aboutsummaryrefslogtreecommitdiff
path: root/easy-rsa
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-09-26 07:40:02 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-09-26 07:40:02 +0000
commit3c7f2f553be4b3ba9412c1b3f64a258c469d78f4 (patch)
tree9d58836b0f1eade372de7ce15c41d6555d55ef21 /easy-rsa
parentThis is the start of the BETA21 branch. (diff)
downloadopenvpn-3c7f2f553be4b3ba9412c1b3f64a258c469d78f4.tar.xz
version 2.1_beta1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@581 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'easy-rsa')
-rw-r--r--easy-rsa/1.0/README161
-rwxr-xr-xeasy-rsa/1.0/build-ca13
-rwxr-xr-xeasy-rsa/1.0/build-dh12
-rwxr-xr-xeasy-rsa/1.0/build-inter19
-rwxr-xr-xeasy-rsa/1.0/build-key20
-rwxr-xr-xeasy-rsa/1.0/build-key-pass20
-rwxr-xr-xeasy-rsa/1.0/build-key-pkcs1221
-rwxr-xr-xeasy-rsa/1.0/build-key-server22
-rwxr-xr-xeasy-rsa/1.0/build-req18
-rwxr-xr-xeasy-rsa/1.0/build-req-pass18
-rwxr-xr-xeasy-rsa/1.0/clean-all19
-rw-r--r--easy-rsa/1.0/list-crl18
-rw-r--r--easy-rsa/1.0/make-crl (renamed from easy-rsa/make-crl)0
-rw-r--r--easy-rsa/1.0/openssl.cnf255
-rw-r--r--easy-rsa/1.0/revoke-crt (renamed from easy-rsa/revoke-crt)0
-rwxr-xr-xeasy-rsa/1.0/revoke-full29
-rwxr-xr-xeasy-rsa/1.0/sign-req18
-rw-r--r--easy-rsa/1.0/vars49
-rw-r--r--easy-rsa/README193
-rwxr-xr-xeasy-rsa/build-ca11
-rwxr-xr-xeasy-rsa/build-dh9
-rwxr-xr-xeasy-rsa/build-inter18
-rwxr-xr-xeasy-rsa/build-key19
-rwxr-xr-xeasy-rsa/build-key-pass19
-rwxr-xr-xeasy-rsa/build-key-pkcs1219
-rwxr-xr-xeasy-rsa/build-key-server18
-rwxr-xr-xeasy-rsa/build-req17
-rwxr-xr-xeasy-rsa/build-req-pass17
-rwxr-xr-xeasy-rsa/clean-all21
-rwxr-xr-xeasy-rsa/inherit-inter39
-rwxr-xr-x[-rw-r--r--]easy-rsa/list-crl19
-rwxr-xr-x[-rw-r--r--]easy-rsa/openssl.cnf8
-rwxr-xr-xeasy-rsa/pkitool233
-rwxr-xr-xeasy-rsa/revoke-full44
-rwxr-xr-xeasy-rsa/sign-req17
-rwxr-xr-x[-rw-r--r--]easy-rsa/vars22
36 files changed, 1179 insertions, 276 deletions
diff --git a/easy-rsa/1.0/README b/easy-rsa/1.0/README
new file mode 100644
index 0000000..fd424ef
--- /dev/null
+++ b/easy-rsa/1.0/README
@@ -0,0 +1,161 @@
+This is a small RSA key management package,
+based on the openssl command line tool, that
+can be found in the easy-rsa subdirectory
+of the OpenVPN distribution.
+
+These are reference notes. For step
+by step instructions, see the HOWTO:
+
+http://openvpn.net/howto.html
+
+INSTALL
+
+1. Edit vars.
+2. Set KEY_CONFIG to point to the openssl.cnf file
+ included in this distribution.
+3. Set KEY_DIR to point to a directory which will
+ contain all keys, certificates, etc. This
+ directory need not exist, and if it does,
+ it will be deleted with rm -rf, so BE
+ CAREFUL how you set KEY_DIR.
+4. (Optional) Edit other fields in vars
+ per your site data. You may want to
+ increase KEY_SIZE to 2048 if you are
+ paranoid and don't mind slower key
+ processing, but certainly 1024 is
+ fine for testing purposes. KEY_SIZE
+ must be compatible across both peers
+ participating in a secure SSL/TLS
+ connection.
+5 . vars
+6. ./clean-all
+7. As you create certificates, keys, and
+ certificate signing requests, understand that
+ only .key files should be kept confidential.
+ .crt and .csr files can be sent over insecure
+ channels such as plaintext email.
+8. You should never need to copy a .key file
+ between computers. Normally each computer
+ will have its own certificate/key pair.
+
+BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
+
+1. ./build-ca
+2. ca.crt and ca.key will be built in your KEY_DIR
+ directory
+
+BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
+
+1. ./build-inter inter
+2. inter.crt and inter.key will be built in your KEY_DIR
+ directory and signed with your root certificate.
+
+BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
+the server end of a SSL/TLS connection).
+
+1. ./build-dh
+
+BUILD A CERTIFICATE SIGNING REQUEST (If
+you want to sign your certificate with a root
+certificate controlled by another individual
+or organization, or residing on a different machine).
+
+1. Get ca.crt (the root certificate) from your
+ certificate authority. Though this
+ transfer can be over an insecure channel, to prevent
+ man-in-the-middle attacks you must confirm that
+ ca.crt was not tampered with. Large CAs solve this
+ problem by hardwiring their root certificates into
+ popular web browsers. A simple way to verify a root
+ CA is to call the issuer on the telephone and confirm
+ that the md5sum or sha1sum signatures on the ca.crt
+ files match (such as with the command: "md5sum ca.crt").
+2. Choose a name for your certificate such as your computer
+ name. In our example we will use "mycert".
+3. ./build-req mycert
+4. You can ignore most of the fields, but set
+ "Common Name" to something unique such as your
+ computer's host name. Leave all password
+ fields blank, unless you want your private key
+ to be protected by password. Using a password
+ is not required -- it will make your key more secure
+ but also more inconvenient to use, because you will
+ need to supply your password anytime the key is used.
+ NOTE: if you are using a password, use ./build-req-pass
+ instead of ./build-req
+5. Your key will be written to $KEY_DIR/mycert.key
+6. Your certificate signing request will be written to
+ to $KEY_DIR/mycert.csr
+7. Email mycert.csr to the individual or organization
+ which controls the root certificate. This can be
+ done over an insecure channel.
+8. After the .csr file is signed by the root certificate
+ authority, you will receive a file mycert.crt
+ (your certificate). Place mycert.crt in your
+ KEY_DIR directory.
+9. The combined files of mycert.crt, mycert.key,
+ and ca.crt can now be used to secure one end of
+ an SSL/TLS connection.
+
+SIGN A CERTIFICATE SIGNING REQUEST
+
+1. ./sign-req mycert
+2. mycert.crt will be built in your KEY_DIR
+ directory using mycert.csr and your root CA
+ file as input.
+
+BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
+USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
+script generates and signs a certificate in one step,
+but it requires that the generated certificate and private
+key files be copied to the destination host over a
+secure channel.
+
+1. ./build-key mycert (no password protection)
+2. OR ./build-key-pass mycert (with password protection)
+3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
+4. OR ./build-key-server mycert (with nsCertType=server)
+5. mycert.crt and mycert.key will be built in your
+ KEY_DIR directory, and mycert.crt will be signed
+ by your root CA. If ./build-key-pkcs12 was used a
+ mycert.p12 file will also be created including the
+ private key, certificate and the ca certificate.
+
+IMPORTANT
+
+To avoid a possible Man-in-the-Middle attack where an authorized
+client tries to connect to another client by impersonating the
+server, make sure to enforce some kind of server certificate
+verification by clients. There are currently four different ways
+of accomplishing this, listed in the order of preference:
+
+(1) Build your server certificates with the build-key-server
+ script. This will designate the certificate as a
+ server-only certificate by setting nsCertType=server.
+ Now add the following line to your client configuration:
+
+ ns-cert-type server
+
+ This will block clients from connecting to any
+ server which lacks the nsCertType=server designation
+ in its certificate, even if the certificate has been
+ signed by the CA which is cited in the OpenVPN configuration
+ file (--ca directive).
+
+(2) Use the --tls-remote directive on the client to
+ accept/reject the server connection based on the common
+ name of the server certificate.
+
+(3) Use a --tls-verify script or plugin to accept/reject the
+ server connection based on a custom test of the server
+ certificate's embedded X509 subject details.
+
+(4) Sign server certificates with one CA and client certificates
+ with a different CA. The client config "ca" directive should
+ reference the server-signing CA while the server config "ca"
+ directive should reference the client-signing CA.
+
+NOTES
+
+Show certificate fields:
+ openssl x509 -in cert.crt -text
diff --git a/easy-rsa/1.0/build-ca b/easy-rsa/1.0/build-ca
new file mode 100755
index 0000000..5ad59cc
--- /dev/null
+++ b/easy-rsa/1.0/build-ca
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
+ chmod 0600 ca.key
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/build-dh b/easy-rsa/1.0/build-dh
new file mode 100755
index 0000000..6de4baf
--- /dev/null
+++ b/easy-rsa/1.0/build-dh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+#
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+#
+
+if test $KEY_DIR; then
+ openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/build-inter b/easy-rsa/1.0/build-inter
new file mode 100755
index 0000000..8b3a6b2
--- /dev/null
+++ b/easy-rsa/1.0/build-inter
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-inter <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+ openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/build-key b/easy-rsa/1.0/build-key
new file mode 100755
index 0000000..3159d2b
--- /dev/null
+++ b/easy-rsa/1.0/build-key
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-key <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+ chmod 0600 $1.key
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/build-key-pass b/easy-rsa/1.0/build-key-pass
new file mode 100755
index 0000000..03ab304
--- /dev/null
+++ b/easy-rsa/1.0/build-key-pass
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Similar to build-key, but protect the private key
+# with a password.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-key-pass <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+ chmod 0600 $1.key
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/build-key-pkcs12 b/easy-rsa/1.0/build-key-pkcs12
new file mode 100755
index 0000000..f8a057b
--- /dev/null
+++ b/easy-rsa/1.0/build-key-pkcs12
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+if test $# -ne 1; then
+ echo "usage: build-key-pkcs12 <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+ openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
+ chmod 0600 $1.key $1.p12
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/build-key-server b/easy-rsa/1.0/build-key-server
new file mode 100755
index 0000000..30dc41e
--- /dev/null
+++ b/easy-rsa/1.0/build-key-server
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+if test $# -ne 1; then
+ echo "usage: build-key-server <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
+ chmod 0600 $1.key
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/build-req b/easy-rsa/1.0/build-req
new file mode 100755
index 0000000..30f62f5
--- /dev/null
+++ b/easy-rsa/1.0/build-req
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Build a certificate signing request and private key. Use this
+# when your root certificate and key is not available locally.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-req <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/build-req-pass b/easy-rsa/1.0/build-req-pass
new file mode 100755
index 0000000..829b286
--- /dev/null
+++ b/easy-rsa/1.0/build-req-pass
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Like build-req, but protect your private key
+# with a password.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-req-pass <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/clean-all b/easy-rsa/1.0/clean-all
new file mode 100755
index 0000000..d10aef5
--- /dev/null
+++ b/easy-rsa/1.0/clean-all
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+#
+
+d=$KEY_DIR
+
+if test $d; then
+ rm -rf $d
+ mkdir $d && \
+ chmod go-rwx $d && \
+ touch $d/index.txt && \
+ echo 01 >$d/serial
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/list-crl b/easy-rsa/1.0/list-crl
new file mode 100644
index 0000000..b214dbd
--- /dev/null
+++ b/easy-rsa/1.0/list-crl
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# list revoked certificates
+#
+#
+
+if test $# -ne 1; then
+ echo "usage: list-crl <crlfile.pem>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl crl -text -noout -in $1
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/make-crl b/easy-rsa/1.0/make-crl
index 62fe6c1..62fe6c1 100644
--- a/easy-rsa/make-crl
+++ b/easy-rsa/1.0/make-crl
diff --git a/easy-rsa/1.0/openssl.cnf b/easy-rsa/1.0/openssl.cnf
new file mode 100644
index 0000000..270b069
--- /dev/null
+++ b/easy-rsa/1.0/openssl.cnf
@@ -0,0 +1,255 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::KEY_DIR # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = $ENV::KEY_SIZE
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = $ENV::KEY_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = $ENV::KEY_PROVINCE
+
+localityName = Locality Name (eg, city)
+localityName_default = $ENV::KEY_CITY
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = $ENV::KEY_EMAIL
+emailAddress_max = 40
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/easy-rsa/revoke-crt b/easy-rsa/1.0/revoke-crt
index 35b071a..35b071a 100644
--- a/easy-rsa/revoke-crt
+++ b/easy-rsa/1.0/revoke-crt
diff --git a/easy-rsa/1.0/revoke-full b/easy-rsa/1.0/revoke-full
new file mode 100755
index 0000000..66ea03f
--- /dev/null
+++ b/easy-rsa/1.0/revoke-full
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL=crl.pem
+RT=revoke-test.pem
+
+if test $# -ne 1; then
+ echo "usage: revoke-full <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR
+ rm -f $RT
+
+ # revoke key and generate a new CRL
+ openssl ca -revoke $1.crt -config $KEY_CONFIG
+
+ # generate a new CRL
+ openssl ca -gencrl -out $CRL -config $KEY_CONFIG
+ cat ca.crt $CRL >$RT
+
+ # verify the revocation
+ openssl verify -CAfile $RT -crl_check $1.crt
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/sign-req b/easy-rsa/1.0/sign-req
new file mode 100755
index 0000000..59edc42
--- /dev/null
+++ b/easy-rsa/1.0/sign-req
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+#
+
+if test $# -ne 1; then
+ echo "usage: sign-req <name>";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/1.0/vars b/easy-rsa/1.0/vars
new file mode 100644
index 0000000..da89cd2
--- /dev/null
+++ b/easy-rsa/1.0/vars
@@ -0,0 +1,49 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export D=`pwd`
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=$D/openssl.cnf
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR=$D/keys
+
+# Issue rm -rf warning
+echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# Increase this to 2048 if you
+# are paranoid. This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY=KG
+export KEY_PROVINCE=NA
+export KEY_CITY=BISHKEK
+export KEY_ORG="OpenVPN-TEST"
+export KEY_EMAIL="me@myhost.mydomain"
diff --git a/easy-rsa/README b/easy-rsa/README
index fd424ef..02800c2 100644
--- a/easy-rsa/README
+++ b/easy-rsa/README
@@ -1,14 +1,53 @@
-This is a small RSA key management package,
-based on the openssl command line tool, that
-can be found in the easy-rsa subdirectory
+EASY-RSA Version 2.0-rc1
+
+This is a small RSA key management package, based on the openssl
+command line tool, that can be found in the easy-rsa subdirectory
of the OpenVPN distribution.
-These are reference notes. For step
-by step instructions, see the HOWTO:
+These are reference notes. For step-by-step instructions, see the
+HOWTO:
http://openvpn.net/howto.html
-INSTALL
+This package is based on the ./pkitool script. Run ./pkitool
+without arguments for a detailed help message (which is also pasted
+below).
+
+Release Notes for easy-rsa-2.0
+
+* Most functionality has been consolidated into the pkitool
+ script. For compatibility, all previous scripts from 1.0 such
+ as build-key and build-key-server are provided as stubs
+ which call pkitool to do the real work.
+
+* pkitool has a --batch flag (enabled by default) which generates
+ keys/certs without needing any interactive input. pkitool
+ can still generate certs/keys using interactive prompting by
+ using the --interact flag.
+
+* The inherit-inter script has been provided for creating
+ a new PKI rooted on an intermediate certificate built within a
+ higher-level PKI. See comments in the inherit-inter script
+ for more info.
+
+* The openssl.cnf file has been modified. pkitool will not
+ work with the openssl.cnf file included with previous
+ easy-rsa releases.
+
+* The vars file has been modified -- the following extra
+ variables have been added: EASY_RSA, CA_EXPIRE,
+ KEY_EXPIRE.
+
+* The make-crl and revoke-crt scripts have been removed and
+ are replaced by the revoke-full script.
+
+* The "Organizational Unit" X509 field can be set using
+ the KEY_OU environmental variable before calling pkitool.
+
+* This release only affects the Linux/Unix version of easy-rsa.
+ The Windows version (written to use the Windows shell) is unchanged.
+
+INSTALL easy-rsa
1. Edit vars.
2. Set KEY_CONFIG to point to the openssl.cnf file
@@ -34,92 +73,6 @@ INSTALL
only .key files should be kept confidential.
.crt and .csr files can be sent over insecure
channels such as plaintext email.
-8. You should never need to copy a .key file
- between computers. Normally each computer
- will have its own certificate/key pair.
-
-BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
-
-1. ./build-ca
-2. ca.crt and ca.key will be built in your KEY_DIR
- directory
-
-BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
-
-1. ./build-inter inter
-2. inter.crt and inter.key will be built in your KEY_DIR
- directory and signed with your root certificate.
-
-BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
-the server end of a SSL/TLS connection).
-
-1. ./build-dh
-
-BUILD A CERTIFICATE SIGNING REQUEST (If
-you want to sign your certificate with a root
-certificate controlled by another individual
-or organization, or residing on a different machine).
-
-1. Get ca.crt (the root certificate) from your
- certificate authority. Though this
- transfer can be over an insecure channel, to prevent
- man-in-the-middle attacks you must confirm that
- ca.crt was not tampered with. Large CAs solve this
- problem by hardwiring their root certificates into
- popular web browsers. A simple way to verify a root
- CA is to call the issuer on the telephone and confirm
- that the md5sum or sha1sum signatures on the ca.crt
- files match (such as with the command: "md5sum ca.crt").
-2. Choose a name for your certificate such as your computer
- name. In our example we will use "mycert".
-3. ./build-req mycert
-4. You can ignore most of the fields, but set
- "Common Name" to something unique such as your
- computer's host name. Leave all password
- fields blank, unless you want your private key
- to be protected by password. Using a password
- is not required -- it will make your key more secure
- but also more inconvenient to use, because you will
- need to supply your password anytime the key is used.
- NOTE: if you are using a password, use ./build-req-pass
- instead of ./build-req
-5. Your key will be written to $KEY_DIR/mycert.key
-6. Your certificate signing request will be written to
- to $KEY_DIR/mycert.csr
-7. Email mycert.csr to the individual or organization
- which controls the root certificate. This can be
- done over an insecure channel.
-8. After the .csr file is signed by the root certificate
- authority, you will receive a file mycert.crt
- (your certificate). Place mycert.crt in your
- KEY_DIR directory.
-9. The combined files of mycert.crt, mycert.key,
- and ca.crt can now be used to secure one end of
- an SSL/TLS connection.
-
-SIGN A CERTIFICATE SIGNING REQUEST
-
-1. ./sign-req mycert
-2. mycert.crt will be built in your KEY_DIR
- directory using mycert.csr and your root CA
- file as input.
-
-BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
-USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
-script generates and signs a certificate in one step,
-but it requires that the generated certificate and private
-key files be copied to the destination host over a
-secure channel.
-
-1. ./build-key mycert (no password protection)
-2. OR ./build-key-pass mycert (with password protection)
-3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
-4. OR ./build-key-server mycert (with nsCertType=server)
-5. mycert.crt and mycert.key will be built in your
- KEY_DIR directory, and mycert.crt will be signed
- by your root CA. If ./build-key-pkcs12 was used a
- mycert.p12 file will also be created including the
- private key, certificate and the ca certificate.
IMPORTANT
@@ -130,7 +83,8 @@ verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference:
(1) Build your server certificates with the build-key-server
- script. This will designate the certificate as a
+ script, or using the --server option to pkitool.
+ This will designate the certificate as a
server-only certificate by setting nsCertType=server.
Now add the following line to your client configuration:
@@ -159,3 +113,56 @@ NOTES
Show certificate fields:
openssl x509 -in cert.crt -text
+
+PKITOOL documentation
+
+pkitool 2.0
+Usage: pkitool [options...] [common-name]
+Options:
+ --batch : batch mode (default)
+ --interact : interactive mode
+ --server : build server cert
+ --initca : build root CA
+ --inter : build intermediate CA
+ --pass : encrypt private key with password
+ --csr : only generate a CSR, do not sign
+ --sign : sign an existing CSR
+ --pkcs12 : generate a combined pkcs12 file
+Notes:
+ Please edit the vars script to reflect your configuration,
+ then source it with "source ./vars".
+ Next, to start with a fresh PKI configuration and to delete any
+ previous certificates and keys, run "./clean-all".
+ Finally, you can run this tool (pkitool) to build certificates/keys.
+Generated files and corresponding OpenVPN directives:
+(Files will be placed in the $KEY_DIR directory, defined in ./vars)
+ ca.crt -> root certificate (--ca)
+ ca.key -> root key, keep secure (not directly used by OpenVPN)
+ .crt files -> client/server certificates (--cert)
+ .key files -> private keys, keep secure (--key)
+ .csr files -> certificate signing request (not directly used by OpenVPN)
+ dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
+Examples:
+ pkitool --initca -> Build root certificate
+ pkitool --initca --pass -> Build root certificate with password-protected key
+ pkitool --server server1 -> Build "server1" certificate/key
+ pkitool client1 -> Build "client1" certificate/key
+ pkitool --pass client2 -> Build password-protected "client2" certificate/key
+ pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS #12 format
+ pkitool --csr client4 -> Build "client4" CSR to be signed by another CA
+ pkitool --sign client4 -> Sign "client4" CSR
+ pkitool --inter interca -> Build an intermediate key-signing certificate/key
+ Also see ./inherit-inter script.
+Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
+Protect client2 key with a password. Build DH parms. Generated files in ./keys :
+ [edit vars with your site-specific info]
+ source ./vars
+ ./clean-all
+ ./build-dh -> takes a long time, consider backgrounding
+ ./pkitool --initca
+ ./pkitool --server myserver
+ ./pkitool client1
+ ./pkitool --pass client2
+Typical usage for adding client cert to existing PKI:
+ source ./vars
+ ./pkitool client-new
diff --git a/easy-rsa/build-ca b/easy-rsa/build-ca
index 5ad59cc..fb1e2ca 100755
--- a/easy-rsa/build-ca
+++ b/easy-rsa/build-ca
@@ -1,13 +1,8 @@
-#!/bin/sh
+#!/bin/bash
#
# Build a root certificate
#
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
- chmod 0600 ca.key
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*
diff --git a/easy-rsa/build-dh b/easy-rsa/build-dh
index 6de4baf..ec7a805 100755
--- a/easy-rsa/build-dh
+++ b/easy-rsa/build-dh
@@ -1,12 +1,11 @@
-#!/bin/sh
+#!/bin/bash
-#
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
-#
-if test $KEY_DIR; then
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
- echo you must define KEY_DIR
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
fi
diff --git a/easy-rsa/build-inter b/easy-rsa/build-inter
index 8b3a6b2..f831d6f 100755
--- a/easy-rsa/build-inter
+++ b/easy-rsa/build-inter
@@ -1,19 +1,7 @@
-#!/bin/sh
+#!/bin/bash
-#
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
-#
-if test $# -ne 1; then
- echo "usage: build-inter <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
- openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*
diff --git a/easy-rsa/build-key b/easy-rsa/build-key
index 3159d2b..6196308 100755
--- a/easy-rsa/build-key
+++ b/easy-rsa/build-key
@@ -1,20 +1,7 @@
-#!/bin/sh
+#!/bin/bash
-#
# Make a certificate/private key pair using a locally generated
# root certificate.
-#
-if test $# -ne 1; then
- echo "usage: build-key <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
- chmod 0600 $1.key
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*
diff --git a/easy-rsa/build-key-pass b/easy-rsa/build-key-pass
index 03ab304..35543e0 100755
--- a/easy-rsa/build-key-pass
+++ b/easy-rsa/build-key-pass
@@ -1,20 +1,7 @@
-#!/bin/sh
+#!/bin/bash
-#
# Similar to build-key, but protect the private key
# with a password.
-#
-if test $# -ne 1; then
- echo "usage: build-key-pass <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
- chmod 0600 $1.key
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*
diff --git a/easy-rsa/build-key-pkcs12 b/easy-rsa/build-key-pkcs12
index f8a057b..5ef064f 100755
--- a/easy-rsa/build-key-pkcs12
+++ b/easy-rsa/build-key-pkcs12
@@ -1,21 +1,8 @@
-#!/bin/sh
+#!/bin/bash
-#
# Make a certificate/private key pair using a locally generated
# root certificate and convert it to a PKCS #12 file including the
# the CA certificate as well.
-if test $# -ne 1; then
- echo "usage: build-key-pkcs12 <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
- openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
- chmod 0600 $1.key $1.p12
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*
diff --git a/easy-rsa/build-key-server b/easy-rsa/build-key-server
index 30dc41e..5502675 100755
--- a/easy-rsa/build-key-server
+++ b/easy-rsa/build-key-server
@@ -1,22 +1,10 @@
-#!/bin/sh
+#!/bin/bash
-#
# Make a certificate/private key pair using a locally generated
# root certificate.
#
# Explicitly set nsCertType to server using the "server"
# extension in the openssl.cnf file.
-if test $# -ne 1; then
- echo "usage: build-key-server <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
- chmod 0600 $1.key
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*
diff --git a/easy-rsa/build-req b/easy-rsa/build-req
index 30f62f5..26587d1 100755
--- a/easy-rsa/build-req
+++ b/easy-rsa/build-req
@@ -1,18 +1,7 @@
-#!/bin/sh
+#!/bin/bash
-#
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
-#
-if test $# -ne 1; then
- echo "usage: build-req <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*
diff --git a/easy-rsa/build-req-pass b/easy-rsa/build-req-pass
index 829b286..6e6c863 100755
--- a/easy-rsa/build-req-pass
+++ b/easy-rsa/build-req-pass
@@ -1,18 +1,7 @@
-#!/bin/sh
+#!/bin/bash
-#
# Like build-req, but protect your private key
# with a password.
-#
-if test $# -ne 1; then
- echo "usage: build-req-pass <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*
diff --git a/easy-rsa/clean-all b/easy-rsa/clean-all
index d10aef5..0576db5 100755
--- a/easy-rsa/clean-all
+++ b/easy-rsa/clean-all
@@ -1,19 +1,16 @@
-#!/bin/sh
+#!/bin/bash
-#
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
-#
-d=$KEY_DIR
-
-if test $d; then
- rm -rf $d
- mkdir $d && \
- chmod go-rwx $d && \
- touch $d/index.txt && \
- echo 01 >$d/serial
+if [ "$KEY_DIR" ]; then
+ rm -rf "$KEY_DIR"
+ mkdir "$KEY_DIR" && \
+ chmod go-rwx "$KEY_DIR" && \
+ touch "$KEY_DIR/index.txt" && \
+ echo 01 >"$KEY_DIR/serial"
else
- echo you must define KEY_DIR
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
fi
diff --git a/easy-rsa/inherit-inter b/easy-rsa/inherit-inter
new file mode 100755
index 0000000..2101951
--- /dev/null
+++ b/easy-rsa/inherit-inter
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent. This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+
+if [ $# -ne 2 ]; then
+ echo "usage: $0 <parent-key-dir> <common-name>"
+ echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+ echo "common-name: the common name of the intermediate certificate in the parent PKI"
+ exit 1;
+fi
+
+if [ "$KEY_DIR" ]; then
+ cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+ cp "$1/$2.key" "$KEY_DIR/ca.key"
+
+ if [ -e "$1/$EXPORT_CA" ]; then
+ PARENT_CA="$1/$EXPORT_CA"
+ else
+ PARENT_CA="$1/ca.crt"
+ fi
+ cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+ cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/easy-rsa/list-crl b/easy-rsa/list-crl
index b214dbd..7736fa8 100644..100755
--- a/easy-rsa/list-crl
+++ b/easy-rsa/list-crl
@@ -1,18 +1,13 @@
-#!/bin/sh
+#!/bin/bash
-#
# list revoked certificates
-#
-#
-if test $# -ne 1; then
- echo "usage: list-crl <crlfile.pem>";
- exit 1
-fi
+CRL="${1:-crl.pem}"
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl crl -text -noout -in $1
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR" && \
+ openssl crl -text -noout -in "$CRL"
else
- echo you must define KEY_DIR
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
fi
diff --git a/easy-rsa/openssl.cnf b/easy-rsa/openssl.cnf
index 270b069..7fedebe 100644..100755
--- a/easy-rsa/openssl.cnf
+++ b/easy-rsa/openssl.cnf
@@ -1,3 +1,5 @@
+# For use with easy-rsa version 2.0
+
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
@@ -60,7 +62,7 @@ preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
-policy = policy_match
+policy = policy_anything
# For the CA policy
[ policy_match ]
@@ -136,6 +138,10 @@ emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
# SET-ex3 = SET extension number 3
[ req_attributes ]
diff --git a/easy-rsa/pkitool b/easy-rsa/pkitool
new file mode 100755
index 0000000..2d2d764
--- /dev/null
+++ b/easy-rsa/pkitool
@@ -0,0 +1,233 @@
+#!/bin/sh
+
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single TCP/UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program (see the file COPYING included with this
+# distribution); if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# pkitool is a front-end for the openssl tool.
+
+# Calling scripts can set the certificate organizational
+# unit with the KEY_OU environmental variable.
+
+PROGNAME=pkitool
+VERSION=2.0
+DEBUG=0
+
+GREP=grep
+OPENSSL=openssl
+
+need_vars()
+{
+ echo ' Please edit the vars script to reflect your configuration,'
+ echo ' then source it with "source ./vars".'
+ echo ' Next, to start with a fresh PKI configuration and to delete any'
+ echo ' previous certificates and keys, run "./clean-all".'
+ echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
+}
+
+usage()
+{
+ echo "$PROGNAME $VERSION"
+ echo "Usage: $PROGNAME [options...] [common-name]"
+ echo "Options:"
+ echo " --batch : batch mode (default)"
+ echo " --interact : interactive mode"
+ echo " --server : build server cert"
+ echo " --initca : build root CA"
+ echo " --inter : build intermediate CA"
+ echo " --pass : encrypt private key with password"
+ echo " --csr : only generate a CSR, do not sign"
+ echo " --sign : sign an existing CSR"
+ echo " --pkcs12 : generate a combined pkcs12 file"
+ echo "Notes:"
+ need_vars
+ echo "Generated files and corresponding OpenVPN directives:"
+ echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
+ echo " ca.crt -> root certificate (--ca)"
+ echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
+ echo " .crt files -> client/server certificates (--cert)"
+ echo " .key files -> private keys, keep secure (--key)"
+ echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
+ echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
+ echo "Examples:"
+ echo " $PROGNAME --initca -> Build root certificate"
+ echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
+ echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
+ echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
+ echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
+ echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS #12 format"
+ echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
+ echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
+ echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
+ echo " Also see ./inherit-inter script."
+ echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
+ echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
+ echo " [edit vars with your site-specific info]"
+ echo " source ./vars"
+ echo " ./clean-all"
+ echo " ./build-dh -> takes a long time, consider backgrounding"
+ echo " ./$PROGNAME --initca"
+ echo " ./$PROGNAME --server myserver"
+ echo " ./$PROGNAME client1"
+ echo " ./$PROGNAME --pass client2"
+ echo "Typical usage for adding client cert to existing PKI:"
+ echo " source ./vars"
+ echo " ./$PROGNAME client-new"
+}
+
+# Set defaults
+DO_REQ="1"
+REQ_EXT=""
+DO_CA="1"
+CA_EXT=""
+DO_P12="0"
+DO_ROOT="0"
+NODES_REQ="-nodes"
+NODES_P12=""
+BATCH="-batch"
+CA="ca"
+
+# Process options
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --server ) REQ_EXT="$REQ_EXT -extensions server"
+ CA_EXT="$CA_EXT -extensions server" ;;
+ --batch ) BATCH="-batch" ;;
+ --interact ) BATCH="" ;;
+ --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
+ --initca ) DO_ROOT="1" ;;
+ --pass ) NODES_REQ="" ;;
+ --csr ) DO_CA="0" ;;
+ --sign ) DO_REQ="0" ;;
+ --pkcs12 ) DO_P12="1" ;;
+ --* ) echo "$PROGNAME: unknown option: $1"
+ exit 1 ;;
+ * ) break ;;
+ esac
+ shift
+done
+
+# If we are generating pkcs12, only encrypt the final step
+if [ $DO_P12 -eq 1 ]; then
+ NODES_P12="$NODES_REQ"
+ NODES_REQ="-nodes"
+fi
+
+# If undefined, set default key expiration intervals
+if [ -z "$KEY_EXPIRE" ]; then
+ KEY_EXPIRE=3650
+fi
+if [ -z "$CA_EXPIRE" ]; then
+ CA_EXPIRE=3650
+fi
+
+# Set organizational unit to empty string if undefined
+if [ -z "$KEY_OU" ]; then
+ KEY_OU=""
+fi
+
+# Set KEY_CN
+if [ $DO_ROOT -eq 1 ]; then
+ if [ -z "$KEY_CN" ]; then
+ if [ "$1" ]; then
+ KEY_CN="$1"
+ elif [ "$KEY_ORG" ]; then
+ KEY_CN="$KEY_ORG CA"
+ fi
+ fi
+ if [ $BATCH ] && [ "$KEY_CN" ]; then
+ echo "Using CA Common Name:" $KEY_CN
+ fi
+elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
+ echo "Using Common Name:" $KEY_CN
+else
+ if [ $# -ne 1 ]; then
+ usage
+ exit 1
+ else
+ KEY_CN="$1"
+ fi
+fi
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN
+
+# Show parameters (debugging)
+if [ $DEBUG -eq 1 ]; then
+ echo DO_REQ $DO_REQ
+ echo REQ_EXT $REQ_EXT
+ echo DO_CA $DO_CA
+ echo CA_EXT $CA_EXT
+ echo NODES_REQ $NODES_REQ
+ echo NODES_P12 $NODES_P12
+ echo DO_P12 $DO_P12
+ echo KEY_CN $KEY_CN
+ echo BATCH $BATCH
+ echo DO_ROOT $DO_ROOT
+ echo KEY_EXPIRE $KEY_EXPIRE
+ echo CA_EXPIRE $CA_EXPIRE
+ echo KEY_OU $KEY_OU
+fi
+
+# Make sure ./vars was sourced beforehand
+if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
+ cd "$KEY_DIR"
+
+ # Make sure $KEY_CONFIG points to the correct version
+ # of openssl.cnf
+ if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+ :
+ else
+ echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
+ echo "version of openssl.cnf: $KEY_CONFIG"
+ echo "The correct version should have a comment that says: easy-rsa version 2.x";
+ exit 1;
+ fi
+
+ # Build root CA
+ if [ $DO_ROOT -eq 1 ]; then
+ $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \
+ -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
+ chmod 0600 "$CA.key"
+ else
+ # Make sure CA key/cert is available
+ if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
+ if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
+ echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
+ echo "Try $PROGNAME --initca to build a root certificate/key."
+ exit 1
+ fi
+ fi
+
+ # Build cert/key
+ ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \
+ -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \
+ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
+ -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
+ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
+ -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
+ ( [ $DO_CA -eq 0 ] || chmod 0600 "$KEY_CN.key" ) && \
+ ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
+
+ fi
+
+# Need definitions
+else
+ need_vars
+fi
diff --git a/easy-rsa/revoke-full b/easy-rsa/revoke-full
index 66ea03f..9dc9b1e 100755
--- a/easy-rsa/revoke-full
+++ b/easy-rsa/revoke-full
@@ -1,29 +1,39 @@
-#!/bin/sh
+#!/bin/bash
# revoke a certificate, regenerate CRL,
# and verify revocation
-CRL=crl.pem
-RT=revoke-test.pem
+CRL="crl.pem"
+RT="revoke-test.pem"
-if test $# -ne 1; then
- echo "usage: revoke-full <name>";
- exit 1
+if [ $# -ne 1 ]; then
+ echo "usage: revoke-full <common-name>";
+ exit 1
fi
-if test $KEY_DIR; then
- cd $KEY_DIR
- rm -f $RT
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR"
+ rm -f "$RT"
- # revoke key and generate a new CRL
- openssl ca -revoke $1.crt -config $KEY_CONFIG
+ # set defaults
+ export KEY_CN=""
+ export KEY_OU=""
- # generate a new CRL
- openssl ca -gencrl -out $CRL -config $KEY_CONFIG
- cat ca.crt $CRL >$RT
+ # revoke key and generate a new CRL
+ openssl ca -revoke "$1.crt" -config "$KEY_CONFIG"
+
+ # generate a new CRL -- try to be compatible with
+ # intermediate PKIs
+ openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+ if [ -e export-ca.crt ]; then
+ cat export-ca.crt "$CRL" >"$RT"
+ else
+ cat ca.crt "$CRL" >"$RT"
+ fi
- # verify the revocation
- openssl verify -CAfile $RT -crl_check $1.crt
+ # verify the revocation
+ openssl verify -CAfile "$RT" -crl_check "$1.crt"
else
- echo you must define KEY_DIR
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
fi
diff --git a/easy-rsa/sign-req b/easy-rsa/sign-req
index 59edc42..38655d3 100755
--- a/easy-rsa/sign-req
+++ b/easy-rsa/sign-req
@@ -1,18 +1,7 @@
-#!/bin/sh
+#!/bin/bash
-#
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
-#
-if test $# -ne 1; then
- echo "usage: sign-req <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*
diff --git a/easy-rsa/vars b/easy-rsa/vars
index da89cd2..a4bd149 100644..100755
--- a/easy-rsa/vars
+++ b/easy-rsa/vars
@@ -12,12 +12,12 @@
# This variable should point to
# the top level of the easy-rsa
# tree.
-export D=`pwd`
+export EASY_RSA="`pwd`"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
-export KEY_CONFIG=$D/openssl.cnf
+export KEY_CONFIG="$EASY_RSA/openssl.cnf"
# Edit this variable to point to
# your soon-to-be-created key
@@ -27,10 +27,10 @@ export KEY_CONFIG=$D/openssl.cnf
# a rm -rf on this directory
# so make sure you define
# it correctly!
-export KEY_DIR=$D/keys
+export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
-echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
@@ -39,11 +39,17 @@ echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# generation process.
export KEY_SIZE=1024
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
-export KEY_COUNTRY=KG
-export KEY_PROVINCE=NA
-export KEY_CITY=BISHKEK
-export KEY_ORG="OpenVPN-TEST"
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"