Robin Thoni il y a 9 ans
révision
f8eed0f1b4

+ 69
- 0
mkclient Voir le fichier

@@ -0,0 +1,69 @@
1
+#!/bin/bash
2
+if [ $# -ne 3 ]
3
+then
4
+    echo "Usage: mkclient clientname password vpn" 1>&2
5
+    echo "password can be -p to show prompt" 1>&2
6
+    exit 1
7
+fi
8
+
9
+pass="$2"
10
+vpn="$3"
11
+clientname="$1-${vpn}"
12
+vpn="vpn_${vpn}"
13
+if [ ! -d "/etc/openvpn/${vpn}" ]
14
+then
15
+    echo "VPN does not exists" 1>&2
16
+    exit 2
17
+fi
18
+if [ $(echo "${clientname}" | grep -c -E "^[a-zA-Z0-9\._\-]+$") != 1 ]
19
+then
20
+    echo "Invalid client name"
21
+    exit 3
22
+fi
23
+cd "/etc/openvpn/${vpn}/easy-rsa/keys"
24
+clientsdir="/etc/openvpn/${vpn}/clients/"
25
+clientdir="$clientsdir${clientname}/"
26
+clientslinkdir="/var/vpn/${vpn}/"
27
+if [ -a "${clientname}.crt" ] || [ -a "${clientname}.csr" ] || [ -a "${clientname}.key" ] || [ -d $clientdir ]
28
+then
29
+    echo "Client ${clientname} already exists or is revoked"
30
+    exit 4
31
+fi
32
+
33
+if [ "${pass}" == "-p" ]
34
+then
35
+    echo -n "Password: "
36
+    read -s pass
37
+fi
38
+
39
+cd ..
40
+source ./vars
41
+KEY_CN="${clientname}" KEY_NAME="${clientname}" ./pkitool ${clientname}
42
+ret=$?
43
+if [ $ret != 0 ]
44
+then
45
+    echo "pkitool exited with code $ret"
46
+    exit 5
47
+fi
48
+cd keys
49
+echo "Copying generated files"
50
+mkdir -p $clientdir
51
+cp "${clientname}.crt" "$clientdir/${clientname}-${vpn}.crt"
52
+cp "${clientname}.key" "$clientdir/${clientname}-${vpn}.key"
53
+echo "Copying ca and ta"
54
+cd "/etc/openvpn/${vpn}"
55
+cp ca.crt "$clientdir/ca-${vpn}.crt"
56
+cp ta.key "$clientdir/ta-${vpn}.key"
57
+echo "Creating client-${vpn}.conf"
58
+cd $clientsdir
59
+sed "s/%%client%%/${clientname}/g" client.conf > "$clientdir/${clientname}.conf"
60
+echo "Creating ${clientname}.tar.bz2"
61
+cd $clientdir
62
+tar cfj "${clientname}.tar.bz2" *
63
+echo "Creating symlink"
64
+ln -s "$clientdir${clientname}.tar.bz2" "$clientslinkdir${clientname}.tar.bz2"
65
+echo "Adding apache user"
66
+echo -e "<Files ${clientname}.tar.bz2>\n\tRequire user ${clientname} ovpn-root\n</Files>" >> $clientslinkdir'.htaccess'
67
+htpasswd -b "/var/vpn/${vpn}/.htpasswd" ${clientname} ${pass}
68
+echo "mkclient completed"
69
+exit 0

+ 62
- 0
mkvpn Voir le fichier

@@ -0,0 +1,62 @@
1
+#! /usr/bin/env sh
2
+if [ $# -ne 1 ]
3
+then
4
+    echo "Usage: $0 vpnname" 1>&2
5
+    exit 1
6
+fi
7
+
8
+vpn="vpn_$1"
9
+ovpndir="/etc/openvpn"
10
+ovpndirconf="${ovpndir}/${vpn}"
11
+webdir="/var/vpn/${vpn}"
12
+if [ -d "${ovpndirconf}" ] || [ -d "${webdir}" ]
13
+then
14
+    echo "VPN already exists" 1>&2
15
+    exit 2
16
+fi
17
+echo "Creating OpenVPN configuration"
18
+cd "${ovpndir}"
19
+echo -n "VPN port: "
20
+read vpnport
21
+echo -n "VPN IP range: "
22
+read vpniprange
23
+sed "s/%%VPNNAME%%/${vpn}/g" sampleconf > "${vpn}.conf"
24
+sed "s/%%VPNPORT%%/${vpnport}/g" -i "${vpn}.conf"
25
+sed "s/%%VPNIPRANGE%%/${vpniprange}/g" -i "${vpn}.conf"
26
+cp -r sampleconfdir "${ovpndirconf}"
27
+cd "${ovpndirconf}"
28
+sed "s/%%VPNNAME%%/${vpn}/g" -i clients/client.conf
29
+sed "s/%%VPNPORT%%/${vpnport}/g" -i clients/client.conf
30
+cd "easy-rsa"
31
+editor vars
32
+. ./vars
33
+export KEY_OU="${KEY_ORG}"
34
+export KEY_CN="${KEY_ORG}"
35
+export KEY_NAME="${KEY_ORG}"
36
+./clean-all
37
+./build-ca
38
+./build-key-server server
39
+./build-dh
40
+openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config openssl.cnf
41
+unset KEY_OU
42
+unset KEY_CN
43
+unset KEY_NAME
44
+chmod 710 keys
45
+cd keys
46
+openvpn --genkey --secret ta.key
47
+cp dh*.pem ../../
48
+cp ca.crt ../../
49
+cp ta.key ../../
50
+cp server.crt ../../
51
+cp server.key ../../
52
+cd "${ovpndir}"
53
+chown -R root:ovpn-manager "${vpn}" "${vpn}.conf"
54
+
55
+echo "Creating web configuration"
56
+mkdir "${webdir}"
57
+cd "${webdir}"
58
+echo "AuthUserFile ${webdir}/.htpasswd" >> .htaccess
59
+echo "AuthType Basic" >> .htaccess
60
+echo "AuthName \"${vpn}\"" >> .htaccess
61
+echo "Require user ovpn-root" >> .htaccess
62
+cp ../.htpasswd .

+ 35
- 0
rmclient Voir le fichier

@@ -0,0 +1,35 @@
1
+#!/bin/bash
2
+if [ $# != 1 ]
3
+then
4
+	echo "Usage: rmclient clientname"
5
+	exit 1
6
+else
7
+	cd /etc/openvpn/easy-rsa/2.0/keys
8
+	clientsdir="/etc/openvpn/clients/"
9
+	clientdir="$clientsdir$1/"
10
+	clientsrmdir="/etc/openvpn/rmclients/"
11
+	clientslinkdir="/var/vpn/clients/"
12
+	if ! [ -a "$1.crt" ] && ! [ -a "$1.csr" ] && ! [ -a "$1.key" ] && ! [ -a $clientslinkdir"$1.tar.bz2" ] && ! [ -d $clientdir ]
13
+	then
14
+		echo "Client $1 does not exist"
15
+		exit 2
16
+	fi
17
+
18
+	cd ..
19
+	source ./vars
20
+	./revoke-full "$1"
21
+	cd keys
22
+	mkdir -p $clientsrmdir
23
+
24
+	if [ -d $clientdir ]
25
+	then
26
+		mv $clientdir $clientsrmdir
27
+	else
28
+		echo "Client dir does not exist"
29
+	fi
30
+
31
+	htpasswd -D $clientslinkdir'.htpasswd' $1
32
+
33
+	echo "rmclient completed"
34
+	exit 0
35
+fi

+ 35
- 0
sampleconf Voir le fichier

@@ -0,0 +1,35 @@
1
+# Serveur TCP/443
2
+mode server
3
+proto tcp-server
4
+port %%VPNPORT%%
5
+dev tun
6
+client-to-client
7
+
8
+# Cles et certificats
9
+ca /etc/openvpn/%%VPNNAME%%/ca.crt
10
+cert /etc/openvpn/%%VPNNAME%%/server.crt
11
+key /etc/openvpn/%%VPNNAME%%/server.key
12
+dh /etc/openvpn/%%VPNNAME%%/dh1024.pem
13
+tls-auth /etc/openvpn/%%VPNNAME%%/ta.key 1
14
+
15
+key-direction 0
16
+cipher AES-256-CBC
17
+crl-verify /etc/openvpn/%%VPNNAME%%/easy-rsa/keys/crl.pem
18
+client-config-dir /etc/openvpn/%%VPNNAME%%/clientsconf
19
+
20
+# Reseau
21
+server %%VPNIPRANGE%% 255.255.255.0
22
+keepalive 10 120
23
+
24
+# Securite
25
+user www-data
26
+group ovpn-manager
27
+persist-key
28
+persist-tun
29
+comp-lzo
30
+
31
+# Log
32
+verb 1
33
+mute 20
34
+status /var/vpn/status-%%VPNNAME%%
35
+#log-append /var/log/openvpn-%%VPNNAME%%.log

+ 22
- 0
sampleconfdir/clients/client.conf Voir le fichier

@@ -0,0 +1,22 @@
1
+# Client
2
+client
3
+dev tun
4
+proto tcp-client
5
+remote 178.170.113.82 %%VPNPORT%%
6
+resolv-retry infinite
7
+cipher AES-256-CBC
8
+
9
+# Cles
10
+ca ca-%%VPNNAME%%.crt
11
+cert %%client%%-%%VPNNAME%%.crt
12
+key %%client%%-%%VPNNAME%%.key
13
+tls-auth ta-%%VPNNAME%%.key 1
14
+key-direction 1
15
+
16
+# Securite
17
+nobind
18
+persist-key
19
+persist-tun
20
+comp-lzo
21
+verb 3
22
+

+ 13
- 0
sampleconfdir/easy-rsa/Makefile Voir le fichier

@@ -0,0 +1,13 @@
1
+
2
+DESTDIR=
3
+PREFIX=
4
+
5
+all:
6
+	echo "All done."
7
+	echo "Run make install DESTDIR=/usr/share/somewhere"
8
+
9
+install:
10
+	install -d "${DESTDIR}/${PREFIX}"
11
+	install -m 0755 build-* "${DESTDIR}/${PREFIX}"
12
+	install -m 0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
13
+	install -m 0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}"

BIN
sampleconfdir/easy-rsa/README.gz Voir le fichier


+ 8
- 0
sampleconfdir/easy-rsa/build-ca Voir le fichier

@@ -0,0 +1,8 @@
1
+#!/bin/bash
2
+
3
+#
4
+# Build a root certificate
5
+#
6
+
7
+export EASY_RSA="${EASY_RSA:-.}"
8
+"$EASY_RSA/pkitool" --interact --initca $*

+ 11
- 0
sampleconfdir/easy-rsa/build-dh Voir le fichier

@@ -0,0 +1,11 @@
1
+#!/bin/bash
2
+
3
+# Build Diffie-Hellman parameters for the server side
4
+# of an SSL/TLS connection.
5
+
6
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
7
+    $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
8
+else
9
+    echo 'Please source the vars script first (i.e. "source ./vars")'
10
+    echo 'Make sure you have edited it to reflect your configuration.'
11
+fi

+ 7
- 0
sampleconfdir/easy-rsa/build-inter Voir le fichier

@@ -0,0 +1,7 @@
1
+#!/bin/bash
2
+
3
+# Make an intermediate CA certificate/private key pair using a locally generated
4
+# root certificate.
5
+
6
+export EASY_RSA="${EASY_RSA:-.}"
7
+"$EASY_RSA/pkitool" --interact --inter $*

+ 7
- 0
sampleconfdir/easy-rsa/build-key Voir le fichier

@@ -0,0 +1,7 @@
1
+#!/bin/bash
2
+
3
+# Make a certificate/private key pair using a locally generated
4
+# root certificate.
5
+
6
+export EASY_RSA="${EASY_RSA:-.}"
7
+"$EASY_RSA/pkitool" --interact $*

+ 7
- 0
sampleconfdir/easy-rsa/build-key-pass Voir le fichier

@@ -0,0 +1,7 @@
1
+#!/bin/bash
2
+
3
+# Similar to build-key, but protect the private key
4
+# with a password.
5
+
6
+export EASY_RSA="${EASY_RSA:-.}"
7
+"$EASY_RSA/pkitool" --interact --pass $*

+ 8
- 0
sampleconfdir/easy-rsa/build-key-pkcs12 Voir le fichier

@@ -0,0 +1,8 @@
1
+#!/bin/bash
2
+
3
+# Make a certificate/private key pair using a locally generated
4
+# root certificate and convert it to a PKCS #12 file including the
5
+# the CA certificate as well.
6
+
7
+export EASY_RSA="${EASY_RSA:-.}"
8
+"$EASY_RSA/pkitool" --interact --pkcs12 $*

+ 10
- 0
sampleconfdir/easy-rsa/build-key-server Voir le fichier

@@ -0,0 +1,10 @@
1
+#!/bin/bash
2
+
3
+# Make a certificate/private key pair using a locally generated
4
+# root certificate.
5
+#
6
+# Explicitly set nsCertType to server using the "server"
7
+# extension in the openssl.cnf file.
8
+
9
+export EASY_RSA="${EASY_RSA:-.}"
10
+"$EASY_RSA/pkitool" --interact --server $*

+ 7
- 0
sampleconfdir/easy-rsa/build-req Voir le fichier

@@ -0,0 +1,7 @@
1
+#!/bin/bash
2
+
3
+# Build a certificate signing request and private key.  Use this
4
+# when your root certificate and key is not available locally.
5
+
6
+export EASY_RSA="${EASY_RSA:-.}"
7
+"$EASY_RSA/pkitool" --interact --csr $*

+ 7
- 0
sampleconfdir/easy-rsa/build-req-pass Voir le fichier

@@ -0,0 +1,7 @@
1
+#!/bin/bash
2
+
3
+# Like build-req, but protect your private key
4
+# with a password.
5
+
6
+export EASY_RSA="${EASY_RSA:-.}"
7
+"$EASY_RSA/pkitool" --interact --csr --pass $*

+ 16
- 0
sampleconfdir/easy-rsa/clean-all Voir le fichier

@@ -0,0 +1,16 @@
1
+#!/bin/bash
2
+
3
+# Initialize the $KEY_DIR directory.
4
+# Note that this script does a
5
+# rm -rf on $KEY_DIR so be careful!
6
+
7
+if [ "$KEY_DIR" ]; then
8
+    rm -rf "$KEY_DIR"
9
+    mkdir "$KEY_DIR" && \
10
+	chmod go-rwx "$KEY_DIR" && \
11
+	touch "$KEY_DIR/index.txt" && \
12
+	echo 01 >"$KEY_DIR/serial"
13
+else
14
+    echo 'Please source the vars script first (i.e. "source ./vars")'
15
+    echo 'Make sure you have edited it to reflect your configuration.'
16
+fi

+ 39
- 0
sampleconfdir/easy-rsa/inherit-inter Voir le fichier

@@ -0,0 +1,39 @@
1
+#!/bin/bash
2
+
3
+# Build a new PKI which is rooted on an intermediate certificate generated
4
+# by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
5
+# have independent vars settings, and must use a different KEY_DIR directory
6
+# from the parent.  This tool can be used to generate arbitrary depth
7
+# certificate chains.
8
+#
9
+# To build an intermediate CA, follow the same steps for a regular PKI but
10
+# replace ./build-key or ./pkitool --initca with this script.
11
+
12
+# The EXPORT_CA file will contain the CA certificate chain and should be
13
+# referenced by the OpenVPN "ca" directive in config files.  The ca.crt file
14
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
15
+# scripts but not by OpenVPN directly.
16
+EXPORT_CA="export-ca.crt"
17
+
18
+if [ $# -ne 2 ]; then
19
+    echo "usage: $0 <parent-key-dir> <common-name>"
20
+    echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
21
+    echo "common-name: the common name of the intermediate certificate in the parent PKI"
22
+    exit 1;
23
+fi
24
+
25
+if [ "$KEY_DIR" ]; then
26
+    cp "$1/$2.crt" "$KEY_DIR/ca.crt"
27
+    cp "$1/$2.key" "$KEY_DIR/ca.key"
28
+
29
+    if [ -e "$1/$EXPORT_CA" ]; then
30
+	PARENT_CA="$1/$EXPORT_CA"
31
+    else
32
+	PARENT_CA="$1/ca.crt"
33
+    fi
34
+    cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
35
+    cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
36
+else
37
+    echo 'Please source the vars script first (i.e. "source ./vars")'
38
+    echo 'Make sure you have edited it to reflect your configuration.'
39
+fi

+ 10
- 0
sampleconfdir/easy-rsa/keys/crl.pem Voir le fichier

@@ -0,0 +1,10 @@
1
+-----BEGIN X509 CRL-----
2
+MIIBTTCBtzANBgkqhkiG9w0BAQQFADByMQswCQYDVQQGEwJGUjELMAkGA1UECBMC
3
+SUYxDjAMBgNVBAcTBVBhcmlzMQ8wDQYDVQQKEwZydGhvbmkxEjAQBgNVBAMTCXJ0
4
+aG9uaSBDQTEhMB8GCSqGSIb3DQEJARYScm9iNTc1MzBAZ21haWwuY29tFw0xNDAz
5
+MTYyMDM1NDFaFw0xNDA0MTUyMDM1NDFaMBQwEgIBBBcNMTQwMzE2MjAzNTQxWjAN
6
+BgkqhkiG9w0BAQQFAAOBgQCOq4LkaddbzY4a/2dW8mBmLJzI8FYTIL9f/YtRN+Mq
7
+Zv4Sv+yCrhnOqDFiAFaaJIlR3SE55dlX4BZoF0h6qXj/3Q77KBqfDyocR90t1NIR
8
+R32nuUFo/eGMLU3Jzbxgm/8ZEWxH5R9U5FkKb8ajFAvgJWBpUu72UA2DTRe/rneu
9
+Og==
10
+-----END X509 CRL-----

+ 0
- 0
sampleconfdir/easy-rsa/keys/index.txt Voir le fichier


+ 10
- 0
sampleconfdir/easy-rsa/keys/revoke-test.pem Voir le fichier

@@ -0,0 +1,10 @@
1
+-----BEGIN X509 CRL-----
2
+MIIBTTCBtzANBgkqhkiG9w0BAQQFADByMQswCQYDVQQGEwJGUjELMAkGA1UECBMC
3
+SUYxDjAMBgNVBAcTBVBhcmlzMQ8wDQYDVQQKEwZydGhvbmkxEjAQBgNVBAMTCXJ0
4
+aG9uaSBDQTEhMB8GCSqGSIb3DQEJARYScm9iNTc1MzBAZ21haWwuY29tFw0xNDAz
5
+MTYyMDM1NDFaFw0xNDA0MTUyMDM1NDFaMBQwEgIBBBcNMTQwMzE2MjAzNTQxWjAN
6
+BgkqhkiG9w0BAQQFAAOBgQCOq4LkaddbzY4a/2dW8mBmLJzI8FYTIL9f/YtRN+Mq
7
+Zv4Sv+yCrhnOqDFiAFaaJIlR3SE55dlX4BZoF0h6qXj/3Q77KBqfDyocR90t1NIR
8
+R32nuUFo/eGMLU3Jzbxgm/8ZEWxH5R9U5FkKb8ajFAvgJWBpUu72UA2DTRe/rneu
9
+Og==
10
+-----END X509 CRL-----

+ 1
- 0
sampleconfdir/easy-rsa/keys/serial Voir le fichier

@@ -0,0 +1 @@
1
+01

+ 13
- 0
sampleconfdir/easy-rsa/list-crl Voir le fichier

@@ -0,0 +1,13 @@
1
+#!/bin/bash
2
+
3
+# list revoked certificates
4
+
5
+CRL="${1:-crl.pem}"
6
+
7
+if [ "$KEY_DIR" ]; then
8
+    cd "$KEY_DIR" && \
9
+	$OPENSSL crl -text -noout -in "$CRL"
10
+else
11
+    echo 'Please source the vars script first (i.e. "source ./vars")'
12
+    echo 'Make sure you have edited it to reflect your configuration.'
13
+fi

BIN
sampleconfdir/easy-rsa/openssl-0.9.6.cnf.gz Voir le fichier


+ 291
- 0
sampleconfdir/easy-rsa/openssl.cnf Voir le fichier

@@ -0,0 +1,291 @@
1
+# For use with easy-rsa version 2.0
2
+
3
+#
4
+# OpenSSL example configuration file.
5
+# This is mostly being used for generation of certificate requests.
6
+#
7
+
8
+# This definition stops the following lines choking if HOME isn't
9
+# defined.
10
+HOME			= .
11
+RANDFILE		= $ENV::HOME/.rnd
12
+openssl_conf		= openssl_init
13
+
14
+[ openssl_init ]
15
+# Extra OBJECT IDENTIFIER info:
16
+#oid_file		= $ENV::HOME/.oid
17
+oid_section		= new_oids
18
+engines                 = engine_section
19
+
20
+# To use this configuration file with the "-extfile" option of the
21
+# "openssl x509" utility, name here the section containing the
22
+# X.509v3 extensions to use:
23
+# extensions		= 
24
+# (Alternatively, use a configuration file that has only
25
+# X.509v3 extensions in its main [= default] section.)
26
+
27
+[ new_oids ]
28
+
29
+# We can add new OIDs in here for use by 'ca' and 'req'.
30
+# Add a simple OID like this:
31
+# testoid1=1.2.3.4
32
+# Or use config file substitution like this:
33
+# testoid2=${testoid1}.5.6
34
+
35
+####################################################################
36
+[ ca ]
37
+default_ca	= CA_default		# The default ca section
38
+
39
+####################################################################
40
+[ CA_default ]
41
+
42
+dir		= $ENV::KEY_DIR		# Where everything is kept
43
+certs		= $dir			# Where the issued certs are kept
44
+crl_dir		= $dir			# Where the issued crl are kept
45
+database	= $dir/index.txt	# database index file.
46
+new_certs_dir	= $dir			# default place for new certs.
47
+
48
+certificate	= $dir/ca.crt	 	# The CA certificate
49
+serial		= $dir/serial 		# The current serial number
50
+crl		= $dir/crl.pem 		# The current CRL
51
+private_key	= $dir/ca.key	 	# The private key
52
+RANDFILE	= $dir/.rand		# private random number file
53
+
54
+x509_extensions	= usr_cert		# The extentions to add to the cert
55
+
56
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
57
+# so this is commented out by default to leave a V1 CRL.
58
+# crl_extensions	= crl_ext
59
+
60
+default_days	= 3650			# how long to certify for
61
+default_crl_days= 30			# how long before next CRL
62
+default_md	= md5			# which md to use.
63
+preserve	= no			# keep passed DN ordering
64
+
65
+# A few difference way of specifying how similar the request should look
66
+# For type CA, the listed attributes must be the same, and the optional
67
+# and supplied fields are just that :-)
68
+policy		= policy_anything
69
+
70
+# For the CA policy
71
+[ policy_match ]
72
+countryName		= match
73
+stateOrProvinceName	= match
74
+organizationName	= match
75
+organizationalUnitName	= optional
76
+commonName		= supplied
77
+name			= optional
78
+emailAddress		= optional
79
+
80
+# For the 'anything' policy
81
+# At this point in time, you must list all acceptable 'object'
82
+# types.
83
+[ policy_anything ]
84
+countryName		= optional
85
+stateOrProvinceName	= optional
86
+localityName		= optional
87
+organizationName	= optional
88
+organizationalUnitName	= optional
89
+commonName		= supplied
90
+name			= optional
91
+emailAddress		= optional
92
+
93
+####################################################################
94
+[ req ]
95
+default_bits		= $ENV::KEY_SIZE
96
+default_keyfile 	= privkey.pem
97
+distinguished_name	= req_distinguished_name
98
+attributes		= req_attributes
99
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
100
+
101
+# Passwords for private keys if not present they will be prompted for
102
+# input_password = secret
103
+# output_password = secret
104
+
105
+# This sets a mask for permitted string types. There are several options. 
106
+# default: PrintableString, T61String, BMPString.
107
+# pkix	 : PrintableString, BMPString.
108
+# utf8only: only UTF8Strings.
109
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
110
+# MASK:XXXX a literal mask value.
111
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
112
+# so use this option with caution!
113
+string_mask = nombstr
114
+
115
+# req_extensions = v3_req # The extensions to add to a certificate request
116
+
117
+[ req_distinguished_name ]
118
+countryName			= Country Name (2 letter code)
119
+countryName_default		= $ENV::KEY_COUNTRY
120
+countryName_min			= 2
121
+countryName_max			= 2
122
+
123
+stateOrProvinceName		= State or Province Name (full name)
124
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
125
+
126
+localityName			= Locality Name (eg, city)
127
+localityName_default		= $ENV::KEY_CITY
128
+
129
+0.organizationName		= Organization Name (eg, company)
130
+0.organizationName_default	= $ENV::KEY_ORG
131
+
132
+# we can do this but it is not needed normally :-)
133
+#1.organizationName		= Second Organization Name (eg, company)
134
+#1.organizationName_default	= World Wide Web Pty Ltd
135
+
136
+organizationalUnitName		= Organizational Unit Name (eg, section)
137
+#organizationalUnitName_default	=
138
+
139
+commonName			= Common Name (eg, your name or your server\'s hostname)
140
+commonName_max			= 64
141
+
142
+name				= Name
143
+name_max			= 64
144
+
145
+emailAddress			= Email Address
146
+emailAddress_default		= $ENV::KEY_EMAIL
147
+emailAddress_max		= 40
148
+
149
+# JY -- added for batch mode
150
+organizationalUnitName_default = $ENV::KEY_OU
151
+commonName_default = $ENV::KEY_CN
152
+name_default = $ENV::KEY_NAME
153
+
154
+# SET-ex3			= SET extension number 3
155
+
156
+[ req_attributes ]
157
+challengePassword		= A challenge password
158
+challengePassword_min		= 4
159
+challengePassword_max		= 20
160
+
161
+unstructuredName		= An optional company name
162
+
163
+[ usr_cert ]
164
+
165
+# These extensions are added when 'ca' signs a request.
166
+
167
+# This goes against PKIX guidelines but some CAs do it and some software
168
+# requires this to avoid interpreting an end user certificate as a CA.
169
+
170
+basicConstraints=CA:FALSE
171
+
172
+# Here are some examples of the usage of nsCertType. If it is omitted
173
+# the certificate can be used for anything *except* object signing.
174
+
175
+# This is OK for an SSL server.
176
+# nsCertType			= server
177
+
178
+# For an object signing certificate this would be used.
179
+# nsCertType = objsign
180
+
181
+# For normal client use this is typical
182
+# nsCertType = client, email
183
+
184
+# and for everything including object signing:
185
+# nsCertType = client, email, objsign
186
+
187
+# This is typical in keyUsage for a client certificate.
188
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
189
+
190
+# This will be displayed in Netscape's comment listbox.
191
+nsComment			= "Easy-RSA Generated Certificate"
192
+
193
+# PKIX recommendations harmless if included in all certificates.
194
+subjectKeyIdentifier=hash
195
+authorityKeyIdentifier=keyid,issuer:always
196
+extendedKeyUsage=clientAuth
197
+keyUsage = digitalSignature
198
+
199
+# This stuff is for subjectAltName and issuerAltname.
200
+# Import the email address.
201
+# subjectAltName=email:copy
202
+
203
+# Copy subject details
204
+# issuerAltName=issuer:copy
205
+
206
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
207
+#nsBaseUrl
208
+#nsRevocationUrl
209
+#nsRenewalUrl
210
+#nsCaPolicyUrl
211
+#nsSslServerName
212
+
213
+[ server ]
214
+
215
+# JY ADDED -- Make a cert with nsCertType set to "server"
216
+basicConstraints=CA:FALSE
217
+nsCertType			= server
218
+nsComment			= "Easy-RSA Generated Server Certificate"
219
+subjectKeyIdentifier=hash
220
+authorityKeyIdentifier=keyid,issuer:always
221
+extendedKeyUsage=serverAuth
222
+keyUsage = digitalSignature, keyEncipherment
223
+
224
+[ v3_req ]
225
+
226
+# Extensions to add to a certificate request
227
+
228
+basicConstraints = CA:FALSE
229
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
230
+
231
+[ v3_ca ]
232
+
233
+
234
+# Extensions for a typical CA
235
+
236
+
237
+# PKIX recommendation.
238
+
239
+subjectKeyIdentifier=hash
240
+
241
+authorityKeyIdentifier=keyid:always,issuer:always
242
+
243
+# This is what PKIX recommends but some broken software chokes on critical
244
+# extensions.
245
+#basicConstraints = critical,CA:true
246
+# So we do this instead.
247
+basicConstraints = CA:true
248
+
249
+# Key usage: this is typical for a CA certificate. However since it will
250
+# prevent it being used as an test self-signed certificate it is best
251
+# left out by default.
252
+# keyUsage = cRLSign, keyCertSign
253
+
254
+# Some might want this also
255
+# nsCertType = sslCA, emailCA
256
+
257
+# Include email address in subject alt name: another PKIX recommendation
258
+# subjectAltName=email:copy
259
+# Copy issuer details
260
+# issuerAltName=issuer:copy
261
+
262
+# DER hex encoding of an extension: beware experts only!
263
+# obj=DER:02:03
264
+# Where 'obj' is a standard or added object
265
+# You can even override a supported extension:
266
+# basicConstraints= critical, DER:30:03:01:01:FF
267
+
268
+[ crl_ext ]
269
+
270
+# CRL extensions.
271
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
272
+
273
+# issuerAltName=issuer:copy
274
+authorityKeyIdentifier=keyid:always,issuer:always
275
+
276
+[ engine_section ]
277
+#
278
+# If you are using PKCS#11
279
+# Install engine_pkcs11 of opensc (www.opensc.org)
280
+# And uncomment the following
281
+# verify that dynamic_path points to the correct location
282
+#
283
+#pkcs11 = pkcs11_section
284
+
285
+[ pkcs11_section ]
286
+engine_id = pkcs11
287
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
288
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
289
+PIN = $ENV::PKCS11_PIN
290
+init = 0
291
+

+ 373
- 0
sampleconfdir/easy-rsa/pkitool Voir le fichier

@@ -0,0 +1,373 @@
1
+#!/bin/sh
2
+
3
+#  OpenVPN -- An application to securely tunnel IP networks
4
+#             over a single TCP/UDP port, with support for SSL/TLS-based
5
+#             session authentication and key exchange,
6
+#             packet encryption, packet authentication, and
7
+#             packet compression.
8
+#
9
+#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10
+#
11
+#  This program is free software; you can redistribute it and/or modify
12
+#  it under the terms of the GNU General Public License version 2
13
+#  as published by the Free Software Foundation.
14
+#
15
+#  This program is distributed in the hope that it will be useful,
16
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
17
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18
+#  GNU General Public License for more details.
19
+#
20
+#  You should have received a copy of the GNU General Public License
21
+#  along with this program (see the file COPYING included with this
22
+#  distribution); if not, write to the Free Software Foundation, Inc.,
23
+#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
24
+
25
+# pkitool is a front-end for the openssl tool.
26
+
27
+# Calling scripts can set the certificate organizational 
28
+# unit with the KEY_OU environmental variable. 
29
+
30
+# Calling scripts can also set the KEY_NAME environmental
31
+# variable to set the "name" X509 subject field.
32
+
33
+PROGNAME=pkitool
34
+VERSION=2.0
35
+DEBUG=0
36
+
37
+die()
38
+{
39
+    local m="$1"
40
+
41
+    echo "$m" >&2
42
+    exit 1
43
+}
44
+
45
+need_vars()
46
+{
47
+    echo '  Please edit the vars script to reflect your configuration,'
48
+    echo '  then source it with "source ./vars".'
49
+    echo '  Next, to start with a fresh PKI configuration and to delete any'
50
+    echo '  previous certificates and keys, run "./clean-all".'
51
+    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."
52
+}
53
+
54
+usage()
55
+{
56
+    echo "$PROGNAME $VERSION"
57
+    echo "Usage: $PROGNAME [options...] [common-name]"
58
+    echo "Options:"
59
+    echo "  --batch    : batch mode (default)"
60
+    echo "  --keysize  : Set keysize"
61
+    echo "      size   : size (default=1024)"
62
+    echo "  --interact : interactive mode"
63
+    echo "  --server   : build server cert"
64
+    echo "  --initca   : build root CA"
65
+    echo "  --inter    : build intermediate CA"
66
+    echo "  --pass     : encrypt private key with password"
67
+    echo "  --csr      : only generate a CSR, do not sign"
68
+    echo "  --sign     : sign an existing CSR"
69
+    echo "  --pkcs12   : generate a combined PKCS#12 file"
70
+    echo "  --pkcs11   : generate certificate on PKCS#11 token"
71
+    echo "      lib    : PKCS#11 library"
72
+    echo "      slot   : PKCS#11 slot"
73
+    echo "      id     : PKCS#11 object id (hex string)"
74
+    echo "      label  : PKCS#11 object label"
75
+    echo "Standalone options:"
76
+    echo "  --pkcs11-slots   : list PKCS#11 slots"
77
+    echo "      lib    : PKCS#11 library"
78
+    echo "  --pkcs11-objects : list PKCS#11 token objects"
79
+    echo "      lib    : PKCS#11 library"
80
+    echo "      slot   : PKCS#11 slot"
81
+    echo "  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!"
82
+    echo "      lib    : PKCS#11 library"
83
+    echo "      slot   : PKCS#11 slot"
84
+    echo "      label  : PKCS#11 token label"
85
+    echo "Notes:"
86
+    need_vars
87
+    echo "  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
88
+    echo "Generated files and corresponding OpenVPN directives:"
89
+    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
90
+    echo "  ca.crt     -> root certificate (--ca)"
91
+    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"
92
+    echo "  .crt files -> client/server certificates (--cert)"
93
+    echo "  .key files -> private keys, keep secure (--key)"
94
+    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"
95
+    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
96
+    echo "Examples:"
97
+    echo "  $PROGNAME --initca          -> Build root certificate"
98
+    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"
99
+    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"
100
+    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"
101
+    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"
102
+    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS#12 format"
103
+    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"
104
+    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"
105
+    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"
106
+    echo "                               Also see ./inherit-inter script."
107
+    echo "  $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
108
+    echo "                              -> Build \"client5\" certificate/key in PKCS#11 token"
109
+    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."
110
+    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"
111
+    echo "  [edit vars with your site-specific info]"
112
+    echo "  source ./vars"
113
+    echo "  ./clean-all"
114
+    echo "  ./build-dh     -> takes a long time, consider backgrounding"
115
+    echo "  ./$PROGNAME --initca"
116
+    echo "  ./$PROGNAME --server myserver"
117
+    echo "  ./$PROGNAME client1"
118
+    echo "  ./$PROGNAME --pass client2"
119
+    echo "Typical usage for adding client cert to existing PKI:"
120
+    echo "  source ./vars"
121
+    echo "  ./$PROGNAME client-new"
122
+}
123
+
124
+# Set tool defaults
125
+[ -n "$OPENSSL" ] || export OPENSSL="openssl"
126
+[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
127
+[ -n "$GREP" ] || export GREP="grep"
128
+
129
+# Set defaults
130
+DO_REQ="1"
131
+REQ_EXT=""
132
+DO_CA="1"
133
+CA_EXT=""
134
+DO_P12="0"
135
+DO_P11="0"
136
+DO_ROOT="0"
137
+NODES_REQ="-nodes"
138
+NODES_P12=""
139
+BATCH="-batch"
140
+CA="ca"
141
+# must be set or errors of openssl.cnf
142
+PKCS11_MODULE_PATH="dummy"
143
+PKCS11_PIN="dummy"
144
+
145
+# Process options
146
+while [ $# -gt 0 ]; do
147
+    case "$1" in
148
+        --keysize  ) KEY_SIZE=$2
149
+		     shift;;
150
+	--server   ) REQ_EXT="$REQ_EXT -extensions server"
151
+	             CA_EXT="$CA_EXT -extensions server" ;;
152
+	--batch    ) BATCH="-batch" ;;
153
+	--interact ) BATCH="" ;;
154
+        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
155
+        --initca   ) DO_ROOT="1" ;;
156
+	--pass     ) NODES_REQ="" ;;
157
+        --csr      ) DO_CA="0" ;;
158
+        --sign     ) DO_REQ="0" ;;
159
+        --pkcs12   ) DO_P12="1" ;;
160
+	--pkcs11   ) DO_P11="1"
161
+	             PKCS11_MODULE_PATH="$2"
162
+		     PKCS11_SLOT="$3"
163
+		     PKCS11_ID="$4"
164
+		     PKCS11_LABEL="$5"
165
+		     shift 4;;
166
+
167
+	# standalone
168
+	--pkcs11-init)
169
+	             PKCS11_MODULE_PATH="$2"
170
+	             PKCS11_SLOT="$3"
171
+	             PKCS11_LABEL="$4"
172
+		     if [ -z "$PKCS11_LABEL" ]; then
173
+		       die "Please specify library name, slot and label"
174
+		     fi
175
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
176
+		     	--label "$PKCS11_LABEL" &&
177
+			$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
178
+		     exit $?;;
179
+	--pkcs11-slots)
180
+	             PKCS11_MODULE_PATH="$2"
181
+		     if [ -z "$PKCS11_MODULE_PATH" ]; then
182
+		       die "Please specify library name"
183
+		     fi
184
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
185
+		     exit 0;;
186
+	--pkcs11-objects)
187
+	             PKCS11_MODULE_PATH="$2"
188
+	             PKCS11_SLOT="$3"
189
+		     if [ -z "$PKCS11_SLOT" ]; then
190
+		       die "Please specify library name and slot"
191
+		     fi
192
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
193
+		     exit 0;;
194
+
195
+	# errors
196
+	--*        ) die "$PROGNAME: unknown option: $1" ;;
197
+	*          ) break ;;
198
+    esac
199
+    shift   
200
+done
201
+
202
+if ! [ -z "$BATCH" ]; then
203
+	if $OPENSSL version | grep 0.9.6 > /dev/null; then
204
+		die "Batch mode is unsupported in openssl<0.9.7"
205
+	fi
206
+fi
207
+
208
+if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
209
+	die "PKCS#11 and PKCS#12 cannot be specified together"
210
+fi
211
+
212
+if [ $DO_P11 -eq 1 ]; then
213
+	if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
214
+		die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
215
+	fi
216
+fi
217
+
218
+# If we are generating pkcs12, only encrypt the final step
219
+if [ $DO_P12 -eq 1 ]; then
220
+    NODES_P12="$NODES_REQ"
221
+    NODES_REQ="-nodes"
222
+fi
223
+
224
+if [ $DO_P11 -eq 1 ]; then
225
+	if [ -z "$PKCS11_LABEL" ]; then
226
+		die "PKCS#11 arguments incomplete"
227
+	fi
228
+fi
229
+
230
+# If undefined, set default key expiration intervals
231
+if [ -z "$KEY_EXPIRE" ]; then
232
+    KEY_EXPIRE=3650
233
+fi
234
+if [ -z "$CA_EXPIRE" ]; then
235
+    CA_EXPIRE=3650
236
+fi
237
+
238
+# Set organizational unit to empty string if undefined
239
+if [ -z "$KEY_OU" ]; then
240
+    KEY_OU=""
241
+fi
242
+
243
+# Set X509 Name string to empty string if undefined
244
+if [ -z "$KEY_NAME" ]; then
245
+    KEY_NAME=""
246
+fi
247
+
248
+# Set KEY_CN, FN
249
+if [ $DO_ROOT -eq 1 ]; then
250
+    if [ -z "$KEY_CN" ]; then
251
+	if [ "$1" ]; then
252
+	    KEY_CN="$1"
253
+	elif [ "$KEY_ORG" ]; then
254
+	    KEY_CN="$KEY_ORG CA"
255
+	fi
256
+    fi
257
+    if [ $BATCH ] && [ "$KEY_CN" ]; then
258
+	echo "Using CA Common Name:" "$KEY_CN"
259
+    fi
260
+    FN="$KEY_CN"
261
+elif [ $BATCH ] && [ "$KEY_CN" ]; then
262
+    echo "Using Common Name:" "$KEY_CN"
263
+    FN="$KEY_CN"
264
+    if [ "$1" ]; then
265
+	FN="$1"
266
+    fi
267
+else
268
+    if [ $# -ne 1 ]; then
269
+	usage
270
+	exit 1
271
+    else
272
+	KEY_CN="$1"
273
+    fi
274
+    FN="$KEY_CN"
275
+fi
276
+
277
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
278
+
279
+# Show parameters (debugging)
280
+if [ $DEBUG -eq 1 ]; then
281
+    echo DO_REQ $DO_REQ
282
+    echo REQ_EXT $REQ_EXT
283
+    echo DO_CA $DO_CA
284
+    echo CA_EXT $CA_EXT
285
+    echo NODES_REQ $NODES_REQ
286
+    echo NODES_P12 $NODES_P12
287
+    echo DO_P12 $DO_P12
288
+    echo KEY_CN $KEY_CN
289
+    echo BATCH $BATCH
290
+    echo DO_ROOT $DO_ROOT
291
+    echo KEY_EXPIRE $KEY_EXPIRE
292
+    echo CA_EXPIRE $CA_EXPIRE
293
+    echo KEY_OU $KEY_OU
294
+    echo KEY_NAME $KEY_NAME
295
+    echo DO_P11 $DO_P11
296
+    echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
297
+    echo PKCS11_SLOT $PKCS11_SLOT
298
+    echo PKCS11_ID $PKCS11_ID
299
+    echo PKCS11_LABEL $PKCS11_LABEL
300
+fi
301
+
302
+# Make sure ./vars was sourced beforehand
303
+if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
304
+    cd "$KEY_DIR"
305
+
306
+    # Make sure $KEY_CONFIG points to the correct version
307
+    # of openssl.cnf
308
+    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
309
+	:
310
+    else
311
+	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
312
+        echo "version of openssl.cnf: $KEY_CONFIG"
313
+	echo "The correct version should have a comment that says: easy-rsa version 2.x";
314
+	exit 1;
315
+    fi
316
+
317
+    # Build root CA
318
+    if [ $DO_ROOT -eq 1 ]; then
319
+	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
320
+	    -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
321
+	    chmod 0600 "$CA.key"
322
+    else        
323
+        # Make sure CA key/cert is available
324
+	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
325
+	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
326
+		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
327
+		echo "Try $PROGNAME --initca to build a root certificate/key."
328
+		exit 1
329
+	    fi
330
+	fi
331
+
332
+	# Generate key for PKCS#11 token
333
+	PKCS11_ARGS=
334
+	if [ $DO_P11 -eq 1 ]; then
335
+	        stty -echo
336
+	        echo -n "User PIN: "
337
+	        read -r PKCS11_PIN
338
+	        stty echo
339
+		export PKCS11_PIN
340
+
341
+		echo "Generating key pair on PKCS#11 token..."
342
+		$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
343
+			--login --pin "$PKCS11_PIN" \
344
+			--key-type rsa:1024 \
345
+			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
346
+		PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
347
+	fi
348
+
349
+        # Build cert/key
350
+	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
351
+	        -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
352
+	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
353
+	        -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
354
+	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
355
+	        -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
356
+	    ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$FN.key" ) && \
357
+	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
358
+
359
+	# Load certificate into PKCS#11 token
360
+	if [ $DO_P11 -eq 1 ]; then
361
+		$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
362
+		  $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
363
+			--login --pin "$PKCS11_PIN" \
364
+			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" 
365
+		[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
366
+	fi
367
+
368
+    fi
369
+
370
+# Need definitions
371
+else
372
+    need_vars
373
+fi

+ 40
- 0
sampleconfdir/easy-rsa/revoke-full Voir le fichier

@@ -0,0 +1,40 @@
1
+#!/bin/bash
2
+
3
+# revoke a certificate, regenerate CRL,
4
+# and verify revocation
5
+
6
+CRL="crl.pem"
7
+RT="revoke-test.pem"
8
+
9
+if [ $# -ne 1 ]; then
10
+    echo "usage: revoke-full <cert-name-base>";
11
+    exit 1
12
+fi
13
+
14
+if [ "$KEY_DIR" ]; then
15
+    cd "$KEY_DIR"
16
+    rm -f "$RT"
17
+
18
+    # set defaults
19
+    export KEY_CN=""
20
+    export KEY_OU=""
21
+    export KEY_NAME=""
22
+
23
+    # revoke key and generate a new CRL
24
+    $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
25
+
26
+    # generate a new CRL -- try to be compatible with
27
+    # intermediate PKIs
28
+    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
29
+    if [ -e export-ca.crt ]; then
30
+	cat export-ca.crt "$CRL" >"$RT"
31
+    else
32
+	cat ca.crt "$CRL" >"$RT"
33
+    fi
34
+    
35
+    # verify the revocation
36
+    $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
37
+else
38
+    echo 'Please source the vars script first (i.e. "source ./vars")'
39
+    echo 'Make sure you have edited it to reflect your configuration.'
40
+fi

+ 7
- 0
sampleconfdir/easy-rsa/sign-req Voir le fichier

@@ -0,0 +1,7 @@
1
+#!/bin/bash
2
+
3
+# Sign a certificate signing request (a .csr file)
4
+# with a local root certificate and key.
5
+
6
+export EASY_RSA="${EASY_RSA:-.}"
7
+"$EASY_RSA/pkitool" --interact --sign $*

+ 68
- 0
sampleconfdir/easy-rsa/vars Voir le fichier

@@ -0,0 +1,68 @@
1
+# easy-rsa parameter settings
2
+# These are the default values for fields
3
+# which will be placed in the certificate.
4
+# Don't leave any of these fields blank.
5
+export KEY_COUNTRY="FR"
6
+export KEY_PROVINCE="IF"
7
+export KEY_CITY="Paris"
8
+export KEY_ORG="rthoni"
9
+export KEY_EMAIL="root@rthoni.com"
10
+
11
+# NOTE: If you installed from an RPM,
12
+# don't edit this file in place in
13
+# /usr/share/openvpn/easy-rsa --
14
+# instead, you should copy the whole
15
+# easy-rsa directory to another location
16
+# (such as /etc/openvpn) so that your
17
+# edits will not be wiped out by a future
18
+# OpenVPN package upgrade.
19
+
20
+# This variable should point to
21
+# the top level of the easy-rsa
22
+# tree.
23
+export EASY_RSA="`pwd`"
24
+
25
+#
26
+# This variable should point to
27
+# the requested executables
28
+#
29
+export OPENSSL="openssl"
30
+export PKCS11TOOL="pkcs11-tool"
31
+export GREP="grep"
32
+
33
+
34
+# This variable should point to
35
+# the openssl.cnf file included
36
+# with easy-rsa.
37
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
38
+
39
+# Edit this variable to point to
40
+# your soon-to-be-created key
41
+# directory.
42
+#
43
+# WARNING: clean-all will do
44
+# a rm -rf on this directory
45
+# so make sure you define
46
+# it correctly!
47
+export KEY_DIR="$EASY_RSA/keys"
48
+
49
+# Issue rm -rf warning
50
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
51
+
52
+# PKCS11 fixes
53
+export PKCS11_MODULE_PATH="dummy"
54
+export PKCS11_PIN="dummy"
55
+
56
+# Increase this to 2048 if you
57
+# are paranoid.  This will slow
58
+# down TLS negotiation performance
59
+# as well as the one-time DH parms
60
+# generation process.
61
+export KEY_SIZE=1024
62
+
63
+# In how many days should the root CA key expire?
64
+export CA_EXPIRE=3650
65
+
66
+# In how many days should certificates expire?
67
+export KEY_EXPIRE=3650
68
+

+ 13
- 0
sampleconfdir/easy-rsa/whichopensslcnf Voir le fichier

@@ -0,0 +1,13 @@
1
+#!/bin/sh
2
+
3
+if [ "$OPENSSL" ]; then
4
+	if $OPENSSL version | grep 0.9.6 > /dev/null; then
5
+		echo "$1/openssl-0.9.6.cnf"
6
+	else
7
+		echo "$1/openssl.cnf"
8
+	fi
9
+else
10
+	echo "$1/openssl.cnf"
11
+fi
12
+
13
+exit 0

Chargement…
Annuler
Enregistrer