o.open/Office_Networks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Christoph
2018-05-08 03:01:03 +02:00
commit 1c4c595cd6
3256 changed files with 417972 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ANW-KM/openvpn/easy-rsa/.externals Normal file
View File

@ -0,0 +1 @@
./2.0 http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0

13
ANW-KM/openvpn/easy-rsa/2.0/Makefile Normal file
View File

@ -0,0 +1,13 @@
DESTDIR=
PREFIX=
all:
echo "All done."
echo "Run make install DESTDIR=/usr/share/somewhere"
install:
install -c --directory "${DESTDIR}/${PREFIX}"
install -c --mode=0755 build-* "${DESTDIR}/${PREFIX}"
install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}"

BIN
ANW-KM/openvpn/easy-rsa/2.0/README.gz Normal file
View File

Binary file not shown.

8
ANW-KM/openvpn/easy-rsa/2.0/build-ca Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
#
# Build a root certificate
#
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --initca $*

11
ANW-KM/openvpn/easy-rsa/2.0/build-dh Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

7
ANW-KM/openvpn/easy-rsa/2.0/build-inter Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --inter $*

7
ANW-KM/openvpn/easy-rsa/2.0/build-key Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact $*

7
ANW-KM/openvpn/easy-rsa/2.0/build-key-pass Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Similar to build-key, but protect the private key
# with a password.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pass $*

8
ANW-KM/openvpn/easy-rsa/2.0/build-key-pkcs12 Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate and convert it to a PKCS #12 file including the
# the CA certificate as well.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pkcs12 $*

10
ANW-KM/openvpn/easy-rsa/2.0/build-key-server Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate.
#
# Explicitly set nsCertType to server using the "server"
# extension in the openssl.cnf file.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --server $*

7
ANW-KM/openvpn/easy-rsa/2.0/build-req Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --csr $*

7
ANW-KM/openvpn/easy-rsa/2.0/build-req-pass Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Like build-req, but protect your private key
# with a password.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --csr --pass $*

16
ANW-KM/openvpn/easy-rsa/2.0/clean-all Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
if [ "$KEY_DIR" ]; then
rm -rf "$KEY_DIR"
mkdir "$KEY_DIR" && \
chmod go-rwx "$KEY_DIR" && \
touch "$KEY_DIR/index.txt" && \
echo 01 >"$KEY_DIR/serial"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

39
ANW-KM/openvpn/easy-rsa/2.0/inherit-inter Executable file
View File

@ -0,0 +1,39 @@
#!/bin/bash
# Build a new PKI which is rooted on an intermediate certificate generated
# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
# have independent vars settings, and must use a different KEY_DIR directory
# from the parent. This tool can be used to generate arbitrary depth
# certificate chains.
#
# To build an intermediate CA, follow the same steps for a regular PKI but
# replace ./build-key or ./pkitool --initca with this script.
# The EXPORT_CA file will contain the CA certificate chain and should be
# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
# will only contain the local intermediate CA -- it's needed by the easy-rsa
# scripts but not by OpenVPN directly.
EXPORT_CA="export-ca.crt"
if [ $# -ne 2 ]; then
echo "usage: $0 <parent-key-dir> <common-name>"
echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
echo "common-name: the common name of the intermediate certificate in the parent PKI"
exit 1;
fi
if [ "$KEY_DIR" ]; then
cp "$1/$2.crt" "$KEY_DIR/ca.crt"
cp "$1/$2.key" "$KEY_DIR/ca.key"
if [ -e "$1/$EXPORT_CA" ]; then
PARENT_CA="$1/$EXPORT_CA"
else
PARENT_CA="$1/ca.crt"
fi
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

13
ANW-KM/openvpn/easy-rsa/2.0/list-crl Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
# list revoked certificates
CRL="${1:-crl.pem}"
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR" && \
$OPENSSL crl -text -noout -in "$CRL"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

BIN
ANW-KM/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf.gz Normal file
View File

Binary file not shown.

285
ANW-KM/openvpn/easy-rsa/2.0/openssl.cnf Executable file
View File

@ -0,0 +1,285 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0

353
ANW-KM/openvpn/easy-rsa/2.0/pkitool Executable file
View File

@ -0,0 +1,353 @@
#!/bin/sh
# OpenVPN -- An application to securely tunnel IP networks
# over a single TCP/UDP port, with support for SSL/TLS-based
# session authentication and key exchange,
# packet encryption, packet authentication, and
# packet compression.
#
# Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program (see the file COPYING included with this
# distribution); if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# pkitool is a front-end for the openssl tool.
# Calling scripts can set the certificate organizational
# unit with the KEY_OU environmental variable.
PROGNAME=pkitool
VERSION=2.0
DEBUG=0
die()
{
local m="$1"
echo "$m" >&2
exit 1
}
need_vars()
{
echo ' Please edit the vars script to reflect your configuration,'
echo ' then source it with "source ./vars".'
echo ' Next, to start with a fresh PKI configuration and to delete any'
echo ' previous certificates and keys, run "./clean-all".'
echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
}
usage()
{
echo "$PROGNAME $VERSION"
echo "Usage: $PROGNAME [options...] [common-name]"
echo "Options:"
echo " --batch : batch mode (default)"
echo " --keysize : Set keysize"
echo " size : size (default=1024)"
echo " --interact : interactive mode"
echo " --server : build server cert"
echo " --initca : build root CA"
echo " --inter : build intermediate CA"
echo " --pass : encrypt private key with password"
echo " --csr : only generate a CSR, do not sign"
echo " --sign : sign an existing CSR"
echo " --pkcs12 : generate a combined PKCS#12 file"
echo " --pkcs11 : generate certificate on PKCS#11 token"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " id : PKCS#11 object id (hex string)"
echo " label : PKCS#11 object label"
echo "Standalone options:"
echo " --pkcs11-slots : list PKCS#11 slots"
echo " lib : PKCS#11 library"
echo " --pkcs11-objects : list PKCS#11 token objects"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " label : PKCS#11 token label"
echo "Notes:"
need_vars
echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
echo "Generated files and corresponding OpenVPN directives:"
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
echo " ca.crt -> root certificate (--ca)"
echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
echo " .crt files -> client/server certificates (--cert)"
echo " .key files -> private keys, keep secure (--key)"
echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
echo "Examples:"
echo " $PROGNAME --initca -> Build root certificate"
echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
echo " Also see ./inherit-inter script."
echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
echo " -> Build \"client5\" certificate/key in PKCS#11 token"
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
echo " [edit vars with your site-specific info]"
echo " source ./vars"
echo " ./clean-all"
echo " ./build-dh -> takes a long time, consider backgrounding"
echo " ./$PROGNAME --initca"
echo " ./$PROGNAME --server myserver"
echo " ./$PROGNAME client1"
echo " ./$PROGNAME --pass client2"
echo "Typical usage for adding client cert to existing PKI:"
echo " source ./vars"
echo " ./$PROGNAME client-new"
}
# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_P11="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"
# must be set or errors of openssl.cnf
PKCS11_MODULE_PATH="dummy"
PKCS11_PIN="dummy"
# Process options
while [ $# -gt 0 ]; do
case "$1" in
--keysize ) KEY_SIZE=$2
shift;;
--server ) REQ_EXT="$REQ_EXT -extensions server"
CA_EXT="$CA_EXT -extensions server" ;;
--batch ) BATCH="-batch" ;;
--interact ) BATCH="" ;;
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
--initca ) DO_ROOT="1" ;;
--pass ) NODES_REQ="" ;;
--csr ) DO_CA="0" ;;
--sign ) DO_REQ="0" ;;
--pkcs12 ) DO_P12="1" ;;
--pkcs11 ) DO_P11="1"
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_ID="$4"
PKCS11_LABEL="$5"
shift 4;;
# standalone
--pkcs11-init)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_LABEL="$4"
if [ -z "$PKCS11_LABEL" ]; then
die "Please specify library name, slot and label"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
--label "$PKCS11_LABEL" &&
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
exit $?;;
--pkcs11-slots)
PKCS11_MODULE_PATH="$2"
if [ -z "$PKCS11_MODULE_PATH" ]; then
die "Please specify library name"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
exit 0;;
--pkcs11-objects)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
if [ -z "$PKCS11_SLOT" ]; then
die "Please specify library name and slot"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
exit 0;;
# errors
--* ) die "$PROGNAME: unknown option: $1" ;;
* ) break ;;
esac
shift
done
if ! [ -z "$BATCH" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
die "Batch mode is unsupported in openssl<0.9.7"
fi
fi
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
die "PKCS#11 and PKCS#12 cannot be specified together"
fi
if [ $DO_P11 -eq 1 ]; then
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
fi
fi
# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
NODES_P12="$NODES_REQ"
NODES_REQ="-nodes"
fi
if [ $DO_P11 -eq 1 ]; then
if [ -z "$PKCS11_LABEL" ]; then
die "PKCS#11 arguments incomplete"
fi
fi
# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
CA_EXPIRE=3650
fi
# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
KEY_OU=""
fi
# Set KEY_CN
if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then
KEY_CN="$1"
elif [ "$KEY_ORG" ]; then
KEY_CN="$KEY_ORG CA"
fi
fi
if [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using CA Common Name:" $KEY_CN
fi
elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
echo "Using Common Name:" $KEY_CN
else
if [ $# -ne 1 ]; then
usage
exit 1
else
KEY_CN="$1"
fi
fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
echo DO_REQ $DO_REQ
echo REQ_EXT $REQ_EXT
echo DO_CA $DO_CA
echo CA_EXT $CA_EXT
echo NODES_REQ $NODES_REQ
echo NODES_P12 $NODES_P12
echo DO_P12 $DO_P12
echo KEY_CN $KEY_CN
echo BATCH $BATCH
echo DO_ROOT $DO_ROOT
echo KEY_EXPIRE $KEY_EXPIRE
echo CA_EXPIRE $CA_EXPIRE
echo KEY_OU $KEY_OU
echo DO_P11 $DO_P11
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
echo PKCS11_SLOT $PKCS11_SLOT
echo PKCS11_ID $PKCS11_ID
echo PKCS11_LABEL $PKCS11_LABEL
fi
# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
cd "$KEY_DIR"
# Make sure $KEY_CONFIG points to the correct version
# of openssl.cnf
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
:
else
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
echo "version of openssl.cnf: $KEY_CONFIG"
echo "The correct version should have a comment that says: easy-rsa version 2.x";
exit 1;
fi
# Build root CA
if [ $DO_ROOT -eq 1 ]; then
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key"
else
# Make sure CA key/cert is available
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
echo "Try $PROGNAME --initca to build a root certificate/key."
exit 1
fi
fi
# Generate key for PKCS#11 token
PKCS11_ARGS=
if [ $DO_P11 -eq 1 ]; then
stty -echo
echo -n "User PIN: "
read -r PKCS11_PIN
stty echo
export PKCS11_PIN
echo "Generating key pair on PKCS#11 token..."
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
--login --pin "$PKCS11_PIN" \
--key-type rsa:1024 \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
fi
# Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
-in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
-in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
# Load certificate into PKCS#11 token
if [ $DO_P11 -eq 1 ]; then
$OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
--login --pin "$PKCS11_PIN" \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
[ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
fi
fi
# Need definitions
else
need_vars
fi

39
ANW-KM/openvpn/easy-rsa/2.0/revoke-full Executable file
View File

@ -0,0 +1,39 @@
#!/bin/bash
# revoke a certificate, regenerate CRL,
# and verify revocation
CRL="crl.pem"
RT="revoke-test.pem"
if [ $# -ne 1 ]; then
echo "usage: revoke-full <common-name>";
exit 1
fi
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR"
rm -f "$RT"
# set defaults
export KEY_CN=""
export KEY_OU=""
# revoke key and generate a new CRL
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
# generate a new CRL -- try to be compatible with
# intermediate PKIs
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
if [ -e export-ca.crt ]; then
cat export-ca.crt "$CRL" >"$RT"
else
cat ca.crt "$CRL" >"$RT"
fi
# verify the revocation
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

7
ANW-KM/openvpn/easy-rsa/2.0/sign-req Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --sign $*

74
ANW-KM/openvpn/easy-rsa/2.0/vars Executable file
View File

@ -0,0 +1,74 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
#export EASY_RSA="`pwd`"
BASE_DIR=/etc/openvpn
export EASY_RSA="${BASE_DIR}/easy-rsa/2.0"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
#export KEY_DIR="$EASY_RSA/keys"
export KEY_DIR="${BASE_DIR}/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# In how many days should the root CA key expire?
export CA_EXPIRE=10950
# In how many days should certificates expire?
export KEY_EXPIRE=10950
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
#export KEY_COUNTRY="US"
#export KEY_PROVINCE="CA"
#export KEY_CITY="SanFrancisco"
#export KEY_ORG="Fort-Funston"
#export KEY_EMAIL="me@myhost.mydomain"
export KEY_COUNTRY=DE
export KEY_PROVINCE=Berlin
export KEY_CITY=Berlin
export KEY_ORG="o.open"
export KEY_ORG_UN="network services"
export KEY_EMAIL="argus@oopen.de"

13
ANW-KM/openvpn/easy-rsa/2.0/whichopensslcnf Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh
if [ "$OPENSSL" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
echo "$1/openssl-0.9.6.cnf"
else
echo "$1/openssl.cnf"
fi
else
echo "$1/openssl.cnf"
fi
exit 0

BIN
ANW-KM/openvpn/easy-rsa/README.gz Normal file
View File

Binary file not shown.

13
ANW-KM/openvpn/easy-rsa/build-ca Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh
#
# Build a root certificate
#
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
chmod 0600 ca.key
else
echo you must define KEY_DIR
fi

12
ANW-KM/openvpn/easy-rsa/build-dh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/sh
#
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
#
if test $KEY_DIR; then
openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
echo you must define KEY_DIR
fi

19
ANW-KM/openvpn/easy-rsa/build-inter Executable file
View File

@ -0,0 +1,19 @@
#!/bin/sh
#
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
#
if test $# -ne 1; then
echo "usage: build-inter <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi

20
ANW-KM/openvpn/easy-rsa/build-key Executable file
View File

@ -0,0 +1,20 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate.
#
if test $# -ne 1; then
echo "usage: build-key <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi

20
ANW-KM/openvpn/easy-rsa/build-key-pass Executable file
View File

@ -0,0 +1,20 @@
#!/bin/sh
#
# Similar to build-key, but protect the private key
# with a password.
#
if test $# -ne 1; then
echo "usage: build-key-pass <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi

21
ANW-KM/openvpn/easy-rsa/build-key-pkcs12 Executable file
View File

@ -0,0 +1,21 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate and convert it to a PKCS #12 file including the
# the CA certificate as well.
if test $# -ne 1; then
echo "usage: build-key-pkcs12 <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
chmod 0600 $1.key $1.p12
else
echo you must define KEY_DIR
fi

22
ANW-KM/openvpn/easy-rsa/build-key-server Executable file
View File

@ -0,0 +1,22 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate.
#
# Explicitly set nsCertType to server using the "server"
# extension in the openssl.cnf file.
if test $# -ne 1; then
echo "usage: build-key-server <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi

18
ANW-KM/openvpn/easy-rsa/build-req Executable file
View File

@ -0,0 +1,18 @@
#!/bin/sh
#
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
#
if test $# -ne 1; then
echo "usage: build-req <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi

18
ANW-KM/openvpn/easy-rsa/build-req-pass Executable file
View File

@ -0,0 +1,18 @@
#!/bin/sh
#
# Like build-req, but protect your private key
# with a password.
#
if test $# -ne 1; then
echo "usage: build-req-pass <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi

19
ANW-KM/openvpn/easy-rsa/clean-all Executable file
View File

@ -0,0 +1,19 @@
#!/bin/sh
#
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
#
d=$KEY_DIR
if test $d; then
rm -rf $d
mkdir $d && \
chmod go-rwx $d && \
touch $d/index.txt && \
echo 01 >$d/serial
else
echo you must define KEY_DIR
fi

18
ANW-KM/openvpn/easy-rsa/list-crl Normal file
View File

@ -0,0 +1,18 @@
#!/bin/sh
#
# list revoked certificates
#
#
if test $# -ne 1; then
echo "usage: list-crl <crlfile.pem>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl crl -text -noout -in $1
else
echo you must define KEY_DIR
fi

18
ANW-KM/openvpn/easy-rsa/make-crl Normal file
View File

@ -0,0 +1,18 @@
#!/bin/sh
#
# generate a CRL
#
#
if test $# -ne 1; then
echo "usage: make-crl <crlfile.pem>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -gencrl -out $1 -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi

255
ANW-KM/openvpn/easy-rsa/openssl.cnf Normal file
View File

@ -0,0 +1,255 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::KEY_ORG_UN
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

18
ANW-KM/openvpn/easy-rsa/revoke-crt Normal file
View File

@ -0,0 +1,18 @@
#!/bin/sh
#
# revoke a certificate
#
#
if test $# -ne 1; then
echo "usage: revoke-crt <file.crt>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -revoke $1 -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi

29
ANW-KM/openvpn/easy-rsa/revoke-full Executable file
View File

@ -0,0 +1,29 @@
#!/bin/sh
# revoke a certificate, regenerate CRL,
# and verify revocation
CRL=crl.pem
RT=revoke-test.pem
if test $# -ne 1; then
echo "usage: revoke-full <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR
rm -f $RT
# revoke key and generate a new CRL
openssl ca -revoke $1.crt -config $KEY_CONFIG
# generate a new CRL
openssl ca -gencrl -out $CRL -config $KEY_CONFIG
cat ca.crt $CRL >$RT
# verify the revocation
openssl verify -CAfile $RT -crl_check $1.crt
else
echo you must define KEY_DIR
fi

18
ANW-KM/openvpn/easy-rsa/sign-req Executable file
View File

@ -0,0 +1,18 @@
#!/bin/sh
#
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
#
if test $# -ne 1; then
echo "usage: sign-req <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi

59
ANW-KM/openvpn/easy-rsa/vars Normal file
View File

@ -0,0 +1,59 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
## export D=`pwd`
BASE_DIR=/etc/openvpn
export D=${BASE_DIR}/easy-rsa
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
## export KEY_DIR=$D/keys
export KEY_DIR=${BASE_DIR}/keys
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_COUNTRY=DE
export KEY_PROVINCE=Berlin
export KEY_CITY=Berlin
export KEY_ORG="o.open"
export KEY_ORG_UN="network services"
export KEY_EMAIL="argus@oopen.de"