diff options
Diffstat (limited to 'easy-rsa')
30 files changed, 890 insertions, 0 deletions
diff --git a/easy-rsa/README b/easy-rsa/README new file mode 100644 index 0000000..fd424ef --- /dev/null +++ b/easy-rsa/README @@ -0,0 +1,161 @@ +This is a small RSA key management package, +based on the openssl command line tool, that +can be found in the easy-rsa subdirectory +of the OpenVPN distribution. + +These are reference notes. For step +by step instructions, see the HOWTO: + +http://openvpn.net/howto.html + +INSTALL + +1. Edit vars. +2. Set KEY_CONFIG to point to the openssl.cnf file + included in this distribution. +3. Set KEY_DIR to point to a directory which will + contain all keys, certificates, etc. This + directory need not exist, and if it does, + it will be deleted with rm -rf, so BE + CAREFUL how you set KEY_DIR. +4. (Optional) Edit other fields in vars + per your site data. You may want to + increase KEY_SIZE to 2048 if you are + paranoid and don't mind slower key + processing, but certainly 1024 is + fine for testing purposes. KEY_SIZE + must be compatible across both peers + participating in a secure SSL/TLS + connection. +5 . vars +6. ./clean-all +7. As you create certificates, keys, and + certificate signing requests, understand that + only .key files should be kept confidential. + .crt and .csr files can be sent over insecure + channels such as plaintext email. +8. You should never need to copy a .key file + between computers. Normally each computer + will have its own certificate/key pair. + +BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY + +1. ./build-ca +2. ca.crt and ca.key will be built in your KEY_DIR + directory + +BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional) + +1. ./build-inter inter +2. inter.crt and inter.key will be built in your KEY_DIR + directory and signed with your root certificate. + +BUILD DIFFIE-HELLMAN PARAMETERS (necessary for +the server end of a SSL/TLS connection). + +1. ./build-dh + +BUILD A CERTIFICATE SIGNING REQUEST (If +you want to sign your certificate with a root +certificate controlled by another individual +or organization, or residing on a different machine). + +1. Get ca.crt (the root certificate) from your + certificate authority. Though this + transfer can be over an insecure channel, to prevent + man-in-the-middle attacks you must confirm that + ca.crt was not tampered with. Large CAs solve this + problem by hardwiring their root certificates into + popular web browsers. A simple way to verify a root + CA is to call the issuer on the telephone and confirm + that the md5sum or sha1sum signatures on the ca.crt + files match (such as with the command: "md5sum ca.crt"). +2. Choose a name for your certificate such as your computer + name. In our example we will use "mycert". +3. ./build-req mycert +4. You can ignore most of the fields, but set + "Common Name" to something unique such as your + computer's host name. Leave all password + fields blank, unless you want your private key + to be protected by password. Using a password + is not required -- it will make your key more secure + but also more inconvenient to use, because you will + need to supply your password anytime the key is used. + NOTE: if you are using a password, use ./build-req-pass + instead of ./build-req +5. Your key will be written to $KEY_DIR/mycert.key +6. Your certificate signing request will be written to + to $KEY_DIR/mycert.csr +7. Email mycert.csr to the individual or organization + which controls the root certificate. This can be + done over an insecure channel. +8. After the .csr file is signed by the root certificate + authority, you will receive a file mycert.crt + (your certificate). Place mycert.crt in your + KEY_DIR directory. +9. The combined files of mycert.crt, mycert.key, + and ca.crt can now be used to secure one end of + an SSL/TLS connection. + +SIGN A CERTIFICATE SIGNING REQUEST + +1. ./sign-req mycert +2. mycert.crt will be built in your KEY_DIR + directory using mycert.csr and your root CA + file as input. + +BUILD AND SIGN A CERTIFICATE SIGNING REQUEST +USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this +script generates and signs a certificate in one step, +but it requires that the generated certificate and private +key files be copied to the destination host over a +secure channel. + +1. ./build-key mycert (no password protection) +2. OR ./build-key-pass mycert (with password protection) +3. OR ./build-key-pkcs12 mycert (PKCS #12 format) +4. OR ./build-key-server mycert (with nsCertType=server) +5. mycert.crt and mycert.key will be built in your + KEY_DIR directory, and mycert.crt will be signed + by your root CA. If ./build-key-pkcs12 was used a + mycert.p12 file will also be created including the + private key, certificate and the ca certificate. + +IMPORTANT + +To avoid a possible Man-in-the-Middle attack where an authorized +client tries to connect to another client by impersonating the +server, make sure to enforce some kind of server certificate +verification by clients. There are currently four different ways +of accomplishing this, listed in the order of preference: + +(1) Build your server certificates with the build-key-server + script. This will designate the certificate as a + server-only certificate by setting nsCertType=server. + Now add the following line to your client configuration: + + ns-cert-type server + + This will block clients from connecting to any + server which lacks the nsCertType=server designation + in its certificate, even if the certificate has been + signed by the CA which is cited in the OpenVPN configuration + file (--ca directive). + +(2) Use the --tls-remote directive on the client to + accept/reject the server connection based on the common + name of the server certificate. + +(3) Use a --tls-verify script or plugin to accept/reject the + server connection based on a custom test of the server + certificate's embedded X509 subject details. + +(4) Sign server certificates with one CA and client certificates + with a different CA. The client config "ca" directive should + reference the server-signing CA while the server config "ca" + directive should reference the client-signing CA. + +NOTES + +Show certificate fields: + openssl x509 -in cert.crt -text diff --git a/easy-rsa/Windows/README.txt b/easy-rsa/Windows/README.txt new file mode 100644 index 0000000..2ede7b1 --- /dev/null +++ b/easy-rsa/Windows/README.txt @@ -0,0 +1,44 @@ +Extract all zip'd files to the OpenVPN home directory, +including the openssl.cnf file from the top-level +"easy-rsa" directory. + +First run init-config.bat + +Next, edit vars.bat to adapt it to your environment, and +create the directory that will hold your key files. + +To generate TLS keys: + +Create new empty index and serial files (once only) +1. vars +2. clean-all + +Build a CA key (once only) +1. vars +2. build-ca + +Build a DH file (for server side, once only) +1. vars +2. build-dh + +Build a private key/certficate for the openvpn server +1. vars +2. build-key-server <machine-name> + +Build key files in PEM format (for each client machine) +1. vars +2. build-key <machine-name> + (use <machine name> for specific name within script) + +or + +Build key files in PKCS #12 format (for each client machine) +1. vars +2. build-key-pkcs12 <machine-name> + (use <machine name> for specific name within script) + +To revoke a TLS certificate and generate a CRL file: +1. vars +2. revoke-full <machine-name> +3. verify last line of output confirms revokation +4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>" diff --git a/easy-rsa/Windows/build-ca.bat b/easy-rsa/Windows/build-ca.bat new file mode 100644 index 0000000..a3f234b --- /dev/null +++ b/easy-rsa/Windows/build-ca.bat @@ -0,0 +1,4 @@ +@echo off +cd %HOME% +rem build a cert authority valid for ten years, starting now +openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG% diff --git a/easy-rsa/Windows/build-dh.bat b/easy-rsa/Windows/build-dh.bat new file mode 100644 index 0000000..74bc603 --- /dev/null +++ b/easy-rsa/Windows/build-dh.bat @@ -0,0 +1,4 @@ +@echo off +cd %HOME% +rem build a dh file for the server side +openssl dhparam -out %KEY_DIR%/dh%KEY_SIZE%.pem %KEY_SIZE% diff --git a/easy-rsa/Windows/build-key-pkcs12.bat b/easy-rsa/Windows/build-key-pkcs12.bat new file mode 100644 index 0000000..1fc083e --- /dev/null +++ b/easy-rsa/Windows/build-key-pkcs12.bat @@ -0,0 +1,10 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem convert the key/cert and embed the ca cert into a pkcs12 file. +openssl pkcs12 -export -inkey %KEY_DIR%\%1.key -in %KEY_DIR%\%1.crt -certfile %KEY_DIR%\ca.crt -out %KEY_DIR%\%1.p12 +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/build-key-server.bat b/easy-rsa/Windows/build-key-server.bat new file mode 100644 index 0000000..20e3605 --- /dev/null +++ b/easy-rsa/Windows/build-key-server.bat @@ -0,0 +1,8 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG% +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/build-key.bat b/easy-rsa/Windows/build-key.bat new file mode 100644 index 0000000..c040904 --- /dev/null +++ b/easy-rsa/Windows/build-key.bat @@ -0,0 +1,8 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/clean-all.bat b/easy-rsa/Windows/clean-all.bat new file mode 100644 index 0000000..71cbf4d --- /dev/null +++ b/easy-rsa/Windows/clean-all.bat @@ -0,0 +1,13 @@ +@echo off +rem move to the HOME directory specified in VARS script +cd %HOME% +rem set a temporary KEY_DIR variable +set d=%KEY_DIR% +rem delete the KEY_DIR and any subdirs quietly +rmdir /s /q %d% +rem make a new KEY_DIR +mkdir %d% +rem copy in a fesh index file so we begin with an empty database +copy index.txt.start %d%\index.txt +rem copy in a fresh serial file so we begin generating keys at index 01 +copy serial.start %d%\serial. diff --git a/easy-rsa/Windows/index.txt.start b/easy-rsa/Windows/index.txt.start new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/easy-rsa/Windows/index.txt.start diff --git a/easy-rsa/Windows/init-config.bat b/easy-rsa/Windows/init-config.bat new file mode 100755 index 0000000..048d558 --- /dev/null +++ b/easy-rsa/Windows/init-config.bat @@ -0,0 +1,2 @@ +copy vars.bat.sample vars.bat +copy openssl.cnf.sample openssl.cnf diff --git a/easy-rsa/Windows/revoke-full.bat b/easy-rsa/Windows/revoke-full.bat new file mode 100644 index 0000000..ef2e4b5 --- /dev/null +++ b/easy-rsa/Windows/revoke-full.bat @@ -0,0 +1,13 @@ +@echo off +cd %HOME% +rem revoke cert +openssl ca -revoke %KEY_DIR%\%1.crt -config %KEY_CONFIG% +rem generate new crl +openssl ca -gencrl -out %KEY_DIR%\crl.pem -config %KEY_CONFIG% +rem test revocation +rem first concatinate ca cert with newly generated crl +copy %KEY_DIR%\ca.crt+%KEY_DIR%\crl.pem %KEY_DIR%\revoke_test_file.pem +rem now verify the revocation +openssl verify -CAfile %KEY_DIR%\revoke_test_file.pem -crl_check %KEY_DIR%\%1.crt +rem delete temporary test file +del /q %KEY_DIR%\revoke_test_file.pem diff --git a/easy-rsa/Windows/serial.start b/easy-rsa/Windows/serial.start new file mode 100644 index 0000000..8a0f05e --- /dev/null +++ b/easy-rsa/Windows/serial.start @@ -0,0 +1 @@ +01 diff --git a/easy-rsa/Windows/vars.bat.sample b/easy-rsa/Windows/vars.bat.sample new file mode 100644 index 0000000..8ab65e1 --- /dev/null +++ b/easy-rsa/Windows/vars.bat.sample @@ -0,0 +1,35 @@ +@echo off +rem Edit this variable to point to +rem the openssl.cnf file included +rem with easy-rsa. + +set HOME=%ProgramFiles%\OpenVPN\easy-rsa +set KEY_CONFIG=openssl.cnf + +rem Edit this variable to point to +rem your soon-to-be-created key +rem directory. +rem +rem WARNING: clean-all will do +rem a rm -rf on this directory +rem so make sure you define +rem it correctly! +set KEY_DIR=keys + +rem Increase this to 2048 if you +rem are paranoid. This will slow +rem down TLS negotiation performance +rem as well as the one-time DH parms +rem generation process. +set KEY_SIZE=1024 + +rem These are the default values for fields +rem which will be placed in the certificate. +rem Change these to reflect your site. +rem Don't leave any of these parms blank. + +set KEY_COUNTRY=US +set KEY_PROVINCE=CA +set KEY_CITY=SanFrancisco +set KEY_ORG=FortFunston +set KEY_EMAIL=mail@host.domain diff --git a/easy-rsa/build-ca b/easy-rsa/build-ca new file mode 100755 index 0000000..5ad59cc --- /dev/null +++ b/easy-rsa/build-ca @@ -0,0 +1,13 @@ +#!/bin/sh + +# +# Build a root certificate +# + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \ + chmod 0600 ca.key +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/build-dh b/easy-rsa/build-dh new file mode 100755 index 0000000..6de4baf --- /dev/null +++ b/easy-rsa/build-dh @@ -0,0 +1,12 @@ +#!/bin/sh + +# +# Build Diffie-Hellman parameters for the server side +# of an SSL/TLS connection. +# + +if test $KEY_DIR; then + openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/build-inter b/easy-rsa/build-inter new file mode 100755 index 0000000..8b3a6b2 --- /dev/null +++ b/easy-rsa/build-inter @@ -0,0 +1,19 @@ +#!/bin/sh + +# +# Make an intermediate CA certificate/private key pair using a locally generated +# root certificate. +# + +if test $# -ne 1; then + echo "usage: build-inter <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ + openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/build-key b/easy-rsa/build-key new file mode 100755 index 0000000..3159d2b --- /dev/null +++ b/easy-rsa/build-key @@ -0,0 +1,20 @@ +#!/bin/sh + +# +# Make a certificate/private key pair using a locally generated +# root certificate. +# + +if test $# -ne 1; then + echo "usage: build-key <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ + chmod 0600 $1.key +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/build-key-pass b/easy-rsa/build-key-pass new file mode 100755 index 0000000..03ab304 --- /dev/null +++ b/easy-rsa/build-key-pass @@ -0,0 +1,20 @@ +#!/bin/sh + +# +# Similar to build-key, but protect the private key +# with a password. +# + +if test $# -ne 1; then + echo "usage: build-key-pass <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ + chmod 0600 $1.key +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/build-key-pkcs12 b/easy-rsa/build-key-pkcs12 new file mode 100755 index 0000000..f8a057b --- /dev/null +++ b/easy-rsa/build-key-pkcs12 @@ -0,0 +1,21 @@ +#!/bin/sh + +# +# Make a certificate/private key pair using a locally generated +# root certificate and convert it to a PKCS #12 file including the +# the CA certificate as well. + +if test $# -ne 1; then + echo "usage: build-key-pkcs12 <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ + openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \ + chmod 0600 $1.key $1.p12 +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/build-key-server b/easy-rsa/build-key-server new file mode 100755 index 0000000..30dc41e --- /dev/null +++ b/easy-rsa/build-key-server @@ -0,0 +1,22 @@ +#!/bin/sh + +# +# Make a certificate/private key pair using a locally generated +# root certificate. +# +# Explicitly set nsCertType to server using the "server" +# extension in the openssl.cnf file. + +if test $# -ne 1; then + echo "usage: build-key-server <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \ + chmod 0600 $1.key +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/build-req b/easy-rsa/build-req new file mode 100755 index 0000000..30f62f5 --- /dev/null +++ b/easy-rsa/build-req @@ -0,0 +1,18 @@ +#!/bin/sh + +# +# Build a certificate signing request and private key. Use this +# when your root certificate and key is not available locally. +# + +if test $# -ne 1; then + echo "usage: build-req <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/build-req-pass b/easy-rsa/build-req-pass new file mode 100755 index 0000000..829b286 --- /dev/null +++ b/easy-rsa/build-req-pass @@ -0,0 +1,18 @@ +#!/bin/sh + +# +# Like build-req, but protect your private key +# with a password. +# + +if test $# -ne 1; then + echo "usage: build-req-pass <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/clean-all b/easy-rsa/clean-all new file mode 100755 index 0000000..d10aef5 --- /dev/null +++ b/easy-rsa/clean-all @@ -0,0 +1,19 @@ +#!/bin/sh + +# +# Initialize the $KEY_DIR directory. +# Note that this script does a +# rm -rf on $KEY_DIR so be careful! +# + +d=$KEY_DIR + +if test $d; then + rm -rf $d + mkdir $d && \ + chmod go-rwx $d && \ + touch $d/index.txt && \ + echo 01 >$d/serial +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/list-crl b/easy-rsa/list-crl new file mode 100644 index 0000000..b214dbd --- /dev/null +++ b/easy-rsa/list-crl @@ -0,0 +1,18 @@ +#!/bin/sh + +# +# list revoked certificates +# +# + +if test $# -ne 1; then + echo "usage: list-crl <crlfile.pem>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl crl -text -noout -in $1 +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/make-crl b/easy-rsa/make-crl new file mode 100644 index 0000000..62fe6c1 --- /dev/null +++ b/easy-rsa/make-crl @@ -0,0 +1,18 @@ +#!/bin/sh + +# +# generate a CRL +# +# + +if test $# -ne 1; then + echo "usage: make-crl <crlfile.pem>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl ca -gencrl -out $1 -config $KEY_CONFIG +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/openssl.cnf b/easy-rsa/openssl.cnf new file mode 100644 index 0000000..270b069 --- /dev/null +++ b/easy-rsa/openssl.cnf @@ -0,0 +1,255 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = md5 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/easy-rsa/revoke-crt b/easy-rsa/revoke-crt new file mode 100644 index 0000000..35b071a --- /dev/null +++ b/easy-rsa/revoke-crt @@ -0,0 +1,18 @@ +#!/bin/sh + +# +# revoke a certificate +# +# + +if test $# -ne 1; then + echo "usage: revoke-crt <file.crt>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl ca -revoke $1 -config $KEY_CONFIG +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/revoke-full b/easy-rsa/revoke-full new file mode 100755 index 0000000..66ea03f --- /dev/null +++ b/easy-rsa/revoke-full @@ -0,0 +1,29 @@ +#!/bin/sh + +# revoke a certificate, regenerate CRL, +# and verify revocation + +CRL=crl.pem +RT=revoke-test.pem + +if test $# -ne 1; then + echo "usage: revoke-full <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR + rm -f $RT + + # revoke key and generate a new CRL + openssl ca -revoke $1.crt -config $KEY_CONFIG + + # generate a new CRL + openssl ca -gencrl -out $CRL -config $KEY_CONFIG + cat ca.crt $CRL >$RT + + # verify the revocation + openssl verify -CAfile $RT -crl_check $1.crt +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/sign-req b/easy-rsa/sign-req new file mode 100755 index 0000000..59edc42 --- /dev/null +++ b/easy-rsa/sign-req @@ -0,0 +1,18 @@ +#!/bin/sh + +# +# Sign a certificate signing request (a .csr file) +# with a local root certificate and key. +# + +if test $# -ne 1; then + echo "usage: sign-req <name>"; + exit 1 +fi + +if test $KEY_DIR; then + cd $KEY_DIR && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG +else + echo you must define KEY_DIR +fi diff --git a/easy-rsa/vars b/easy-rsa/vars new file mode 100644 index 0000000..da89cd2 --- /dev/null +++ b/easy-rsa/vars @@ -0,0 +1,49 @@ +# easy-rsa parameter settings + +# NOTE: If you installed from an RPM, +# don't edit this file in place in +# /usr/share/openvpn/easy-rsa -- +# instead, you should copy the whole +# easy-rsa directory to another location +# (such as /etc/openvpn) so that your +# edits will not be wiped out by a future +# OpenVPN package upgrade. + +# This variable should point to +# the top level of the easy-rsa +# tree. +export D=`pwd` + +# This variable should point to +# the openssl.cnf file included +# with easy-rsa. +export KEY_CONFIG=$D/openssl.cnf + +# Edit this variable to point to +# your soon-to-be-created key +# directory. +# +# WARNING: clean-all will do +# a rm -rf on this directory +# so make sure you define +# it correctly! +export KEY_DIR=$D/keys + +# Issue rm -rf warning +echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR + +# Increase this to 2048 if you +# are paranoid. This will slow +# down TLS negotiation performance +# as well as the one-time DH parms +# generation process. +export KEY_SIZE=1024 + +# These are the default values for fields +# which will be placed in the certificate. +# Don't leave any of these fields blank. +export KEY_COUNTRY=KG +export KEY_PROVINCE=NA +export KEY_CITY=BISHKEK +export KEY_ORG="OpenVPN-TEST" +export KEY_EMAIL="me@myhost.mydomain" |