mirror of https://github.com/OpenVPN/openvpn.git, synced 2024-09-20 03:52:28 +02:00
4030142857
old easy-rsa 1.0 files. (even current openvpn-2.1_rc2-install.exe) This bug is not that critical, but it is annoying that easy-rsa still creates server certificates without extended key usage per default (openssl.cnf), making the Windows user wonder about error messages if the recommended "remote-cert-tls" option is used. (In this case simply copying the openssl.cnf from the 2.0 directory did the job; for regular usage the path to opensc in the newly added pkcs11 section should be changed.) And if possible please add the following three files to the "Windows" directory of easy-rsa. They allow building password-protected versions of the keys (I just copied the files and removed the "-nodes" parameter). Except for build-key-server-pass.bat, I think that they are vital for security (e.g. the key files are in an unencrypted directory and physical access is possible). -- Daniel Zauft

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1862 e7ae566f-a301-0410-adde-c780ea21d3b5
| File |
|---|
| build-ca-pass.bat |
| build-ca.bat |
| build-dh.bat |
| build-key-pass.bat |
| build-key-pkcs12.bat |
| build-key-server-pass.bat |
| build-key-server.bat |
| build-key.bat |
| clean-all.bat |
| index.txt.start |
| init-config.bat |
| README.txt |
| revoke-full.bat |
| serial.start |
| vars.bat.sample |
README.txt

Extract all zip'd files to the OpenVPN home directory, including the openssl.cnf file from the top-level "easy-rsa" directory.

First run init-config.bat

Next, edit vars.bat to adapt it to your environment, and create the directory that will hold your key files.

To generate TLS keys:

Create new empty index and serial files (once only)
1. vars
2. clean-all

Build a CA key (once only)
1. vars
2. build-ca

Build a DH file (for server side, once only)
1. vars
2. build-dh

Build a private key/certificate for the openvpn server
1. vars
2. build-key-server <machine-name>

Build key files in PEM format (for each client machine)
1. vars
2. build-key <machine-name>
   (use <machine name> for specific name within script)

or

Build key files in PKCS #12 format (for each client machine)
1. vars
2. build-key-pkcs12 <machine-name>
   (use <machine name> for specific name within script)

To revoke a TLS certificate and generate a CRL file:
1. vars
2. revoke-full <machine-name>
3. verify last line of output confirms revocation
4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>"
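The README steps above, as an added POSIX shell example that is not one of the easy-rsa batch files: it performs the build-ca, build-key-server and build-key steps with the openssl calls those scripts wrap, using a minimal openssl.cnf the script writes itself, then issues one server certificate the easy-rsa 1.0 way (no extended key usage) and applies the check that a client configured with "remote-cert-tls server" effectively performs. It assumes only that the openssl command-line tool is installed; every subject, file name and config section name is constructed for the example.

```shell
#!/bin/sh
# Added example, not one of the project's .bat files: the easy-rsa
# build-ca / build-key-server / build-key sequence as the plain openssl
# calls those scripts wrap, driven by a small openssl.cnf written here,
# plus the check behind the commit message: a server certificate needs
# extendedKeyUsage=serverAuth or "remote-cert-tls server" rejects it.
# Needs only the openssl CLI. All names and subjects are constructed.
set -eu

# Throwaway directory: the example never touches real key material.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/openssl.cnf"

# write_config: stand-in for easy-rsa's openssl.cnf. "server" is what the
# easy-rsa 2.0 file provides; "legacy_server" has no EKU, the 1.0 defect.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca
[ req_dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
[ legacy_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
EOF
}

# build_ca: self-signed CA (the "build-ca" step). -nodes leaves the CA key
# unencrypted like build-ca.bat does; build-ca-pass.bat is the same command
# without -nodes, so the key file is passphrase-protected.
build_ca() {
    write_config
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example-CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# issue_cert NAME SECTION: key + CSR for NAME, signed by the CA with the
# extensions of SECTION ("build-key-server" / "build-key" steps).
issue_cert() {
    name=$1
    section=$2
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$CNF" -extensions "$section" \
        -out "$WORKDIR/$name.crt" 2>/dev/null
}

# eku_of CERT: prints the EKU names, e.g. "TLS Web Server Authentication",
# or nothing when the extension is absent.
eku_of() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print }'
}

# check_server_cert CERT: what "remote-cert-tls server" amounts to. Prints
# "ok" (chain verifies for the sslserver purpose and EKU asserts serverAuth),
# "bad" (chain/purpose failure, e.g. a client cert offered as a server) or
# "missing-eku" (chain verifies but there is no EKU at all).
check_server_cert() {
    if ! openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslserver "$1" \
            >/dev/null 2>&1; then
        echo "bad"
    elif eku_of "$1" | grep -q "TLS Web Server Authentication"; then
        echo "ok"
    else
        echo "missing-eku"
    fi
}

# run_demo: build the CA and three certificates, then report each verdict.
run_demo() {
    build_ca
    issue_cert server server
    issue_cert client1 client
    issue_cert legacy-server legacy_server
    echo "server=$(check_server_cert "$WORKDIR/server.crt")"
    echo "client1=$(check_server_cert "$WORKDIR/client1.crt")"
    echo "legacy-server=$(check_server_cert "$WORKDIR/legacy-server.crt")"
}

run_demo
```

Run it with sh; set WORKDIR beforehand to keep the generated files for inspection. The legacy-server case reports missing-eku although plain chain validation (openssl verify) accepts it, which is exactly why a client using "remote-cert-tls server" fails against a certificate issued from an unpatched openssl.cnf while ordinary TLS validation looks fine. The keys are written with -nodes for non-interactive use; the -pass batch files this commit adds drop that flag so the private keys are passphrase-protected at rest.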