author | Samuli Seppänen <samuli@openvpn.net> | 2011-06-29 11:24:07 +0300 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2011-07-01 10:31:26 +0200 |
commit | 4ec60a5839c73b3840ad9297e9d9d15893085eff (patch) | |
tree | 36a8e23d3abceb0e5300e6bd1f4364762dec443e /easy-rsa/2.0 | |
parent | Revert "Add new openssl.cnf to easy-rsa/Windows" (diff) | |
download | openvpn-4ec60a5839c73b3840ad9297e9d9d15893085eff.tar.xz |
Updated "easy-rsa" for OpenSSL 1.0.0
This patch fixes remaining issues with Trac ticket #125. It does the following:
- Update easy-rsa/2.0/README
- Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf
- Add easy-rsa/2.0/openssl-1.0.0.cnf
- Updated vars.bat.sample to use openssl-1.0.0.cnf
- Updated win/openvpn.nsi to use openssl-1.0.0.cnf
- Add a few undefined variables to vars and vars.bat.sample:
required by OpenSSL 1.0.0 (at least on Windows)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'easy-rsa/2.0')
-rw-r--r-- | easy-rsa/2.0/README | 4 |
-rwxr-xr-x | easy-rsa/2.0/openssl-1.0.0.cnf (renamed from easy-rsa/2.0/openssl.cnf) | 30 |
-rwxr-xr-x | easy-rsa/2.0/vars | 6 |
3 files changed, 20 insertions, 20 deletions
diff --git a/easy-rsa/2.0/README b/easy-rsa/2.0/README index bde0d8c..6f5395c 100644 --- a/easy-rsa/2.0/README +++ b/easy-rsa/2.0/README @@ -74,8 +74,8 @@ Release Notes for easy-rsa-2.0 INSTALL easy-rsa 1. Edit vars. -2. Set KEY_CONFIG to point to the openssl.cnf file - included in this distribution. +2. Set KEY_CONFIG to point to the correct openssl-<version>.cnf + file included in this distribution. 3. Set KEY_DIR to point to a directory which will contain all keys, certificates, etc. This directory need not exist, and if it does, diff --git a/easy-rsa/2.0/openssl.cnf b/easy-rsa/2.0/openssl-1.0.0.cnf index 3e4d3b3..fa258a5 100755 --- a/easy-rsa/2.0/openssl.cnf +++ b/easy-rsa/2.0/openssl-1.0.0.cnf @@ -1,9 +1,4 @@ -# For use with easy-rsa version 2.0 - -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# +# For use with easy-rsa version 2.0 and OpenSSL 1.0.0* # This definition stops the following lines choking if HOME isn't # defined. @@ -15,12 +10,12 @@ openssl_conf = openssl_init # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids -engines = engine_section +engines = engine_section # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: -# extensions = +# extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -48,7 +43,7 @@ new_certs_dir = $dir # default place for new certs. certificate = $dir/ca.crt # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key +private_key = $dir/ca.key # The private key RANDFILE = $dir/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert 
@@ -59,7 +54,7 @@ x509_extensions = usr_cert # The extentions to add to the cert default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. +default_md = md5 # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -102,14 +97,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert # input_password = secret # output_password = secret -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. +# pkix : PrintableString, BMPString (PKIX recommendation after 2004). +# utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request @@ -151,6 +144,7 @@ organizationalUnitName_default = $ENV::KEY_OU commonName_default = $ENV::KEY_CN name_default = $ENV::KEY_NAME + # SET-ex3 = SET extension number 3 [ req_attributes ] @@ -196,6 +190,7 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=clientAuth keyUsage = digitalSignature + # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy 
@@ -214,8 +209,8 @@ keyUsage = digitalSignature # JY ADDED -- Make a cert with nsCertType set to "server" basicConstraints=CA:FALSE -nsCertType = server -nsComment = "Easy-RSA Generated Server Certificate" +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth @@ -288,4 +283,3 @@ dynamic_path = /usr/lib/engines/engine_pkcs11.so MODULE_PATH = $ENV::PKCS11_MODULE_PATH PIN = $ENV::PKCS11_PIN init = 0 - diff --git a/easy-rsa/2.0/vars b/easy-rsa/2.0/vars index cded885..2ea1ced 100755 --- a/easy-rsa/2.0/vars +++ b/easy-rsa/2.0/vars @@ -66,3 +66,9 @@ export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="me@myhost.mydomain" +export KEY_EMAIL=mail@host.domain +export KEY_CN=changeme +export KEY_NAME=changeme +export KEY_OU=changeme +export PKCS11_MODULE_PATH=changeme +export PKCS11_PIN=1234 |
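Review bot: README step 2 now says to point KEY_CONFIG at "the correct openssl-<version>.cnf" but does not say which files ship or how to choose between them. Name the available files (the commit message mentions openssl-0.9.8.cnf and openssl-1.0.0.cnf) and tell the reader to match the output of `openssl version`. The vars hunk in this diff adds variables but does not touch KEY_CONFIG, so it is worth confirming that vars no longer points at the old openssl.cnf name after the rename.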
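Review bot: in the openssl-1.0.0.cnf hunk at @@ -59,7 +54,7 the comment on default_md changes to "use public key default MD" while the value stays `md5`, so the comment no longer describes the setting. MD5 is not collision resistant and should not be the signing digest for a CA that issues VPN certificates. Either set the value to match the new comment or name a SHA-2 digest explicitly, and keep comment and value in agreement.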
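Review bot: in the string-mask comment block (@@ -102,14 +97,12), the new text marks pkix and utf8only as the PKIX recommendation after 2004 and drops the Netscape warning, yet `string_mask = nombstr` is left unchanged. With the only stated reason for caution removed, the file now documents a recommendation it does not follow. Either switch the mask or add a one-line comment saying why nombstr is kept.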
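Review bot: the vars hunk adds `export KEY_EMAIL=mail@host.domain` directly after the existing `export KEY_EMAIL="me@myhost.mydomain"`, so the second assignment silently overrides the first. Drop one of the two. The new `export PKCS11_PIN=1234` also puts a plausible-looking PIN into a file that users source as is. Prefer an obviously invalid placeholder, in line with the `changeme` used for the other new variables, and add a comment that these exist only because OpenSSL 1.0.0 requires the variables referenced in the cnf to be defined. The new values are also unquoted, unlike the existing lines above them.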