aboutsummaryrefslogtreecommitdiff
path: root/easy-rsa
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-10-28 20:29:40 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-10-28 20:29:40 +0000
commitdbec0a285f1001b111da63ecbe0f7d15bc9f4cbb (patch)
treeb312de3f30af6772aa4e29ae3b68526b3c3967a4 /easy-rsa
parentAdded man page entry for new environmental variable set (diff)
downloadopenvpn-dbec0a285f1001b111da63ecbe0f7d15bc9f4cbb.tar.xz
Modified pkitool to allow flexibility in separating
the Common Name convention from the cert/key filename convention. For example: KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james will crete a client certificate/key pair of james.crt/james.key having a Common Name of "James's Laptop" and a Name of "james". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3463 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'easy-rsa')
-rwxr-xr-xeasy-rsa/2.0/pkitool34
1 files changed, 20 insertions, 14 deletions
diff --git a/easy-rsa/2.0/pkitool b/easy-rsa/2.0/pkitool
index a18b1ae..7df760f 100755
--- a/easy-rsa/2.0/pkitool
+++ b/easy-rsa/2.0/pkitool
@@ -245,7 +245,7 @@ if [ -z "$KEY_NAME" ]; then
KEY_NAME=""
fi
-# Set KEY_CN
+# Set KEY_CN, FN
if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then
@@ -255,10 +255,15 @@ if [ $DO_ROOT -eq 1 ]; then
fi
fi
if [ $BATCH ] && [ "$KEY_CN" ]; then
- echo "Using CA Common Name:" $KEY_CN
+ echo "Using CA Common Name:" "$KEY_CN"
+ fi
+ FN="$KEY_CN"
+elif [ $BATCH ] && [ "$KEY_CN" ]; then
+ echo "Using Common Name:" "$KEY_CN"
+ FN="$KEY_CN"
+ if [ "$1" ]; then
+ FN="$1"
fi
-elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
- echo "Using Common Name:" $KEY_CN
else
if [ $# -ne 1 ]; then
usage
@@ -266,6 +271,7 @@ else
else
KEY_CN="$1"
fi
+ FN="$KEY_CN"
fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
@@ -342,21 +348,21 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
# Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
- -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
- ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
- -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
- ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
- -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
- ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \
- ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
+ -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
+ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
+ -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
+ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
+ -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
+ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
+ ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
# Load certificate into PKCS#11 token
if [ $DO_P11 -eq 1 ]; then
- $OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
+ $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
--login --pin "$PKCS11_PIN" \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
- [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
+ [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
fi
fi