mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 03:52:28 +02:00
openvpn/easy-rsa/Windows
james 4030142857
The easy-rsa directory installed by the windows installer comes with the
old easy-rsa 1.0 files. (even current openvpn-2.1_rc2-install.exe)

This bug is not that critical, but it is annoying that easy-rsa still
creates server certificates without extended key usage per default
(openssl.cnf), making the windows user wonder about error messages if
the recommended "remote-cert-tls" option is used. (In this case simply
copying the openssl.cnf from the 2.0 directory did the job, for regular
usage the path to opensc in the newly added pkcs11 section should be
changed).

And if possible please add the following three files to the "Windows"
directory of easy-rsa. They allow building password protected versions
of the keys (I just copied the files and removed the "-nodes" parameter).
Except for build-key-server-pass.bat I think that they are vital for
security (e.g. the key files are in an unencrypted directory and
physical access is possible).  -- Daniel Zauft


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1862 e7ae566f-a301-0410-adde-c780ea21d3b5
2007-04-21 18:28:59 +00:00
File                       Last commit                                                               Date
build-ca-pass.bat          The easy-rsa directory installed by the windows installer comes with the  2007-04-21 18:28:59 +00:00
build-ca.bat               This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
build-dh.bat               This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
build-key-pass.bat         The easy-rsa directory installed by the windows installer comes with the  2007-04-21 18:28:59 +00:00
build-key-pkcs12.bat       This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
build-key-server-pass.bat  The easy-rsa directory installed by the windows installer comes with the  2007-04-21 18:28:59 +00:00
build-key-server.bat       This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
build-key.bat              This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
clean-all.bat              This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
index.txt.start            This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
init-config.bat            This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
README.txt                 This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
revoke-full.bat            This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
serial.start               This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00
vars.bat.sample            This is the start of the BETA21 branch.                                   2005-09-26 05:28:27 +00:00

Extract all zipped files to the OpenVPN home directory,
including the openssl.cnf file from the top-level
"easy-rsa" directory.

First run init-config.bat

Next, edit vars.bat to adapt it to your environment, and
create the directory that will hold your key files.
Restrict access to that directory: the private keys are
written there, and unless one of the *-pass scripts is used
they are stored unencrypted.

To generate TLS keys:

Create new empty index and serial files (once only)
1. vars
2. clean-all
   (clean-all empties the key directory; run it only when
   starting a new CA)

Build a CA key (once only)
1. vars
2. build-ca

Build a DH file (for server side, once only)
1. vars
2. build-dh

Build a private key/certificate for the openvpn server
1. vars
2. build-key-server <machine-name>
   (if clients use "remote-cert-tls server", check that the
   server certificate carries the extended key usage
   "TLS Web Server Authentication"; the openssl.cnf used by
   the 1.0 scripts may not add it, see the commit message
   above)

Build key files in PEM format (for each client machine)
1. vars
2. build-key <machine-name>
   (the script uses <machine-name> to name the generated
   files; use a different name for each client)

or

Build key files in PKCS #12 format (for each client machine)
1. vars
2. build-key-pkcs12 <machine-name>
   (the script uses <machine-name> to name the generated
   files; use a different name for each client)

build-ca-pass, build-key-pass and build-key-server-pass do the
same as build-ca, build-key and build-key-server but prompt for
a passphrase and write the private key encrypted with it; use
them when the key directory could be read by others.

To revoke a TLS certificate and generate a CRL file:
1. vars
2. revoke-full <machine-name>
3. verify that the last line of output confirms the revocation
   (revoke-full ends by checking the certificate against the
   new CRL, so it should be reported as revoked)
4. copy crl.pem to the server directory and ensure the config
   file uses "crl-verify <crl filename>"; the revoked
   certificate is still accepted until the server has the
   updated CRL
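The whole procedure above, carried out with the openssl commands that the batch files wrap, as an added example that is not part of easy-rsa or this README. It is written as a POSIX shell script rather than a .bat file; KEY_DIR, the config sections, the machine names and the passphrase are this example's own assumptions. It applies the two points from the commit message: server certificates get extendedKeyUsage=serverAuth, which is what a client's "remote-cert-tls server" checks for, and any key can be built encrypted by dropping -nodes, as the *-pass.bat variants do. It ends with the same kind of check revoke-full finishes with, a verify of the revoked certificate against the new CRL.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code: the openssl calls behind the batch
# files. Server certs carry extendedKeyUsage=serverAuth (what "remote-cert-tls
# server" on a client requires); keys can be generated encrypted (no -nodes).
# KEY_DIR, config sections, names and passphrases are assumptions of this example.
set -eu

KEY_DIR="${KEY_DIR:-$(pwd)/keys}"   # stands in for KEY_DIR from vars.bat
KEY_SIZE="${KEY_SIZE:-2048}"
CNF="$KEY_DIR/openssl.cnf"

# init-config + clean-all: fresh key dir, empty index/serial, minimal openssl.cnf.
init_config() {
  rm -rf "$KEY_DIR"; mkdir -p "$KEY_DIR"
  : > "$KEY_DIR/index.txt"
  echo 01 > "$KEY_DIR/serial"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $KEY_DIR
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
default_days = 3650
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# openssl ca, unattended; CA_PASS unlocks a CA key that was built with a passphrase.
run_ca() {
  if [ -n "${CA_PASS:-}" ]; then openssl ca -config "$CNF" -batch -passin "pass:$CA_PASS" "$@"
  else openssl ca -config "$CNF" -batch "$@"; fi
}
# build-ca (build-ca-pass when CA_PASS is set): self-signed CA with CA extensions.
build_ca() {
  if [ -n "${CA_PASS:-}" ]; then set -- -passout "pass:$CA_PASS"; else set -- -nodes; fi
  openssl req -x509 -new -newkey "rsa:$KEY_SIZE" "$@" -days 3650 -config "$CNF" \
    -extensions ca_ext -subj "/CN=Example CA" -keyout "$KEY_DIR/ca.key" -out "$KEY_DIR/ca.crt"
}
# build-key / build-key-server and their *-pass variants:
# $1 name, $2 extension section (server|client), $3 optional key passphrase (drops -nodes).
build_key() {
  name=$1; ext=$2; pw=${3:-}
  if [ -n "$pw" ]; then set -- -passout "pass:$pw"; else set -- -nodes; fi
  openssl req -new -newkey "rsa:$KEY_SIZE" "$@" -config "$CNF" -subj "/CN=$name" \
    -keyout "$KEY_DIR/$name.key" -out "$KEY_DIR/$name.csr"
  run_ca -extensions "$ext" -notext -in "$KEY_DIR/$name.csr" -out "$KEY_DIR/$name.crt" >/dev/null
}
build_dh() { openssl dhparam -out "$KEY_DIR/dh$KEY_SIZE.pem" "$KEY_SIZE"; }  # server side only; slow

# What "remote-cert-tls server" amounts to: chains to the CA and the EKU permits
# the sslserver purpose. $1 name, $2 sslserver|sslclient; exit status of openssl verify.
check_purpose() { openssl verify -CAfile "$KEY_DIR/ca.crt" -purpose "$2" "$KEY_DIR/$1.crt"; }

# revoke-full: mark $1 revoked and regenerate crl.pem for the server's crl-verify.
revoke_full() {
  run_ca -revoke "$KEY_DIR/$1.crt"
  run_ca -gencrl -out "$KEY_DIR/crl.pem"
}
# Non-zero once $1 is listed in crl.pem; the check revoke-full's last line reports.
check_crl() { openssl verify -crl_check -CAfile "$KEY_DIR/ca.crt" -CRLfile "$KEY_DIR/crl.pem" "$KEY_DIR/$1.crt"; }
key_is_encrypted() { grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$KEY_DIR/$1.key"; }

# Demo with constructed names: CA, server cert, encrypted client key, revoke the client.
init_config
build_ca
build_key server1 server
build_key client1 client "client1-passphrase"   # in real use let openssl prompt for it
check_purpose server1 sslserver
check_purpose client1 sslserver || echo "client1 rejected as a server, as remote-cert-tls would"
revoke_full client1
check_crl client1 || echo "client1 is revoked; install $KEY_DIR/crl.pem on the server (crl-verify)"
```

The check_purpose step is the one to run on a server certificate before handing out client configs with "remote-cert-tls server": a certificate issued without the serverAuth EKU verifies fine on its own but fails this purpose check, which is the error the commit message describes. build_dh is defined but not run in the demo because generating DH parameters takes a while.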