aboutsummaryrefslogtreecommitdiff
path: root/easy-rsa/pkitool
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-11-02 18:09:01 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-11-02 18:09:01 +0000
commit8810c26cc5782addcf1f0a40212a7d1ebe827e6f (patch)
treecdf818d2e7f8058386fba0c2a989826c4102da8c /easy-rsa/pkitool
parentVERSION 2.1_beta6 (diff)
downloadopenvpn-8810c26cc5782addcf1f0a40212a7d1ebe827e6f.tar.xz
Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
be compatible with 2.0.x distribution. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@757 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'easy-rsa/pkitool')
-rwxr-xr-xeasy-rsa/pkitool233
1 files changed, 0 insertions, 233 deletions
diff --git a/easy-rsa/pkitool b/easy-rsa/pkitool
deleted file mode 100755
index 2d2d764..0000000
--- a/easy-rsa/pkitool
+++ /dev/null
@@ -1,233 +0,0 @@
-#!/bin/sh
-
-# OpenVPN -- An application to securely tunnel IP networks
-# over a single TCP/UDP port, with support for SSL/TLS-based
-# session authentication and key exchange,
-# packet encryption, packet authentication, and
-# packet compression.
-#
-# Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program (see the file COPYING included with this
-# distribution); if not, write to the Free Software Foundation, Inc.,
-# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-# pkitool is a front-end for the openssl tool.
-
-# Calling scripts can set the certificate organizational
-# unit with the KEY_OU environmental variable.
-
-PROGNAME=pkitool
-VERSION=2.0
-DEBUG=0
-
-GREP=grep
-OPENSSL=openssl
-
-need_vars()
-{
- echo ' Please edit the vars script to reflect your configuration,'
- echo ' then source it with "source ./vars".'
- echo ' Next, to start with a fresh PKI configuration and to delete any'
- echo ' previous certificates and keys, run "./clean-all".'
- echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
-}
-
-usage()
-{
- echo "$PROGNAME $VERSION"
- echo "Usage: $PROGNAME [options...] [common-name]"
- echo "Options:"
- echo " --batch : batch mode (default)"
- echo " --interact : interactive mode"
- echo " --server : build server cert"
- echo " --initca : build root CA"
- echo " --inter : build intermediate CA"
- echo " --pass : encrypt private key with password"
- echo " --csr : only generate a CSR, do not sign"
- echo " --sign : sign an existing CSR"
- echo " --pkcs12 : generate a combined pkcs12 file"
- echo "Notes:"
- need_vars
- echo "Generated files and corresponding OpenVPN directives:"
- echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
- echo " ca.crt -> root certificate (--ca)"
- echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
- echo " .crt files -> client/server certificates (--cert)"
- echo " .key files -> private keys, keep secure (--key)"
- echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
- echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
- echo "Examples:"
- echo " $PROGNAME --initca -> Build root certificate"
- echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
- echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
- echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
- echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
- echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS #12 format"
- echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
- echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
- echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
- echo " Also see ./inherit-inter script."
- echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
- echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
- echo " [edit vars with your site-specific info]"
- echo " source ./vars"
- echo " ./clean-all"
- echo " ./build-dh -> takes a long time, consider backgrounding"
- echo " ./$PROGNAME --initca"
- echo " ./$PROGNAME --server myserver"
- echo " ./$PROGNAME client1"
- echo " ./$PROGNAME --pass client2"
- echo "Typical usage for adding client cert to existing PKI:"
- echo " source ./vars"
- echo " ./$PROGNAME client-new"
-}
-
-# Set defaults
-DO_REQ="1"
-REQ_EXT=""
-DO_CA="1"
-CA_EXT=""
-DO_P12="0"
-DO_ROOT="0"
-NODES_REQ="-nodes"
-NODES_P12=""
-BATCH="-batch"
-CA="ca"
-
-# Process options
-while [ $# -gt 0 ]; do
- case "$1" in
- --server ) REQ_EXT="$REQ_EXT -extensions server"
- CA_EXT="$CA_EXT -extensions server" ;;
- --batch ) BATCH="-batch" ;;
- --interact ) BATCH="" ;;
- --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
- --initca ) DO_ROOT="1" ;;
- --pass ) NODES_REQ="" ;;
- --csr ) DO_CA="0" ;;
- --sign ) DO_REQ="0" ;;
- --pkcs12 ) DO_P12="1" ;;
- --* ) echo "$PROGNAME: unknown option: $1"
- exit 1 ;;
- * ) break ;;
- esac
- shift
-done
-
-# If we are generating pkcs12, only encrypt the final step
-if [ $DO_P12 -eq 1 ]; then
- NODES_P12="$NODES_REQ"
- NODES_REQ="-nodes"
-fi
-
-# If undefined, set default key expiration intervals
-if [ -z "$KEY_EXPIRE" ]; then
- KEY_EXPIRE=3650
-fi
-if [ -z "$CA_EXPIRE" ]; then
- CA_EXPIRE=3650
-fi
-
-# Set organizational unit to empty string if undefined
-if [ -z "$KEY_OU" ]; then
- KEY_OU=""
-fi
-
-# Set KEY_CN
-if [ $DO_ROOT -eq 1 ]; then
- if [ -z "$KEY_CN" ]; then
- if [ "$1" ]; then
- KEY_CN="$1"
- elif [ "$KEY_ORG" ]; then
- KEY_CN="$KEY_ORG CA"
- fi
- fi
- if [ $BATCH ] && [ "$KEY_CN" ]; then
- echo "Using CA Common Name:" $KEY_CN
- fi
-elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
- echo "Using Common Name:" $KEY_CN
-else
- if [ $# -ne 1 ]; then
- usage
- exit 1
- else
- KEY_CN="$1"
- fi
-fi
-export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN
-
-# Show parameters (debugging)
-if [ $DEBUG -eq 1 ]; then
- echo DO_REQ $DO_REQ
- echo REQ_EXT $REQ_EXT
- echo DO_CA $DO_CA
- echo CA_EXT $CA_EXT
- echo NODES_REQ $NODES_REQ
- echo NODES_P12 $NODES_P12
- echo DO_P12 $DO_P12
- echo KEY_CN $KEY_CN
- echo BATCH $BATCH
- echo DO_ROOT $DO_ROOT
- echo KEY_EXPIRE $KEY_EXPIRE
- echo CA_EXPIRE $CA_EXPIRE
- echo KEY_OU $KEY_OU
-fi
-
-# Make sure ./vars was sourced beforehand
-if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
- cd "$KEY_DIR"
-
- # Make sure $KEY_CONFIG points to the correct version
- # of openssl.cnf
- if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
- :
- else
- echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
- echo "version of openssl.cnf: $KEY_CONFIG"
- echo "The correct version should have a comment that says: easy-rsa version 2.x";
- exit 1;
- fi
-
- # Build root CA
- if [ $DO_ROOT -eq 1 ]; then
- $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \
- -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
- chmod 0600 "$CA.key"
- else
- # Make sure CA key/cert is available
- if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
- if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
- echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
- echo "Try $PROGNAME --initca to build a root certificate/key."
- exit 1
- fi
- fi
-
- # Build cert/key
- ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \
- -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \
- ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
- -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
- ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
- -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
- ( [ $DO_CA -eq 0 ] || chmod 0600 "$KEY_CN.key" ) && \
- ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
-
- fi
-
-# Need definitions
-else
- need_vars
-fi