ="0" ;;
|
||||
--pkcs12 ) DO_P12="1" ;;
|
||||
--pkcs11 ) DO_P11="1"
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
PKCS11_ID="$4"
|
||||
PKCS11_LABEL="$5"
|
||||
shift 4;;
|
||||
|
||||
# standalone
|
||||
--pkcs11-init)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
PKCS11_LABEL="$4"
|
||||
if [ -z "$PKCS11_LABEL" ]; then
|
||||
die "Please specify library name, slot and label"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
|
||||
--label "$PKCS11_LABEL" &&
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
|
||||
exit $?;;
|
||||
--pkcs11-slots)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
if [ -z "$PKCS11_MODULE_PATH" ]; then
|
||||
die "Please specify library name"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
|
||||
exit 0;;
|
||||
--pkcs11-objects)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
if [ -z "$PKCS11_SLOT" ]; then
|
||||
die "Please specify library name and slot"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
|
||||
exit 0;;
|
||||
|
||||
--help|--usage)
|
||||
usage
|
||||
exit ;;
|
||||
--version)
|
||||
echo "$PROGNAME $VERSION"
|
||||
exit ;;
|
||||
# errors
|
||||
--* ) die "$PROGNAME: unknown option: $1" ;;
|
||||
* ) break ;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if ! [ -z "$BATCH" ]; then
|
||||
if $OPENSSL version | grep 0.9.6 > /dev/null; then
|
||||
die "Batch mode is unsupported in openssl<0.9.7"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
|
||||
die "PKCS#11 and PKCS#12 cannot be specified together"
|
||||
fi
|
||||
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
|
||||
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
|
||||
fi
|
||||
fi
|
||||
|
||||
# If we are generating pkcs12, only encrypt the final step
|
||||
if [ $DO_P12 -eq 1 ]; then
|
||||
NODES_P12="$NODES_REQ"
|
||||
NODES_REQ="-nodes"
|
||||
fi
|
||||
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
if [ -z "$PKCS11_LABEL" ]; then
|
||||
die "PKCS#11 arguments incomplete"
|
||||
fi
|
||||
fi
|
||||
|
||||
# If undefined, set default key expiration intervals
|
||||
if [ -z "$KEY_EXPIRE" ]; then
|
||||
KEY_EXPIRE=3650
|
||||
fi
|
||||
if [ -z "$CA_EXPIRE" ]; then
|
||||
CA_EXPIRE=3650
|
||||
fi
|
||||
|
||||
# Set organizational unit to empty string if undefined
|
||||
if [ -z "$KEY_OU" ]; then
|
||||
KEY_OU=""
|
||||
fi
|
||||
|
||||
# Set X509 Name string to empty string if undefined
|
||||
if [ -z "$KEY_NAME" ]; then
|
||||
KEY_NAME=""
|
||||
fi
|
||||
|
||||
# Set KEY_CN, FN
|
||||
if [ $DO_ROOT -eq 1 ]; then
|
||||
if [ -z "$KEY_CN" ]; then
|
||||
if [ "$1" ]; then
|
||||
KEY_CN="$1"
|
||||
elif [ "$KEY_ORG" ]; then
|
||||
KEY_CN="$KEY_ORG CA"
|
||||
fi
|
||||
fi
|
||||
if [ $BATCH ] && [ "$KEY_CN" ]; then
|
||||
echo "Using CA Common Name:" "$KEY_CN"
|
||||
fi
|
||||
FN="$KEY_CN"
|
||||
elif [ $BATCH ] && [ "$KEY_CN" ]; then
|
||||
echo "Using Common Name:" "$KEY_CN"
|
||||
FN="$KEY_CN"
|
||||
if [ "$1" ]; then
|
||||
FN="$1"
|
||||
fi
|
||||
else
|
||||
if [ $# -ne 1 ]; then
|
||||
usage
|
||||
exit 1
|
||||
else
|
||||
KEY_CN="$1"
|
||||
fi
|
||||
FN="$KEY_CN"
|
||||
fi
|
||||
|
||||
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
|
||||
|
||||
# Show parameters (debugging)
|
||||
if [ $DEBUG -eq 1 ]; then
|
||||
echo DO_REQ $DO_REQ
|
||||
echo REQ_EXT $REQ_EXT
|
||||
echo DO_CA $DO_CA
|
||||
echo CA_EXT $CA_EXT
|
||||
echo NODES_REQ $NODES_REQ
|
||||
echo NODES_P12 $NODES_P12
|
||||
echo DO_P12 $DO_P12
|
||||
echo KEY_CN $KEY_CN
|
||||
echo BATCH $BATCH
|
||||
echo DO_ROOT $DO_ROOT
|
||||
echo KEY_EXPIRE $KEY_EXPIRE
|
||||
echo CA_EXPIRE $CA_EXPIRE
|
||||
echo KEY_OU $KEY_OU
|
||||
echo KEY_NAME $KEY_NAME
|
||||
echo DO_P11 $DO_P11
|
||||
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
|
||||
echo PKCS11_SLOT $PKCS11_SLOT
|
||||
echo PKCS11_ID $PKCS11_ID
|
||||
echo PKCS11_LABEL $PKCS11_LABEL
|
||||
fi
|
||||
|
||||
# Make sure ./vars was sourced beforehand
|
||||
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
|
||||
cd "$KEY_DIR"
|
||||
|
||||
# Make sure $KEY_CONFIG points to the correct version
|
||||
# of openssl.cnf
|
||||
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
|
||||
:
|
||||
else
|
||||
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
|
||||
echo "version of openssl.cnf: $KEY_CONFIG"
|
||||
echo "The correct version should have a comment that says: easy-rsa version 2.x";
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
# Build root CA
|
||||
if [ $DO_ROOT -eq 1 ]; then
|
||||
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
|
||||
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
|
||||
chmod 0600 "$CA.key"
|
||||
else
|
||||
# Make sure CA key/cert is available
|
||||
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
|
||||
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
|
||||
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
|
||||
echo "Try $PROGNAME --initca to build a root certificate/key."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Generate key for PKCS#11 token
|
||||
PKCS11_ARGS=
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
stty -echo
|
||||
echo -n "User PIN: "
|
||||
read -r PKCS11_PIN
|
||||
stty echo
|
||||
export PKCS11_PIN
|
||||
|
||||
echo "Generating key pair on PKCS#11 token..."
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
|
||||
--login --pin "$PKCS11_PIN" \
|
||||
--key-type rsa:1024 \
|
||||
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
|
||||
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
|
||||
fi
|
||||
|
||||
# Build cert/key
|
||||
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
|
||||
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
|
||||
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
|
||||
-in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
|
||||
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
|
||||
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
|
||||
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
|
||||
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
|
||||
|
||||
# Load certificate into PKCS#11 token
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
|
||||
--login --pin "$PKCS11_PIN" \
|
||||
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
|
||||
[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
# Need definitions
|
||||
else
|
||||
need_vars
|
||||
fi
|
@ -1,40 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# revoke a certificate, regenerate CRL,
|
||||
# and verify revocation
|
||||
|
||||
CRL="crl.pem"
|
||||
RT="revoke-test.pem"
|
||||
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "usage: revoke-full <cert-name-base>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cd "$KEY_DIR"
|
||||
rm -f "$RT"
|
||||
|
||||
# set defaults
|
||||
export KEY_CN=""
|
||||
export KEY_OU=""
|
||||
export KEY_NAME=""
|
||||
|
||||
# revoke key and generate a new CRL
|
||||
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
|
||||
|
||||
# generate a new CRL -- try to be compatible with
|
||||
# intermediate PKIs
|
||||
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
|
||||
if [ -e export-ca.crt ]; then
|
||||
cat export-ca.crt "$CRL" >"$RT"
|
||||
else
|
||||
cat ca.crt "$CRL" >"$RT"
|
||||
fi
|
||||
|
||||
# verify the revocation
|
||||
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Sign a certificate signing request (a .csr file)
|
||||
# with a local root certificate and key.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --sign $*
|
@ -1,74 +0,0 @@
|
||||
# easy-rsa parameter settings
|
||||
|
||||
# NOTE: If you installed from an RPM,
|
||||
# don't edit this file in place in
|
||||
# /usr/share/openvpn/easy-rsa --
|
||||
# instead, you should copy the whole
|
||||
# easy-rsa directory to another location
|
||||
# (such as /etc/openvpn) so that your
|
||||
# edits will not be wiped out by a future
|
||||
# OpenVPN package upgrade.
|
||||
|
||||
# This variable should point to
|
||||
# the top level of the easy-rsa
|
||||
# tree.
|
||||
export EASY_RSA="`pwd`"
|
||||
|
||||
#
|
||||
# This variable should point to
|
||||
# the requested executables
|
||||
#
|
||||
export OPENSSL="openssl"
|
||||
export PKCS11TOOL="pkcs11-tool"
|
||||
export GREP="grep"
|
||||
|
||||
|
||||
# This variable should point to
|
||||
# the openssl.cnf file included
|
||||
# with easy-rsa.
|
||||
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
|
||||
|
||||
# Edit this variable to point to
|
||||
# your soon-to-be-created key
|
||||
# directory.
|
||||
#
|
||||
# WARNING: clean-all will do
|
||||
# a rm -rf on this directory
|
||||
# so make sure you define
|
||||
# it correctly!
|
||||
export KEY_DIR="$EASY_RSA/keys"
|
||||
|
||||
# Issue rm -rf warning
|
||||
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
|
||||
|
||||
# PKCS11 fixes
|
||||
export PKCS11_MODULE_PATH="dummy"
|
||||
export PKCS11_PIN="dummy"
|
||||
|
||||
# Increase this to 2048 if you
|
||||
# are paranoid. This will slow
|
||||
# down TLS negotiation performance
|
||||
# as well as the one-time DH parms
|
||||
# generation process.
|
||||
export KEY_SIZE=1024
|
||||
|
||||
# In how many days should the root CA key expire?
|
||||
export CA_EXPIRE=3650
|
||||
|
||||
# In how many days should certificates expire?
|
||||
export KEY_EXPIRE=3650
|
||||
|
||||
# These are the default values for fields
|
||||
# which will be placed in the certificate.
|
||||
# Don't leave any of these fields blank.
|
||||
export KEY_COUNTRY="US"
|
||||
export KEY_PROVINCE="CA"
|
||||
export KEY_CITY="SanFrancisco"
|
||||
export KEY_ORG="Fort-Funston"
|
||||
export KEY_EMAIL="me@myhost.mydomain"
|
||||
export KEY_EMAIL=mail@host.domain
|
||||
export KEY_CN=changeme
|
||||
export KEY_NAME=changeme
|
||||
export KEY_OU=changeme
|
||||
export PKCS11_MODULE_PATH=changeme
|
||||
export PKCS11_PIN=1234
|
@ -1,26 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
cnf="$1/openssl.cnf"
|
||||
|
||||
if [ "$OPENSSL" ]; then
|
||||
if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]" > /dev/null; then
|
||||
cnf="$1/openssl-0.9.6.cnf"
|
||||
elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]" > /dev/null; then
|
||||
cnf="$1/openssl-0.9.8.cnf"
|
||||
elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
|
||||
cnf="$1/openssl-1.0.0.cnf"
|
||||
else
|
||||
cnf="$1/openssl.cnf"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo $cnf
|
||||
|
||||
if [ ! -r $cnf ]; then
|
||||
echo "**************************************************************" >&2
|
||||
echo " No $cnf file could be found" >&2
|
||||
echo " Further invocations will fail" >&2
|
||||
echo "**************************************************************" >&2
|
||||
fi
|
||||
|
||||
exit 0
|
@ -1,44 +0,0 @@
|
||||
Extract all zip'd files to the OpenVPN home directory,
|
||||
including the openssl.cnf file from the top-level
|
||||
"easy-rsa" directory.
|
||||
|
||||
First run init-config.bat
|
||||
|
||||
Next, edit vars.bat to adapt it to your environment, and
|
||||
create the directory that will hold your key files.
|
||||
|
||||
To generate TLS keys:
|
||||
|
||||
Create new empty index and serial files (once only)
|
||||
1. vars
|
||||
2. clean-all
|
||||
|
||||
Build a CA key (once only)
|
||||
1. vars
|
||||
2. build-ca
|
||||
|
||||
Build a DH file (for server side, once only)
|
||||
1. vars
|
||||
2. build-dh
|
||||
|
||||
Build a private key/certficate for the openvpn server
|
||||
1. vars
|
||||
2. build-key-server <machine-name>
|
||||
|
||||
Build key files in PEM format (for each client machine)
|
||||
1. vars
|
||||
2. build-key <machine-name>
|
||||
(use <machine name> for specific name within script)
|
||||
|
||||
or
|
||||
|
||||
Build key files in PKCS #12 format (for each client machine)
|
||||
1. vars
|
||||
2. build-key-pkcs12 <machine-name>
|
||||
(use <machine name> for specific name within script)
|
||||
|
||||
To revoke a TLS certificate and generate a CRL file:
|
||||
1. vars
|
||||
2. revoke-full <machine-name>
|
||||
3. verify last line of output confirms revokation
|
||||
4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>"
|
@ -1,8 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem build a request for a cert that will be valid for ten years
|
||||
openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem sign the cert request with our ca, creating a cert/key pair
|
||||
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem delete any .old files created in this process, to avoid future file creation errors
|
||||
del /q %KEY_DIR%\*.old
|
@ -1,4 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem build a cert authority valid for ten years, starting now
|
||||
openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG%
|
@ -1,4 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem build a dh file for the server side
|
||||
openssl dhparam -out %KEY_DIR%/dh%KEY_SIZE%.pem %KEY_SIZE%
|
@ -1,8 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem build a request for a cert that will be valid for ten years
|
||||
openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem sign the cert request with our ca, creating a cert/key pair
|
||||
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem delete any .old files created in this process, to avoid future file creation errors
|
||||
del /q %KEY_DIR%\*.old
|
@ -1,10 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem build a request for a cert that will be valid for ten years
|
||||
openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem sign the cert request with our ca, creating a cert/key pair
|
||||
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem convert the key/cert and embed the ca cert into a pkcs12 file.
|
||||
openssl pkcs12 -export -inkey %KEY_DIR%\%1.key -in %KEY_DIR%\%1.crt -certfile %KEY_DIR%\ca.crt -out %KEY_DIR%\%1.p12
|
||||
rem delete any .old files created in this process, to avoid future file creation errors
|
||||
del /q %KEY_DIR%\*.old
|
@ -1,8 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem build a request for a cert that will be valid for ten years
|
||||
openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem sign the cert request with our ca, creating a cert/key pair
|
||||
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
|
||||
rem delete any .old files created in this process, to avoid future file creation errors
|
||||
del /q %KEY_DIR%\*.old
|
@ -1,8 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem build a request for a cert that will be valid for ten years
|
||||
openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem sign the cert request with our ca, creating a cert/key pair
|
||||
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
|
||||
rem delete any .old files created in this process, to avoid future file creation errors
|
||||
del /q %KEY_DIR%\*.old
|
@ -1,8 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem build a request for a cert that will be valid for ten years
|
||||
openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem sign the cert request with our ca, creating a cert/key pair
|
||||
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
|
||||
rem delete any .old files created in this process, to avoid future file creation errors
|
||||
del /q %KEY_DIR%\*.old
|
@ -1,13 +0,0 @@
|
||||
@echo off
|
||||
rem move to the HOME directory specified in VARS script
|
||||
cd %HOME%
|
||||
rem set a temporary KEY_DIR variable
|
||||
set d=%KEY_DIR%
|
||||
rem delete the KEY_DIR and any subdirs quietly
|
||||
rmdir /s /q %d%
|
||||
rem make a new KEY_DIR
|
||||
mkdir %d%
|
||||
rem copy in a fesh index file so we begin with an empty database
|
||||
copy index.txt.start %d%\index.txt
|
||||
rem copy in a fresh serial file so we begin generating keys at index 01
|
||||
copy serial.start %d%\serial.
|
@ -1 +0,0 @@
|
||||
copy vars.bat.sample vars.bat
|
@ -1,13 +0,0 @@
|
||||
@echo off
|
||||
cd %HOME%
|
||||
rem revoke cert
|
||||
openssl ca -revoke %KEY_DIR%\%1.crt -config %KEY_CONFIG%
|
||||
rem generate new crl
|
||||
openssl ca -gencrl -out %KEY_DIR%\crl.pem -config %KEY_CONFIG%
|
||||
rem test revocation
|
||||
rem first concatinate ca cert with newly generated crl
|
||||
copy %KEY_DIR%\ca.crt+%KEY_DIR%\crl.pem %KEY_DIR%\revoke_test_file.pem
|
||||
rem now verify the revocation
|
||||
openssl verify -CAfile %KEY_DIR%\revoke_test_file.pem -crl_check %KEY_DIR%\%1.crt
|
||||
rem delete temporary test file
|
||||
del /q %KEY_DIR%\revoke_test_file.pem
|
@ -1 +0,0 @@
|
||||
01
|
@ -1,40 +0,0 @@
|
||||
@echo off
|
||||
rem Edit this variable to point to
|
||||
rem the openssl.cnf file included
|
||||
rem with easy-rsa.
|
||||
|
||||
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
|
||||
set KEY_CONFIG=openssl-1.0.0.cnf
|
||||
|
||||
rem Edit this variable to point to
|
||||
rem your soon-to-be-created key
|
||||
rem directory.
|
||||
rem
|
||||
rem WARNING: clean-all will do
|
||||
rem a rm -rf on this directory
|
||||
rem so make sure you define
|
||||
rem it correctly!
|
||||
set KEY_DIR=keys
|
||||
|
||||
rem Increase this to 2048 if you
|
||||
rem are paranoid. This will slow
|
||||
rem down TLS negotiation performance
|
||||
rem as well as the one-time DH parms
|
||||
rem generation process.
|
||||
set KEY_SIZE=1024
|
||||
|
||||
rem These are the default values for fields
|
||||
rem which will be placed in the certificate.
|
||||
rem Change these to reflect your site.
|
||||
rem Don't leave any of these parms blank.
|
||||
|
||||
set KEY_COUNTRY=US
|
||||
set KEY_PROVINCE=CA
|
||||
set KEY_CITY=SanFrancisco
|
||||
set KEY_ORG=OpenVPN
|
||||
set KEY_EMAIL=mail@host.domain
|
||||
set KEY_CN=changeme
|
||||
set KEY_NAME=changeme
|
||||
set KEY_OU=changeme
|
||||
set PKCS11_MODULE_PATH=changeme
|
||||
set PKCS11_PIN=1234
|
@ -222,7 +222,7 @@ fi
|
||||
%endif
|
||||
|
||||
# Install extra %doc stuff
|
||||
%doc contrib/ easy-rsa/ sample-*/ plugins/README.*
|
||||
%doc contrib/ sample-*/ plugins/README.*
|
||||
|
||||
%changelog
|
||||
* Thu Jul 30 2009 David Sommerseth <dazo@users.sourceforge.net>
|
||||
|
Loading…
Reference in New Issue
Block a user