aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2007-04-21 18:28:59 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2007-04-21 18:28:59 +0000
commit4030142857e4b3a7106417f95da4c200f4a0982f (patch)
tree3670af516b5d3480fe406263cabb5e96e29ae8e3
parentClean up configure on FreeBSD for recent autotool versions that (diff)
downloadopenvpn-4030142857e4b3a7106417f95da4c200f4a0982f.tar.xz
The easy-rsa directory installed by the windows installer comes with the
old easy-rsa 1.0 files. (even current openvpn-2.1_rc2-install.exe) This bug is not that critical, but it is annoying that easy-rsa still creates server certificates without extended key usage per default (openssl.cnf), making the windows user wonder about error messages if the recommended "remote-cert-tls" option is used. (In this case simply copying the openssl.cnf from the 2.0 directory did the job, for regular usage the path to opensc in the newly added pkcs11 section should be changed). And if possible please add the following three files to the "Windows" directory if easy-rsa. They allow to build password protected versions of the keys (I just copied the files and remove the "-nodes" parameter). Except of build-key-server-pass.bat i think that they are vital for security (e.g. the key files are in an unencrypted directory and physical access is possible). -- Daniel Zauft git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1862 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r--easy-rsa/Windows/build-ca-pass.bat8
-rw-r--r--easy-rsa/Windows/build-key-pass.bat8
-rw-r--r--easy-rsa/Windows/build-key-server-pass.bat8
3 files changed, 24 insertions, 0 deletions
diff --git a/easy-rsa/Windows/build-ca-pass.bat b/easy-rsa/Windows/build-ca-pass.bat
new file mode 100644
index 0000000..c0e046c
--- /dev/null
+++ b/easy-rsa/Windows/build-ca-pass.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-key-pass.bat b/easy-rsa/Windows/build-key-pass.bat
new file mode 100644
index 0000000..c0e046c
--- /dev/null
+++ b/easy-rsa/Windows/build-key-pass.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-key-server-pass.bat b/easy-rsa/Windows/build-key-server-pass.bat
new file mode 100644
index 0000000..953bc49
--- /dev/null
+++ b/easy-rsa/Windows/build-key-server-pass.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old