From 8810c26cc5782addcf1f0a40212a7d1ebe827e6f Mon Sep 17 00:00:00 2001 From: james Date: Wed, 2 Nov 2005 18:09:01 +0000 Subject: Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to be compatible with 2.0.x distribution. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@757 e7ae566f-a301-0410-adde-c780ea21d3b5 --- easy-rsa/2.0/README | 168 +++++++++++++++++++++++++++ easy-rsa/2.0/build-ca | 8 ++ easy-rsa/2.0/build-dh | 11 ++ easy-rsa/2.0/build-inter | 7 ++ easy-rsa/2.0/build-key | 7 ++ easy-rsa/2.0/build-key-pass | 7 ++ easy-rsa/2.0/build-key-pkcs12 | 8 ++ easy-rsa/2.0/build-key-server | 10 ++ easy-rsa/2.0/build-req | 7 ++ easy-rsa/2.0/build-req-pass | 7 ++ easy-rsa/2.0/clean-all | 16 +++ easy-rsa/2.0/inherit-inter | 39 +++++++ easy-rsa/2.0/list-crl | 13 +++ easy-rsa/2.0/openssl.cnf | 261 ++++++++++++++++++++++++++++++++++++++++++ easy-rsa/2.0/pkitool | 233 +++++++++++++++++++++++++++++++++++++ easy-rsa/2.0/revoke-full | 39 +++++++ easy-rsa/2.0/sign-req | 7 ++ easy-rsa/2.0/vars | 55 +++++++++ easy-rsa/README | 168 --------------------------- easy-rsa/build-ca | 8 -- easy-rsa/build-dh | 11 -- easy-rsa/build-inter | 7 -- easy-rsa/build-key | 7 -- easy-rsa/build-key-pass | 7 -- easy-rsa/build-key-pkcs12 | 8 -- easy-rsa/build-key-server | 10 -- easy-rsa/build-req | 7 -- easy-rsa/build-req-pass | 7 -- easy-rsa/clean-all | 16 --- easy-rsa/inherit-inter | 39 ------- easy-rsa/list-crl | 13 --- easy-rsa/openssl.cnf | 261 ------------------------------------------ easy-rsa/pkitool | 233 ------------------------------------- easy-rsa/revoke-full | 39 ------- easy-rsa/sign-req | 7 -- easy-rsa/vars | 55 --------- 36 files changed, 903 insertions(+), 903 deletions(-) create mode 100644 easy-rsa/2.0/README create mode 100755 easy-rsa/2.0/build-ca create mode 100755 easy-rsa/2.0/build-dh create mode 100755 easy-rsa/2.0/build-inter create mode 100755 easy-rsa/2.0/build-key create mode 100755 easy-rsa/2.0/build-key-pass create mode 100755 easy-rsa/2.0/build-key-pkcs12 create mode 100755 easy-rsa/2.0/build-key-server create mode 100755 easy-rsa/2.0/build-req create mode 100755 easy-rsa/2.0/build-req-pass create mode 100755 easy-rsa/2.0/clean-all create mode 100755 easy-rsa/2.0/inherit-inter create mode 100755 easy-rsa/2.0/list-crl create mode 100755 easy-rsa/2.0/openssl.cnf create mode 100755 easy-rsa/2.0/pkitool create mode 100755 easy-rsa/2.0/revoke-full create mode 100755 easy-rsa/2.0/sign-req create mode 100755 easy-rsa/2.0/vars delete mode 100644 easy-rsa/README delete mode 100755 easy-rsa/build-ca delete mode 100755 easy-rsa/build-dh delete mode 100755 easy-rsa/build-inter delete mode 100755 easy-rsa/build-key delete mode 100755 easy-rsa/build-key-pass delete mode 100755 easy-rsa/build-key-pkcs12 delete mode 100755 easy-rsa/build-key-server delete mode 100755 easy-rsa/build-req delete mode 100755 easy-rsa/build-req-pass delete mode 100755 easy-rsa/clean-all delete mode 100755 easy-rsa/inherit-inter delete mode 100755 easy-rsa/list-crl delete mode 100755 easy-rsa/openssl.cnf delete mode 100755 easy-rsa/pkitool delete mode 100755 easy-rsa/revoke-full delete mode 100755 easy-rsa/sign-req delete mode 100755 easy-rsa/vars diff --git a/easy-rsa/2.0/README b/easy-rsa/2.0/README new file mode 100644 index 0000000..02800c2 --- /dev/null +++ b/easy-rsa/2.0/README @@ -0,0 +1,168 @@ +EASY-RSA Version 2.0-rc1 + +This is a small RSA key management package, based on the openssl +command line tool, that can be found in the easy-rsa subdirectory +of the OpenVPN distribution. + +These are reference notes. For step-by-step instructions, see the +HOWTO: + +http://openvpn.net/howto.html + +This package is based on the ./pkitool script. Run ./pkitool +without arguments for a detailed help message (which is also pasted +below). + +Release Notes for easy-rsa-2.0 + +* Most functionality has been consolidated into the pkitool + script. For compatibility, all previous scripts from 1.0 such + as build-key and build-key-server are provided as stubs + which call pkitool to do the real work. + +* pkitool has a --batch flag (enabled by default) which generates + keys/certs without needing any interactive input. pkitool + can still generate certs/keys using interactive prompting by + using the --interact flag. + +* The inherit-inter script has been provided for creating + a new PKI rooted on an intermediate certificate built within a + higher-level PKI. See comments in the inherit-inter script + for more info. + +* The openssl.cnf file has been modified. pkitool will not + work with the openssl.cnf file included with previous + easy-rsa releases. + +* The vars file has been modified -- the following extra + variables have been added: EASY_RSA, CA_EXPIRE, + KEY_EXPIRE. + +* The make-crl and revoke-crt scripts have been removed and + are replaced by the revoke-full script. + +* The "Organizational Unit" X509 field can be set using + the KEY_OU environmental variable before calling pkitool. + +* This release only affects the Linux/Unix version of easy-rsa. + The Windows version (written to use the Windows shell) is unchanged. + +INSTALL easy-rsa + +1. Edit vars. +2. Set KEY_CONFIG to point to the openssl.cnf file + included in this distribution. +3. Set KEY_DIR to point to a directory which will + contain all keys, certificates, etc. This + directory need not exist, and if it does, + it will be deleted with rm -rf, so BE + CAREFUL how you set KEY_DIR. +4. (Optional) Edit other fields in vars + per your site data. You may want to + increase KEY_SIZE to 2048 if you are + paranoid and don't mind slower key + processing, but certainly 1024 is + fine for testing purposes. KEY_SIZE + must be compatible across both peers + participating in a secure SSL/TLS + connection. +5 . vars +6. ./clean-all +7. As you create certificates, keys, and + certificate signing requests, understand that + only .key files should be kept confidential. + .crt and .csr files can be sent over insecure + channels such as plaintext email. + +IMPORTANT + +To avoid a possible Man-in-the-Middle attack where an authorized +client tries to connect to another client by impersonating the +server, make sure to enforce some kind of server certificate +verification by clients. There are currently four different ways +of accomplishing this, listed in the order of preference: + +(1) Build your server certificates with the build-key-server + script, or using the --server option to pkitool. + This will designate the certificate as a + server-only certificate by setting nsCertType=server. + Now add the following line to your client configuration: + + ns-cert-type server + + This will block clients from connecting to any + server which lacks the nsCertType=server designation + in its certificate, even if the certificate has been + signed by the CA which is cited in the OpenVPN configuration + file (--ca directive). + +(2) Use the --tls-remote directive on the client to + accept/reject the server connection based on the common + name of the server certificate. + +(3) Use a --tls-verify script or plugin to accept/reject the + server connection based on a custom test of the server + certificate's embedded X509 subject details. + +(4) Sign server certificates with one CA and client certificates + with a different CA. The client config "ca" directive should + reference the server-signing CA while the server config "ca" + directive should reference the client-signing CA. + +NOTES + +Show certificate fields: + openssl x509 -in cert.crt -text + +PKITOOL documentation + +pkitool 2.0 +Usage: pkitool [options...] [common-name] +Options: + --batch : batch mode (default) + --interact : interactive mode + --server : build server cert + --initca : build root CA + --inter : build intermediate CA + --pass : encrypt private key with password + --csr : only generate a CSR, do not sign + --sign : sign an existing CSR + --pkcs12 : generate a combined pkcs12 file +Notes: + Please edit the vars script to reflect your configuration, + then source it with "source ./vars". + Next, to start with a fresh PKI configuration and to delete any + previous certificates and keys, run "./clean-all". + Finally, you can run this tool (pkitool) to build certificates/keys. +Generated files and corresponding OpenVPN directives: +(Files will be placed in the $KEY_DIR directory, defined in ./vars) + ca.crt -> root certificate (--ca) + ca.key -> root key, keep secure (not directly used by OpenVPN) + .crt files -> client/server certificates (--cert) + .key files -> private keys, keep secure (--key) + .csr files -> certificate signing request (not directly used by OpenVPN) + dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) +Examples: + pkitool --initca -> Build root certificate + pkitool --initca --pass -> Build root certificate with password-protected key + pkitool --server server1 -> Build "server1" certificate/key + pkitool client1 -> Build "client1" certificate/key + pkitool --pass client2 -> Build password-protected "client2" certificate/key + pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS #12 format + pkitool --csr client4 -> Build "client4" CSR to be signed by another CA + pkitool --sign client4 -> Sign "client4" CSR + pkitool --inter interca -> Build an intermediate key-signing certificate/key + Also see ./inherit-inter script. +Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. +Protect client2 key with a password. Build DH parms. Generated files in ./keys : + [edit vars with your site-specific info] + source ./vars + ./clean-all + ./build-dh -> takes a long time, consider backgrounding + ./pkitool --initca + ./pkitool --server myserver + ./pkitool client1 + ./pkitool --pass client2 +Typical usage for adding client cert to existing PKI: + source ./vars + ./pkitool client-new diff --git a/easy-rsa/2.0/build-ca b/easy-rsa/2.0/build-ca new file mode 100755 index 0000000..fb1e2ca --- /dev/null +++ b/easy-rsa/2.0/build-ca @@ -0,0 +1,8 @@ +#!/bin/bash + +# +# Build a root certificate +# + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --initca $* diff --git a/easy-rsa/2.0/build-dh b/easy-rsa/2.0/build-dh new file mode 100755 index 0000000..ec7a805 --- /dev/null +++ b/easy-rsa/2.0/build-dh @@ -0,0 +1,11 @@ +#!/bin/bash + +# Build Diffie-Hellman parameters for the server side +# of an SSL/TLS connection. + +if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then + openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa/2.0/build-inter b/easy-rsa/2.0/build-inter new file mode 100755 index 0000000..f831d6f --- /dev/null +++ b/easy-rsa/2.0/build-inter @@ -0,0 +1,7 @@ +#!/bin/bash + +# Make an intermediate CA certificate/private key pair using a locally generated +# root certificate. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --inter $* diff --git a/easy-rsa/2.0/build-key b/easy-rsa/2.0/build-key new file mode 100755 index 0000000..6196308 --- /dev/null +++ b/easy-rsa/2.0/build-key @@ -0,0 +1,7 @@ +#!/bin/bash + +# Make a certificate/private key pair using a locally generated +# root certificate. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact $* diff --git a/easy-rsa/2.0/build-key-pass b/easy-rsa/2.0/build-key-pass new file mode 100755 index 0000000..35543e0 --- /dev/null +++ b/easy-rsa/2.0/build-key-pass @@ -0,0 +1,7 @@ +#!/bin/bash + +# Similar to build-key, but protect the private key +# with a password. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --pass $* diff --git a/easy-rsa/2.0/build-key-pkcs12 b/easy-rsa/2.0/build-key-pkcs12 new file mode 100755 index 0000000..5ef064f --- /dev/null +++ b/easy-rsa/2.0/build-key-pkcs12 @@ -0,0 +1,8 @@ +#!/bin/bash + +# Make a certificate/private key pair using a locally generated +# root certificate and convert it to a PKCS #12 file including the +# the CA certificate as well. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --pkcs12 $* diff --git a/easy-rsa/2.0/build-key-server b/easy-rsa/2.0/build-key-server new file mode 100755 index 0000000..5502675 --- /dev/null +++ b/easy-rsa/2.0/build-key-server @@ -0,0 +1,10 @@ +#!/bin/bash + +# Make a certificate/private key pair using a locally generated +# root certificate. +# +# Explicitly set nsCertType to server using the "server" +# extension in the openssl.cnf file. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --server $* diff --git a/easy-rsa/2.0/build-req b/easy-rsa/2.0/build-req new file mode 100755 index 0000000..26587d1 --- /dev/null +++ b/easy-rsa/2.0/build-req @@ -0,0 +1,7 @@ +#!/bin/bash + +# Build a certificate signing request and private key. Use this +# when your root certificate and key is not available locally. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --csr $* diff --git a/easy-rsa/2.0/build-req-pass b/easy-rsa/2.0/build-req-pass new file mode 100755 index 0000000..6e6c863 --- /dev/null +++ b/easy-rsa/2.0/build-req-pass @@ -0,0 +1,7 @@ +#!/bin/bash + +# Like build-req, but protect your private key +# with a password. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --csr --pass $* diff --git a/easy-rsa/2.0/clean-all b/easy-rsa/2.0/clean-all new file mode 100755 index 0000000..0576db5 --- /dev/null +++ b/easy-rsa/2.0/clean-all @@ -0,0 +1,16 @@ +#!/bin/bash + +# Initialize the $KEY_DIR directory. +# Note that this script does a +# rm -rf on $KEY_DIR so be careful! + +if [ "$KEY_DIR" ]; then + rm -rf "$KEY_DIR" + mkdir "$KEY_DIR" && \ + chmod go-rwx "$KEY_DIR" && \ + touch "$KEY_DIR/index.txt" && \ + echo 01 >"$KEY_DIR/serial" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa/2.0/inherit-inter b/easy-rsa/2.0/inherit-inter new file mode 100755 index 0000000..2101951 --- /dev/null +++ b/easy-rsa/2.0/inherit-inter @@ -0,0 +1,39 @@ +#!/bin/bash + +# Build a new PKI which is rooted on an intermediate certificate generated +# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should +# have independent vars settings, and must use a different KEY_DIR directory +# from the parent. This tool can be used to generate arbitrary depth +# certificate chains. +# +# To build an intermediate CA, follow the same steps for a regular PKI but +# replace ./build-key or ./pkitool --initca with this script. + +# The EXPORT_CA file will contain the CA certificate chain and should be +# referenced by the OpenVPN "ca" directive in config files. The ca.crt file +# will only contain the local intermediate CA -- it's needed by the easy-rsa +# scripts but not by OpenVPN directly. +EXPORT_CA="export-ca.crt" + +if [ $# -ne 2 ]; then + echo "usage: $0 " + echo "parent-key-dir: the KEY_DIR directory of the parent PKI" + echo "common-name: the common name of the intermediate certificate in the parent PKI" + exit 1; +fi + +if [ "$KEY_DIR" ]; then + cp "$1/$2.crt" "$KEY_DIR/ca.crt" + cp "$1/$2.key" "$KEY_DIR/ca.key" + + if [ -e "$1/$EXPORT_CA" ]; then + PARENT_CA="$1/$EXPORT_CA" + else + PARENT_CA="$1/ca.crt" + fi + cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" + cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa/2.0/list-crl b/easy-rsa/2.0/list-crl new file mode 100755 index 0000000..7736fa8 --- /dev/null +++ b/easy-rsa/2.0/list-crl @@ -0,0 +1,13 @@ +#!/bin/bash + +# list revoked certificates + +CRL="${1:-crl.pem}" + +if [ "$KEY_DIR" ]; then + cd "$KEY_DIR" && \ + openssl crl -text -noout -in "$CRL" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa/2.0/openssl.cnf b/easy-rsa/2.0/openssl.cnf new file mode 100755 index 0000000..7fedebe --- /dev/null +++ b/easy-rsa/2.0/openssl.cnf @@ -0,0 +1,261 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = md5 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/easy-rsa/2.0/pkitool b/easy-rsa/2.0/pkitool new file mode 100755 index 0000000..2d2d764 --- /dev/null +++ b/easy-rsa/2.0/pkitool @@ -0,0 +1,233 @@ +#!/bin/sh + +# OpenVPN -- An application to securely tunnel IP networks +# over a single TCP/UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2005 OpenVPN Solutions LLC +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program (see the file COPYING included with this +# distribution); if not, write to the Free Software Foundation, Inc., +# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# pkitool is a front-end for the openssl tool. + +# Calling scripts can set the certificate organizational +# unit with the KEY_OU environmental variable. + +PROGNAME=pkitool +VERSION=2.0 +DEBUG=0 + +GREP=grep +OPENSSL=openssl + +need_vars() +{ + echo ' Please edit the vars script to reflect your configuration,' + echo ' then source it with "source ./vars".' + echo ' Next, to start with a fresh PKI configuration and to delete any' + echo ' previous certificates and keys, run "./clean-all".' + echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys." +} + +usage() +{ + echo "$PROGNAME $VERSION" + echo "Usage: $PROGNAME [options...] [common-name]" + echo "Options:" + echo " --batch : batch mode (default)" + echo " --interact : interactive mode" + echo " --server : build server cert" + echo " --initca : build root CA" + echo " --inter : build intermediate CA" + echo " --pass : encrypt private key with password" + echo " --csr : only generate a CSR, do not sign" + echo " --sign : sign an existing CSR" + echo " --pkcs12 : generate a combined pkcs12 file" + echo "Notes:" + need_vars + echo "Generated files and corresponding OpenVPN directives:" + echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)' + echo " ca.crt -> root certificate (--ca)" + echo " ca.key -> root key, keep secure (not directly used by OpenVPN)" + echo " .crt files -> client/server certificates (--cert)" + echo " .key files -> private keys, keep secure (--key)" + echo " .csr files -> certificate signing request (not directly used by OpenVPN)" + echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)" + echo "Examples:" + echo " $PROGNAME --initca -> Build root certificate" + echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key" + echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" + echo " $PROGNAME client1 -> Build \"client1\" certificate/key" + echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" + echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS #12 format" + echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" + echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" + echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" + echo " Also see ./inherit-inter script." + echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." + echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :" + echo " [edit vars with your site-specific info]" + echo " source ./vars" + echo " ./clean-all" + echo " ./build-dh -> takes a long time, consider backgrounding" + echo " ./$PROGNAME --initca" + echo " ./$PROGNAME --server myserver" + echo " ./$PROGNAME client1" + echo " ./$PROGNAME --pass client2" + echo "Typical usage for adding client cert to existing PKI:" + echo " source ./vars" + echo " ./$PROGNAME client-new" +} + +# Set defaults +DO_REQ="1" +REQ_EXT="" +DO_CA="1" +CA_EXT="" +DO_P12="0" +DO_ROOT="0" +NODES_REQ="-nodes" +NODES_P12="" +BATCH="-batch" +CA="ca" + +# Process options +while [ $# -gt 0 ]; do + case "$1" in + --server ) REQ_EXT="$REQ_EXT -extensions server" + CA_EXT="$CA_EXT -extensions server" ;; + --batch ) BATCH="-batch" ;; + --interact ) BATCH="" ;; + --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; + --initca ) DO_ROOT="1" ;; + --pass ) NODES_REQ="" ;; + --csr ) DO_CA="0" ;; + --sign ) DO_REQ="0" ;; + --pkcs12 ) DO_P12="1" ;; + --* ) echo "$PROGNAME: unknown option: $1" + exit 1 ;; + * ) break ;; + esac + shift +done + +# If we are generating pkcs12, only encrypt the final step +if [ $DO_P12 -eq 1 ]; then + NODES_P12="$NODES_REQ" + NODES_REQ="-nodes" +fi + +# If undefined, set default key expiration intervals +if [ -z "$KEY_EXPIRE" ]; then + KEY_EXPIRE=3650 +fi +if [ -z "$CA_EXPIRE" ]; then + CA_EXPIRE=3650 +fi + +# Set organizational unit to empty string if undefined +if [ -z "$KEY_OU" ]; then + KEY_OU="" +fi + +# Set KEY_CN +if [ $DO_ROOT -eq 1 ]; then + if [ -z "$KEY_CN" ]; then + if [ "$1" ]; then + KEY_CN="$1" + elif [ "$KEY_ORG" ]; then + KEY_CN="$KEY_ORG CA" + fi + fi + if [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using CA Common Name:" $KEY_CN + fi +elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then + echo "Using Common Name:" $KEY_CN +else + if [ $# -ne 1 ]; then + usage + exit 1 + else + KEY_CN="$1" + fi +fi +export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN + +# Show parameters (debugging) +if [ $DEBUG -eq 1 ]; then + echo DO_REQ $DO_REQ + echo REQ_EXT $REQ_EXT + echo DO_CA $DO_CA + echo CA_EXT $CA_EXT + echo NODES_REQ $NODES_REQ + echo NODES_P12 $NODES_P12 + echo DO_P12 $DO_P12 + echo KEY_CN $KEY_CN + echo BATCH $BATCH + echo DO_ROOT $DO_ROOT + echo KEY_EXPIRE $KEY_EXPIRE + echo CA_EXPIRE $CA_EXPIRE + echo KEY_OU $KEY_OU +fi + +# Make sure ./vars was sourced beforehand +if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then + cd "$KEY_DIR" + + # Make sure $KEY_CONFIG points to the correct version + # of openssl.cnf + if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then + : + else + echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" + echo "version of openssl.cnf: $KEY_CONFIG" + echo "The correct version should have a comment that says: easy-rsa version 2.x"; + exit 1; + fi + + # Build root CA + if [ $DO_ROOT -eq 1 ]; then + $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \ + -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + chmod 0600 "$CA.key" + else + # Make sure CA key/cert is available + if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then + if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then + echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" + echo "Try $PROGNAME --initca to build a root certificate/key." + exit 1 + fi + fi + + # Build cert/key + ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \ + -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \ + -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \ + -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \ + ( [ $DO_CA -eq 0 ] || chmod 0600 "$KEY_CN.key" ) && \ + ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" ) + + fi + +# Need definitions +else + need_vars +fi diff --git a/easy-rsa/2.0/revoke-full b/easy-rsa/2.0/revoke-full new file mode 100755 index 0000000..9dc9b1e --- /dev/null +++ b/easy-rsa/2.0/revoke-full @@ -0,0 +1,39 @@ +#!/bin/bash + +# revoke a certificate, regenerate CRL, +# and verify revocation + +CRL="crl.pem" +RT="revoke-test.pem" + +if [ $# -ne 1 ]; then + echo "usage: revoke-full "; + exit 1 +fi + +if [ "$KEY_DIR" ]; then + cd "$KEY_DIR" + rm -f "$RT" + + # set defaults + export KEY_CN="" + export KEY_OU="" + + # revoke key and generate a new CRL + openssl ca -revoke "$1.crt" -config "$KEY_CONFIG" + + # generate a new CRL -- try to be compatible with + # intermediate PKIs + openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG" + if [ -e export-ca.crt ]; then + cat export-ca.crt "$CRL" >"$RT" + else + cat ca.crt "$CRL" >"$RT" + fi + + # verify the revocation + openssl verify -CAfile "$RT" -crl_check "$1.crt" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa/2.0/sign-req b/easy-rsa/2.0/sign-req new file mode 100755 index 0000000..38655d3 --- /dev/null +++ b/easy-rsa/2.0/sign-req @@ -0,0 +1,7 @@ +#!/bin/bash + +# Sign a certificate signing request (a .csr file) +# with a local root certificate and key. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --sign $* diff --git a/easy-rsa/2.0/vars b/easy-rsa/2.0/vars new file mode 100755 index 0000000..a4bd149 --- /dev/null +++ b/easy-rsa/2.0/vars @@ -0,0 +1,55 @@ +# easy-rsa parameter settings + +# NOTE: If you installed from an RPM, +# don't edit this file in place in +# /usr/share/openvpn/easy-rsa -- +# instead, you should copy the whole +# easy-rsa directory to another location +# (such as /etc/openvpn) so that your +# edits will not be wiped out by a future +# OpenVPN package upgrade. + +# This variable should point to +# the top level of the easy-rsa +# tree. +export EASY_RSA="`pwd`" + +# This variable should point to +# the openssl.cnf file included +# with easy-rsa. +export KEY_CONFIG="$EASY_RSA/openssl.cnf" + +# Edit this variable to point to +# your soon-to-be-created key +# directory. +# +# WARNING: clean-all will do +# a rm -rf on this directory +# so make sure you define +# it correctly! +export KEY_DIR="$EASY_RSA/keys" + +# Issue rm -rf warning +echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR + +# Increase this to 2048 if you +# are paranoid. This will slow +# down TLS negotiation performance +# as well as the one-time DH parms +# generation process. +export KEY_SIZE=1024 + +# In how many days should the root CA key expire? +export CA_EXPIRE=3650 + +# In how many days should certificates expire? +export KEY_EXPIRE=3650 + +# These are the default values for fields +# which will be placed in the certificate. +# Don't leave any of these fields blank. +export KEY_COUNTRY="US" +export KEY_PROVINCE="CA" +export KEY_CITY="SanFrancisco" +export KEY_ORG="Fort-Funston" +export KEY_EMAIL="me@myhost.mydomain" diff --git a/easy-rsa/README b/easy-rsa/README deleted file mode 100644 index 02800c2..0000000 --- a/easy-rsa/README +++ /dev/null @@ -1,168 +0,0 @@ -EASY-RSA Version 2.0-rc1 - -This is a small RSA key management package, based on the openssl -command line tool, that can be found in the easy-rsa subdirectory -of the OpenVPN distribution. - -These are reference notes. For step-by-step instructions, see the -HOWTO: - -http://openvpn.net/howto.html - -This package is based on the ./pkitool script. Run ./pkitool -without arguments for a detailed help message (which is also pasted -below). - -Release Notes for easy-rsa-2.0 - -* Most functionality has been consolidated into the pkitool - script. For compatibility, all previous scripts from 1.0 such - as build-key and build-key-server are provided as stubs - which call pkitool to do the real work. - -* pkitool has a --batch flag (enabled by default) which generates - keys/certs without needing any interactive input. pkitool - can still generate certs/keys using interactive prompting by - using the --interact flag. - -* The inherit-inter script has been provided for creating - a new PKI rooted on an intermediate certificate built within a - higher-level PKI. See comments in the inherit-inter script - for more info. - -* The openssl.cnf file has been modified. pkitool will not - work with the openssl.cnf file included with previous - easy-rsa releases. - -* The vars file has been modified -- the following extra - variables have been added: EASY_RSA, CA_EXPIRE, - KEY_EXPIRE. - -* The make-crl and revoke-crt scripts have been removed and - are replaced by the revoke-full script. - -* The "Organizational Unit" X509 field can be set using - the KEY_OU environmental variable before calling pkitool. - -* This release only affects the Linux/Unix version of easy-rsa. - The Windows version (written to use the Windows shell) is unchanged. - -INSTALL easy-rsa - -1. Edit vars. -2. Set KEY_CONFIG to point to the openssl.cnf file - included in this distribution. -3. Set KEY_DIR to point to a directory which will - contain all keys, certificates, etc. This - directory need not exist, and if it does, - it will be deleted with rm -rf, so BE - CAREFUL how you set KEY_DIR. -4. (Optional) Edit other fields in vars - per your site data. You may want to - increase KEY_SIZE to 2048 if you are - paranoid and don't mind slower key - processing, but certainly 1024 is - fine for testing purposes. KEY_SIZE - must be compatible across both peers - participating in a secure SSL/TLS - connection. -5 . vars -6. ./clean-all -7. As you create certificates, keys, and - certificate signing requests, understand that - only .key files should be kept confidential. - .crt and .csr files can be sent over insecure - channels such as plaintext email. - -IMPORTANT - -To avoid a possible Man-in-the-Middle attack where an authorized -client tries to connect to another client by impersonating the -server, make sure to enforce some kind of server certificate -verification by clients. There are currently four different ways -of accomplishing this, listed in the order of preference: - -(1) Build your server certificates with the build-key-server - script, or using the --server option to pkitool. - This will designate the certificate as a - server-only certificate by setting nsCertType=server. - Now add the following line to your client configuration: - - ns-cert-type server - - This will block clients from connecting to any - server which lacks the nsCertType=server designation - in its certificate, even if the certificate has been - signed by the CA which is cited in the OpenVPN configuration - file (--ca directive). - -(2) Use the --tls-remote directive on the client to - accept/reject the server connection based on the common - name of the server certificate. - -(3) Use a --tls-verify script or plugin to accept/reject the - server connection based on a custom test of the server - certificate's embedded X509 subject details. - -(4) Sign server certificates with one CA and client certificates - with a different CA. The client config "ca" directive should - reference the server-signing CA while the server config "ca" - directive should reference the client-signing CA. - -NOTES - -Show certificate fields: - openssl x509 -in cert.crt -text - -PKITOOL documentation - -pkitool 2.0 -Usage: pkitool [options...] [common-name] -Options: - --batch : batch mode (default) - --interact : interactive mode - --server : build server cert - --initca : build root CA - --inter : build intermediate CA - --pass : encrypt private key with password - --csr : only generate a CSR, do not sign - --sign : sign an existing CSR - --pkcs12 : generate a combined pkcs12 file -Notes: - Please edit the vars script to reflect your configuration, - then source it with "source ./vars". - Next, to start with a fresh PKI configuration and to delete any - previous certificates and keys, run "./clean-all". - Finally, you can run this tool (pkitool) to build certificates/keys. -Generated files and corresponding OpenVPN directives: -(Files will be placed in the $KEY_DIR directory, defined in ./vars) - ca.crt -> root certificate (--ca) - ca.key -> root key, keep secure (not directly used by OpenVPN) - .crt files -> client/server certificates (--cert) - .key files -> private keys, keep secure (--key) - .csr files -> certificate signing request (not directly used by OpenVPN) - dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) -Examples: - pkitool --initca -> Build root certificate - pkitool --initca --pass -> Build root certificate with password-protected key - pkitool --server server1 -> Build "server1" certificate/key - pkitool client1 -> Build "client1" certificate/key - pkitool --pass client2 -> Build password-protected "client2" certificate/key - pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS #12 format - pkitool --csr client4 -> Build "client4" CSR to be signed by another CA - pkitool --sign client4 -> Sign "client4" CSR - pkitool --inter interca -> Build an intermediate key-signing certificate/key - Also see ./inherit-inter script. -Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. -Protect client2 key with a password. Build DH parms. Generated files in ./keys : - [edit vars with your site-specific info] - source ./vars - ./clean-all - ./build-dh -> takes a long time, consider backgrounding - ./pkitool --initca - ./pkitool --server myserver - ./pkitool client1 - ./pkitool --pass client2 -Typical usage for adding client cert to existing PKI: - source ./vars - ./pkitool client-new diff --git a/easy-rsa/build-ca b/easy-rsa/build-ca deleted file mode 100755 index fb1e2ca..0000000 --- a/easy-rsa/build-ca +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -# -# Build a root certificate -# - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --initca $* diff --git a/easy-rsa/build-dh b/easy-rsa/build-dh deleted file mode 100755 index ec7a805..0000000 --- a/easy-rsa/build-dh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -# Build Diffie-Hellman parameters for the server side -# of an SSL/TLS connection. - -if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then - openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/easy-rsa/build-inter b/easy-rsa/build-inter deleted file mode 100755 index f831d6f..0000000 --- a/easy-rsa/build-inter +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Make an intermediate CA certificate/private key pair using a locally generated -# root certificate. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --inter $* diff --git a/easy-rsa/build-key b/easy-rsa/build-key deleted file mode 100755 index 6196308..0000000 --- a/easy-rsa/build-key +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Make a certificate/private key pair using a locally generated -# root certificate. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact $* diff --git a/easy-rsa/build-key-pass b/easy-rsa/build-key-pass deleted file mode 100755 index 35543e0..0000000 --- a/easy-rsa/build-key-pass +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Similar to build-key, but protect the private key -# with a password. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --pass $* diff --git a/easy-rsa/build-key-pkcs12 b/easy-rsa/build-key-pkcs12 deleted file mode 100755 index 5ef064f..0000000 --- a/easy-rsa/build-key-pkcs12 +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -# Make a certificate/private key pair using a locally generated -# root certificate and convert it to a PKCS #12 file including the -# the CA certificate as well. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --pkcs12 $* diff --git a/easy-rsa/build-key-server b/easy-rsa/build-key-server deleted file mode 100755 index 5502675..0000000 --- a/easy-rsa/build-key-server +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -# Make a certificate/private key pair using a locally generated -# root certificate. -# -# Explicitly set nsCertType to server using the "server" -# extension in the openssl.cnf file. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --server $* diff --git a/easy-rsa/build-req b/easy-rsa/build-req deleted file mode 100755 index 26587d1..0000000 --- a/easy-rsa/build-req +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Build a certificate signing request and private key. Use this -# when your root certificate and key is not available locally. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --csr $* diff --git a/easy-rsa/build-req-pass b/easy-rsa/build-req-pass deleted file mode 100755 index 6e6c863..0000000 --- a/easy-rsa/build-req-pass +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Like build-req, but protect your private key -# with a password. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --csr --pass $* diff --git a/easy-rsa/clean-all b/easy-rsa/clean-all deleted file mode 100755 index 0576db5..0000000 --- a/easy-rsa/clean-all +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash - -# Initialize the $KEY_DIR directory. -# Note that this script does a -# rm -rf on $KEY_DIR so be careful! - -if [ "$KEY_DIR" ]; then - rm -rf "$KEY_DIR" - mkdir "$KEY_DIR" && \ - chmod go-rwx "$KEY_DIR" && \ - touch "$KEY_DIR/index.txt" && \ - echo 01 >"$KEY_DIR/serial" -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/easy-rsa/inherit-inter b/easy-rsa/inherit-inter deleted file mode 100755 index 2101951..0000000 --- a/easy-rsa/inherit-inter +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash - -# Build a new PKI which is rooted on an intermediate certificate generated -# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should -# have independent vars settings, and must use a different KEY_DIR directory -# from the parent. This tool can be used to generate arbitrary depth -# certificate chains. -# -# To build an intermediate CA, follow the same steps for a regular PKI but -# replace ./build-key or ./pkitool --initca with this script. - -# The EXPORT_CA file will contain the CA certificate chain and should be -# referenced by the OpenVPN "ca" directive in config files. The ca.crt file -# will only contain the local intermediate CA -- it's needed by the easy-rsa -# scripts but not by OpenVPN directly. -EXPORT_CA="export-ca.crt" - -if [ $# -ne 2 ]; then - echo "usage: $0 " - echo "parent-key-dir: the KEY_DIR directory of the parent PKI" - echo "common-name: the common name of the intermediate certificate in the parent PKI" - exit 1; -fi - -if [ "$KEY_DIR" ]; then - cp "$1/$2.crt" "$KEY_DIR/ca.crt" - cp "$1/$2.key" "$KEY_DIR/ca.key" - - if [ -e "$1/$EXPORT_CA" ]; then - PARENT_CA="$1/$EXPORT_CA" - else - PARENT_CA="$1/ca.crt" - fi - cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" - cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/easy-rsa/list-crl b/easy-rsa/list-crl deleted file mode 100755 index 7736fa8..0000000 --- a/easy-rsa/list-crl +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -# list revoked certificates - -CRL="${1:-crl.pem}" - -if [ "$KEY_DIR" ]; then - cd "$KEY_DIR" && \ - openssl crl -text -noout -in "$CRL" -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/easy-rsa/openssl.cnf b/easy-rsa/openssl.cnf deleted file mode 100755 index 7fedebe..0000000 --- a/easy-rsa/openssl.cnf +++ /dev/null @@ -1,261 +0,0 @@ -# For use with easy-rsa version 2.0 - -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = $ENV::KEY_DIR # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir # default place for new certs. - -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 3650 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_anything - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = $ENV::KEY_SIZE -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = nombstr - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = $ENV::KEY_COUNTRY -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = $ENV::KEY_PROVINCE - -localityName = Locality Name (eg, city) -localityName_default = $ENV::KEY_CITY - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = $ENV::KEY_ORG - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_default = $ENV::KEY_EMAIL -emailAddress_max = 40 - -# JY -- added for batch mode -organizationalUnitName_default = $ENV::KEY_OU -commonName_default = $ENV::KEY_CN - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ server ] - -# JY ADDED -- Make a cert with nsCertType set to "server" -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always diff --git a/easy-rsa/pkitool b/easy-rsa/pkitool deleted file mode 100755 index 2d2d764..0000000 --- a/easy-rsa/pkitool +++ /dev/null @@ -1,233 +0,0 @@ -#!/bin/sh - -# OpenVPN -- An application to securely tunnel IP networks -# over a single TCP/UDP port, with support for SSL/TLS-based -# session authentication and key exchange, -# packet encryption, packet authentication, and -# packet compression. -# -# Copyright (C) 2002-2005 OpenVPN Solutions LLC -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program (see the file COPYING included with this -# distribution); if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# pkitool is a front-end for the openssl tool. - -# Calling scripts can set the certificate organizational -# unit with the KEY_OU environmental variable. - -PROGNAME=pkitool -VERSION=2.0 -DEBUG=0 - -GREP=grep -OPENSSL=openssl - -need_vars() -{ - echo ' Please edit the vars script to reflect your configuration,' - echo ' then source it with "source ./vars".' - echo ' Next, to start with a fresh PKI configuration and to delete any' - echo ' previous certificates and keys, run "./clean-all".' - echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys." -} - -usage() -{ - echo "$PROGNAME $VERSION" - echo "Usage: $PROGNAME [options...] [common-name]" - echo "Options:" - echo " --batch : batch mode (default)" - echo " --interact : interactive mode" - echo " --server : build server cert" - echo " --initca : build root CA" - echo " --inter : build intermediate CA" - echo " --pass : encrypt private key with password" - echo " --csr : only generate a CSR, do not sign" - echo " --sign : sign an existing CSR" - echo " --pkcs12 : generate a combined pkcs12 file" - echo "Notes:" - need_vars - echo "Generated files and corresponding OpenVPN directives:" - echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)' - echo " ca.crt -> root certificate (--ca)" - echo " ca.key -> root key, keep secure (not directly used by OpenVPN)" - echo " .crt files -> client/server certificates (--cert)" - echo " .key files -> private keys, keep secure (--key)" - echo " .csr files -> certificate signing request (not directly used by OpenVPN)" - echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)" - echo "Examples:" - echo " $PROGNAME --initca -> Build root certificate" - echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key" - echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" - echo " $PROGNAME client1 -> Build \"client1\" certificate/key" - echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" - echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS #12 format" - echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" - echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" - echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" - echo " Also see ./inherit-inter script." - echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." - echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :" - echo " [edit vars with your site-specific info]" - echo " source ./vars" - echo " ./clean-all" - echo " ./build-dh -> takes a long time, consider backgrounding" - echo " ./$PROGNAME --initca" - echo " ./$PROGNAME --server myserver" - echo " ./$PROGNAME client1" - echo " ./$PROGNAME --pass client2" - echo "Typical usage for adding client cert to existing PKI:" - echo " source ./vars" - echo " ./$PROGNAME client-new" -} - -# Set defaults -DO_REQ="1" -REQ_EXT="" -DO_CA="1" -CA_EXT="" -DO_P12="0" -DO_ROOT="0" -NODES_REQ="-nodes" -NODES_P12="" -BATCH="-batch" -CA="ca" - -# Process options -while [ $# -gt 0 ]; do - case "$1" in - --server ) REQ_EXT="$REQ_EXT -extensions server" - CA_EXT="$CA_EXT -extensions server" ;; - --batch ) BATCH="-batch" ;; - --interact ) BATCH="" ;; - --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; - --initca ) DO_ROOT="1" ;; - --pass ) NODES_REQ="" ;; - --csr ) DO_CA="0" ;; - --sign ) DO_REQ="0" ;; - --pkcs12 ) DO_P12="1" ;; - --* ) echo "$PROGNAME: unknown option: $1" - exit 1 ;; - * ) break ;; - esac - shift -done - -# If we are generating pkcs12, only encrypt the final step -if [ $DO_P12 -eq 1 ]; then - NODES_P12="$NODES_REQ" - NODES_REQ="-nodes" -fi - -# If undefined, set default key expiration intervals -if [ -z "$KEY_EXPIRE" ]; then - KEY_EXPIRE=3650 -fi -if [ -z "$CA_EXPIRE" ]; then - CA_EXPIRE=3650 -fi - -# Set organizational unit to empty string if undefined -if [ -z "$KEY_OU" ]; then - KEY_OU="" -fi - -# Set KEY_CN -if [ $DO_ROOT -eq 1 ]; then - if [ -z "$KEY_CN" ]; then - if [ "$1" ]; then - KEY_CN="$1" - elif [ "$KEY_ORG" ]; then - KEY_CN="$KEY_ORG CA" - fi - fi - if [ $BATCH ] && [ "$KEY_CN" ]; then - echo "Using CA Common Name:" $KEY_CN - fi -elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then - echo "Using Common Name:" $KEY_CN -else - if [ $# -ne 1 ]; then - usage - exit 1 - else - KEY_CN="$1" - fi -fi -export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN - -# Show parameters (debugging) -if [ $DEBUG -eq 1 ]; then - echo DO_REQ $DO_REQ - echo REQ_EXT $REQ_EXT - echo DO_CA $DO_CA - echo CA_EXT $CA_EXT - echo NODES_REQ $NODES_REQ - echo NODES_P12 $NODES_P12 - echo DO_P12 $DO_P12 - echo KEY_CN $KEY_CN - echo BATCH $BATCH - echo DO_ROOT $DO_ROOT - echo KEY_EXPIRE $KEY_EXPIRE - echo CA_EXPIRE $CA_EXPIRE - echo KEY_OU $KEY_OU -fi - -# Make sure ./vars was sourced beforehand -if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then - cd "$KEY_DIR" - - # Make sure $KEY_CONFIG points to the correct version - # of openssl.cnf - if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then - : - else - echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" - echo "version of openssl.cnf: $KEY_CONFIG" - echo "The correct version should have a comment that says: easy-rsa version 2.x"; - exit 1; - fi - - # Build root CA - if [ $DO_ROOT -eq 1 ]; then - $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \ - -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ - chmod 0600 "$CA.key" - else - # Make sure CA key/cert is available - if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then - if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then - echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" - echo "Try $PROGNAME --initca to build a root certificate/key." - exit 1 - fi - fi - - # Build cert/key - ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \ - -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \ - ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \ - -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ - ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \ - -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \ - ( [ $DO_CA -eq 0 ] || chmod 0600 "$KEY_CN.key" ) && \ - ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" ) - - fi - -# Need definitions -else - need_vars -fi diff --git a/easy-rsa/revoke-full b/easy-rsa/revoke-full deleted file mode 100755 index 9dc9b1e..0000000 --- a/easy-rsa/revoke-full +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash - -# revoke a certificate, regenerate CRL, -# and verify revocation - -CRL="crl.pem" -RT="revoke-test.pem" - -if [ $# -ne 1 ]; then - echo "usage: revoke-full "; - exit 1 -fi - -if [ "$KEY_DIR" ]; then - cd "$KEY_DIR" - rm -f "$RT" - - # set defaults - export KEY_CN="" - export KEY_OU="" - - # revoke key and generate a new CRL - openssl ca -revoke "$1.crt" -config "$KEY_CONFIG" - - # generate a new CRL -- try to be compatible with - # intermediate PKIs - openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG" - if [ -e export-ca.crt ]; then - cat export-ca.crt "$CRL" >"$RT" - else - cat ca.crt "$CRL" >"$RT" - fi - - # verify the revocation - openssl verify -CAfile "$RT" -crl_check "$1.crt" -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/easy-rsa/sign-req b/easy-rsa/sign-req deleted file mode 100755 index 38655d3..0000000 --- a/easy-rsa/sign-req +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Sign a certificate signing request (a .csr file) -# with a local root certificate and key. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --sign $* diff --git a/easy-rsa/vars b/easy-rsa/vars deleted file mode 100755 index a4bd149..0000000 --- a/easy-rsa/vars +++ /dev/null @@ -1,55 +0,0 @@ -# easy-rsa parameter settings - -# NOTE: If you installed from an RPM, -# don't edit this file in place in -# /usr/share/openvpn/easy-rsa -- -# instead, you should copy the whole -# easy-rsa directory to another location -# (such as /etc/openvpn) so that your -# edits will not be wiped out by a future -# OpenVPN package upgrade. - -# This variable should point to -# the top level of the easy-rsa -# tree. -export EASY_RSA="`pwd`" - -# This variable should point to -# the openssl.cnf file included -# with easy-rsa. -export KEY_CONFIG="$EASY_RSA/openssl.cnf" - -# Edit this variable to point to -# your soon-to-be-created key -# directory. -# -# WARNING: clean-all will do -# a rm -rf on this directory -# so make sure you define -# it correctly! -export KEY_DIR="$EASY_RSA/keys" - -# Issue rm -rf warning -echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR - -# Increase this to 2048 if you -# are paranoid. This will slow -# down TLS negotiation performance -# as well as the one-time DH parms -# generation process. -export KEY_SIZE=1024 - -# In how many days should the root CA key expire? -export CA_EXPIRE=3650 - -# In how many days should certificates expire? -export KEY_EXPIRE=3650 - -# These are the default values for fields -# which will be placed in the certificate. -# Don't leave any of these fields blank. -export KEY_COUNTRY="US" -export KEY_PROVINCE="CA" -export KEY_CITY="SanFrancisco" -export KEY_ORG="Fort-Funston" -export KEY_EMAIL="me@myhost.mydomain" -- cgit v1.2.3