Initial commit

ANW-URB/openvpn/easy-rsa/1.0/build-ca

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
+        chmod 0600 ca.key
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-dh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+#
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+#
+
+if test $KEY_DIR; then
+    openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+    echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-inter

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-inter <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-key

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-key <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+	chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-key-pass

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Similar to build-key, but protect the private key
+# with a password.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-key-pass <name>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+	chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-key-pkcs12

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+if test $# -ne 1; then
+        echo "usage: build-key-pkcs12 <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+        openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
+	chmod 0600 $1.key $1.p12
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-key-server

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+if test $# -ne 1; then
+        echo "usage: build-key-server <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
+        chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-req

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Build a certificate signing request and private key.  Use this
+# when your root certificate and key is not available locally.
+#
+
+if test $# -ne 1; then
+    echo "usage: build-req <name>";
+    exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+    cd $KEY_DIR && \
+    openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+    echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-req-pass

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Like build-req, but protect your private key
+# with a password.
+#
+
+if test $# -ne 1; then
+    echo "usage: build-req-pass <name>";
+    exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+    cd $KEY_DIR && \
+    openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+    echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/clean-all

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+#
+
+d=$KEY_DIR
+
+if test $d; then
+	rm -rf $d
+	mkdir $d && \
+	chmod go-rwx $d && \
+	touch $d/index.txt && \
+	echo 01 >$d/serial
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/list-crl

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# list revoked certificates
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: list-crl <crlfile.pem>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl crl -text -noout -in $1
+else
+       echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/make-crl

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# generate a CRL
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: make-crl <crlfile.pem>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl ca -gencrl -out $1 -config $KEY_CONFIG
+else
+       echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/openssl.cnf

@@ -0,0 +1,255 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

ANW-URB/openvpn/easy-rsa/1.0/revoke-crt

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# revoke a certificate
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: revoke-crt <file.crt>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl ca -revoke $1 -config $KEY_CONFIG
+else
+       echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/revoke-full

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL=crl.pem
+RT=revoke-test.pem
+
+if test $# -ne 1; then
+        echo "usage: revoke-full <name>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR
+       rm -f $RT
+
+       # revoke key and generate a new CRL
+       openssl ca -revoke $1.crt -config $KEY_CONFIG
+
+       # generate a new CRL
+       openssl ca -gencrl -out $CRL -config $KEY_CONFIG
+       cat ca.crt $CRL >$RT
+    
+       # verify the revocation
+       openssl verify -CAfile $RT -crl_check $1.crt
+else
+       echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/sign-req

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+#
+
+if test $# -ne 1; then
+        echo "usage: sign-req <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/vars

@@ -0,0 +1,49 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export D=`pwd`
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=$D/openssl.cnf
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR=$D/keys
+
+# Issue rm -rf warning
+echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY=KG
+export KEY_PROVINCE=NA
+export KEY_CITY=BISHKEK
+export KEY_ORG="OpenVPN-TEST"
+export KEY_EMAIL="me@myhost.mydomain"

ANW-URB/openvpn/easy-rsa/2.0/Makefile

@@ -0,0 +1,13 @@
+
+DESTDIR=
+PREFIX=
+
+all:
+	echo "All done."
+	echo "Run make install DESTDIR=/usr/share/somewhere"
+
+install:
+	install -d "${DESTDIR}/${PREFIX}"
+	install -m 0755 build-* "${DESTDIR}/${PREFIX}"
+	install -m 0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
+	install -m 0644 openssl-0.9.6.cnf openssl-0.9.8.cnf openssl-1.0.0.cnf README vars "${DESTDIR}/${PREFIX}"

ANW-URB/openvpn/easy-rsa/2.0/build-ca

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*

ANW-URB/openvpn/easy-rsa/2.0/build-dh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+    $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/build-inter

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*

ANW-URB/openvpn/easy-rsa/2.0/build-key

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*

ANW-URB/openvpn/easy-rsa/2.0/build-key-pass

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Similar to build-key, but protect the private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*

ANW-URB/openvpn/easy-rsa/2.0/build-key-pkcs12

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*

ANW-URB/openvpn/easy-rsa/2.0/build-key-server

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*

ANW-URB/openvpn/easy-rsa/2.0/build-req

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Build a certificate signing request and private key.  Use this
+# when your root certificate and key is not available locally.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*

ANW-URB/openvpn/easy-rsa/2.0/build-req-pass

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Like build-req, but protect your private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*

ANW-URB/openvpn/easy-rsa/2.0/clean-all

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+
+if [ "$KEY_DIR" ]; then
+    rm -rf "$KEY_DIR"
+    mkdir "$KEY_DIR" && \
+	chmod go-rwx "$KEY_DIR" && \
+	touch "$KEY_DIR/index.txt" && \
+	echo 01 >"$KEY_DIR/serial"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/inherit-inter

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent.  This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files.  The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+
+if [ $# -ne 2 ]; then
+    echo "usage: $0 <parent-key-dir> <common-name>"
+    echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+    echo "common-name: the common name of the intermediate certificate in the parent PKI"
+    exit 1;
+fi
+
+if [ "$KEY_DIR" ]; then
+    cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+    cp "$1/$2.key" "$KEY_DIR/ca.key"
+
+    if [ -e "$1/$EXPORT_CA" ]; then
+	PARENT_CA="$1/$EXPORT_CA"
+    else
+	PARENT_CA="$1/ca.crt"
+    fi
+    cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+    cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/keys/01.pem

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:02:28 2012 GMT
+            Not After : May 10 03:02:28 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix, CN=crl-test.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:c5:ea:a1:09:d0:00:af:07:54:12:6c:96:83:dc:
+                    2a:6e:10:db:57:0c:a9:70:8e:cd:3a:d4:c7:cf:bc:
+                    f8:8e:88:85:9c:59:26:fe:94:93:78:a6:7e:48:41:
+                    ce:78:12:55:1c:18:60:93:66:ab:35:9b:10:60:67:
+                    48:6e:e5:ef:01:d6:2b:33:24:73:66:ba:50:5f:90:
+                    bc:05:95:1c:fd:9a:82:e4:41:81:bb:a8:45:c3:9a:
+                    09:a3:8b:7a:00:fe:00:9f:bd:cf:15:42:5b:53:38:
+                    0d:8d:b4:90:c9:26:f3:2b:aa:de:a4:e9:eb:1c:e4:
+                    ab:e7:a9:0a:85:e4:72:53:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                2E:44:CD:9A:53:C1:1D:BC:4C:4D:58:7F:52:62:AF:7B:AC:C9:FF:3A
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        27:8b:a6:82:17:72:9d:e5:31:b5:14:58:a1:40:93:15:50:47:
+        d6:73:ff:55:79:cb:bc:d6:e3:e5:d7:1b:5d:77:c8:ad:a4:1f:
+        f0:2a:a3:de:81:4f:58:87:b9:38:49:42:69:53:51:87:79:ba:
+        23:48:51:5d:b1:19:88:a0:6c:a2:1c:79:c3:7f:02:62:61:56:
+        3e:1f:73:ec:e6:d1:33:22:ed:3d:60:3a:35:a4:8c:07:88:cc:
+        25:b2:d8:2c:ac:db:47:a4:a6:72:30:e3:09:0c:0f:6d:bd:e7:
+        bf:b7:77:af:89:8e:89:cb:7e:23:6b:9d:42:7e:b3:22:d9:aa:
+        e0:67
+-----BEGIN CERTIFICATE-----
+MIIEITCCA4qgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDIyOFoXDTIyMDUxMDAzMDIyOFow
+fTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8x
+GDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMNY3JsLXRlc3Quc2l0
+ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
+qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
+o4IBfjCCAXowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4
+QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFC5EzZpTwR28TE1Yf1Jir3usyf86MIHiBgNVHSMEgdowgdeAFIyl21Mh
+vV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQGEwJCUjELMAkGA1UECBMC
+U1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMhRGViaWFuIEZvciBBbGl4
+IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51eCBQcm9qZWN0czEbMBkG
+A1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZIhvcNAQkBFgxuby1tYWls
+QHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMC
+BaAwDQYJKoZIhvcNAQEFBQADgYEAJ4umghdyneUxtRRYoUCTFVBH1nP/VXnLvNbj
+5dcbXXfIraQf8Cqj3oFPWIe5OElCaVNRh3m6I0hRXbEZiKBsohx5w38CYmFWPh9z
+7ObRMyLtPWA6NaSMB4jMJbLYLKzbR6SmcjDjCQwPbb3nv7d3r4mOict+I2udQn6z
+Itmq4Gc=
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/02.pem

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:03:25 2012 GMT
+            Not After : May 10 03:03:25 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=alix.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:cb:96:17:e9:b2:ad:89:cb:26:60:63:28:d2:77:
+                    6c:95:31:bd:79:96:b9:08:63:ec:44:07:c9:e5:b3:
+                    ba:31:8c:1e:4d:a1:ff:81:8d:fd:7e:e2:68:63:18:
+                    93:be:99:15:70:b1:5b:20:fe:0f:ab:19:21:2e:57:
+                    16:55:21:3e:f5:2c:98:3d:ac:d6:0b:3f:34:ee:8f:
+                    59:a2:f2:4a:94:ed:96:c2:41:93:e3:9d:ed:d0:fa:
+                    64:f4:d7:24:3c:03:98:bc:95:be:2c:3f:42:89:3f:
+                    b9:e5:1a:95:3c:2d:67:0a:84:60:17:7d:21:5f:a8:
+                    43:99:65:3f:b3:d8:06:1d:43
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                E0:51:7A:02:09:11:E6:2F:5F:47:D9:2E:36:9D:9D:AF:7F:16:5F:74
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        6b:b8:50:42:30:27:87:e9:1e:0c:8d:c5:c0:fc:71:f4:70:41:
+        ee:45:09:ac:d2:2c:54:c7:d6:10:66:09:43:cd:8f:8e:75:9a:
+        61:b7:7b:45:10:fa:f4:15:73:6a:ca:01:0b:33:fc:a1:06:30:
+        c0:ff:10:5b:9d:5d:c1:2c:8d:a5:5f:f0:c2:ef:1c:49:e2:1f:
+        02:f3:fa:3b:cd:19:c3:a6:37:0b:0c:cb:af:b0:f8:24:8e:f9:
+        4d:36:82:89:2c:b8:84:a8:5d:5c:fb:f0:64:bd:04:f2:67:a2:
+        3c:d9:59:a0:81:f4:ad:f5:9d:ad:d5:14:48:e2:48:99:ed:41:
+        5e:31
+-----BEGIN CERTIFICATE-----
+MIIESTCCA7KgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDMyNVoXDTIyMDUxMDAzMDMyNVow
+gaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
+MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
+BgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4LnNpdGUxGzAZBgkq
+hkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYweTaH/gY39fuJoYxiT
+vpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2WwkGT453t0Ppk9Nck
+PAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMCAwEAAaOCAX4wggF6
+MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
+YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTg
+UXoCCRHmL19H2S42nZ2vfxZfdDCB4gYDVR0jBIHaMIHXgBSMpdtTIb1fYeFW7Xqb
+pQK9LiOqpqGBs6SBsDCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYD
+VQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1Z
+IENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRl
+YmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlggkA
+jmjimwbL0WUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMA0GCSqG
+SIb3DQEBBQUAA4GBAGu4UEIwJ4fpHgyNxcD8cfRwQe5FCazSLFTH1hBmCUPNj451
+mmG3e0UQ+vQVc2rKAQsz/KEGMMD/EFudXcEsjaVf8MLvHEniHwLz+jvNGcOmNwsM
+y6+w+CSO+U02goksuISoXVz78GS9BPJnojzZWaCB9K31na3VFEjiSJntQV4x
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/03.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:06:31 2012 GMT
+            Not After : May 10 03:06:31 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=vpn01.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a0:47:e1:23:fa:32:a3:cc:ee:e4:03:96:4c:84:
+                    c2:1e:05:2a:a8:b1:02:0c:b4:26:c5:54:ec:a0:85:
+                    3b:a2:a2:51:b8:85:9a:af:8e:50:fc:99:0a:5a:87:
+                    bf:02:f6:89:bd:04:44:fc:39:db:97:94:62:e8:e1:
+                    2f:c5:f9:dc:ce:2a:c0:63:b7:be:6c:41:7d:87:01:
+                    dd:f2:8b:b2:99:f6:a8:af:4e:11:0d:7b:e2:6e:82:
+                    ec:10:78:21:3c:09:85:c3:ab:b1:6d:14:74:c8:0a:
+                    8f:ec:80:80:b8:f6:a1:ef:dc:ba:7a:08:2b:c2:f5:
+                    77:af:93:d5:8d:1d:98:f2:85
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                91:38:28:A9:09:46:53:9E:E7:BC:29:77:F7:3B:25:92:08:6A:49:56
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+        72:65:d4:0d:49:25:77:e2:c1:6d:10:eb:21:6a:d8:33:e7:01:
+        b6:e5:25:dd:46:73:3f:65:91:16:46:dd:db:88:ed:97:2b:02:
+        6f:0e:f3:be:23:e0:38:80:93:5b:6c:85:e8:32:cc:2a:fc:d3:
+        23:c6:c1:66:52:d9:cf:d1:ab:7d:85:19:7a:a9:02:3a:f8:af:
+        74:97:bf:8d:73:92:b8:d4:18:48:b8:2a:a6:c1:5e:e2:6e:cc:
+        ea:91:ba:91:7c:39:21:4e:46:76:c8:4e:3f:98:a7:fc:f2:31:
+        e4:27:fa:c2:34:d5:7c:8a:94:63:c1:bb:b4:eb:7c:ce:21:00:
+        d5:72
+-----BEGIN CERTIFICATE-----
+MIIEMDCCA5mgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDYzMVoXDTIyMDUxMDAzMDYzMVow
+gaUxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
+MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
+BgNVBAsTDkxpbnV4IFByb2plY3RzMRMwEQYDVQQDEwp2cG4wMS5zaXRlMRswGQYJ
+KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKBH4SP6MqPM7uQDlkyEwh4FKqixAgy0JsVU7KCFO6KiUbiFmq+OUPyZClqH
+vwL2ib0ERPw525eUYujhL8X53M4qwGO3vmxBfYcB3fKLspn2qK9OEQ174m6C7BB4
+ITwJhcOrsW0UdMgKj+yAgLj2oe/cunoIK8L1d6+T1Y0dmPKFAgMBAAGjggFkMIIB
+YDAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFJE4KKkJRlOe57wpd/c7JZIIaklWMIHiBgNV
+HSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQG
+EwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMh
+RGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51
+eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZI
+hvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEF
+BQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQEFBQADgYEAcmXUDUkld+LBbRDr
+IWrYM+cBtuUl3UZzP2WRFkbd24jtlysCbw7zviPgOICTW2yF6DLMKvzTI8bBZlLZ
+z9GrfYUZeqkCOvivdJe/jXOSuNQYSLgqpsFe4m7M6pG6kXw5IU5GdshOP5in/PIx
+5Cf6wjTVfIqUY8G7tOt8ziEA1XI=
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/alix.site.crt

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:03:25 2012 GMT
+            Not After : May 10 03:03:25 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=alix.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:cb:96:17:e9:b2:ad:89:cb:26:60:63:28:d2:77:
+                    6c:95:31:bd:79:96:b9:08:63:ec:44:07:c9:e5:b3:
+                    ba:31:8c:1e:4d:a1:ff:81:8d:fd:7e:e2:68:63:18:
+                    93:be:99:15:70:b1:5b:20:fe:0f:ab:19:21:2e:57:
+                    16:55:21:3e:f5:2c:98:3d:ac:d6:0b:3f:34:ee:8f:
+                    59:a2:f2:4a:94:ed:96:c2:41:93:e3:9d:ed:d0:fa:
+                    64:f4:d7:24:3c:03:98:bc:95:be:2c:3f:42:89:3f:
+                    b9:e5:1a:95:3c:2d:67:0a:84:60:17:7d:21:5f:a8:
+                    43:99:65:3f:b3:d8:06:1d:43
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                E0:51:7A:02:09:11:E6:2F:5F:47:D9:2E:36:9D:9D:AF:7F:16:5F:74
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        6b:b8:50:42:30:27:87:e9:1e:0c:8d:c5:c0:fc:71:f4:70:41:
+        ee:45:09:ac:d2:2c:54:c7:d6:10:66:09:43:cd:8f:8e:75:9a:
+        61:b7:7b:45:10:fa:f4:15:73:6a:ca:01:0b:33:fc:a1:06:30:
+        c0:ff:10:5b:9d:5d:c1:2c:8d:a5:5f:f0:c2:ef:1c:49:e2:1f:
+        02:f3:fa:3b:cd:19:c3:a6:37:0b:0c:cb:af:b0:f8:24:8e:f9:
+        4d:36:82:89:2c:b8:84:a8:5d:5c:fb:f0:64:bd:04:f2:67:a2:
+        3c:d9:59:a0:81:f4:ad:f5:9d:ad:d5:14:48:e2:48:99:ed:41:
+        5e:31
+-----BEGIN CERTIFICATE-----
+MIIESTCCA7KgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDMyNVoXDTIyMDUxMDAzMDMyNVow
+gaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
+MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
+BgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4LnNpdGUxGzAZBgkq
+hkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYweTaH/gY39fuJoYxiT
+vpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2WwkGT453t0Ppk9Nck
+PAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMCAwEAAaOCAX4wggF6
+MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
+YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTg
+UXoCCRHmL19H2S42nZ2vfxZfdDCB4gYDVR0jBIHaMIHXgBSMpdtTIb1fYeFW7Xqb
+pQK9LiOqpqGBs6SBsDCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYD
+VQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1Z
+IENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRl
+YmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlggkA
+jmjimwbL0WUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMA0GCSqG
+SIb3DQEBBQUAA4GBAGu4UEIwJ4fpHgyNxcD8cfRwQe5FCazSLFTH1hBmCUPNj451
+mmG3e0UQ+vQVc2rKAQsz/KEGMMD/EFudXcEsjaVf8MLvHEniHwLz+jvNGcOmNwsM
+y6+w+CSO+U02goksuISoXVz78GS9BPJnojzZWaCB9K31na3VFEjiSJntQV4x
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/alix.site.csr

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB5TCCAU4CAQAwgaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UE
+BxMJU2FvIFBhdWxvMSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBD
+SEFOR0UgSVQxFzAVBgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4
+LnNpdGUxGzAZBgkqhkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYwe
+TaH/gY39fuJoYxiTvpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2W
+wkGT453t0Ppk9NckPAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMC
+AwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBACEP5T3w6bdqyF0aHZD3Tye0b02bL1S/
+x6phHacFHYA0SwDPU/Wd6jXmqWvgG0Iz6mtoKTcfYdPaWvqagykRB0PHIkKlf1he
+Y+hHJfnOzvUroUglF6a3tc6LDLU9GwBZ8u/H1Ox9U+vhstTkVB72735Q8L0FWAVa
+iE3D7xZX5Rjf
+-----END CERTIFICATE REQUEST-----

ANW-URB/openvpn/easy-rsa/2.0/keys/alix.site.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDLlhfpsq2JyyZgYyjSd2yVMb15lrkIY+xEB8nls7oxjB5Nof+B
+jf1+4mhjGJO+mRVwsVsg/g+rGSEuVxZVIT71LJg9rNYLPzTuj1mi8kqU7ZbCQZPj
+ne3Q+mT01yQ8A5i8lb4sP0KJP7nlGpU8LWcKhGAXfSFfqEOZZT+z2AYdQwIDAQAB
+AoGAFZ4fdepKMRqIPa3p1MdnmUQJ2ZJenXx2xxaIosJ93+sAAMBV8DzSkRmbegJP
+FesNcsTyZ0NzCHkHo/MNZQa9t3xSb3I5ZTg6CMe/QiXu09U56dIACNT9GhrfPpIZ
+ovllZtTPQwR4rcQnwTXxWTn6NCjiDFs/VvwaGAkU0rO3VlkCQQD5pGsMwKj9HPI7
+SM4tN6saNvLyPzE1rooF03zIpD4SwtwAsuHWT8LNiI4Th4f61q0uhn2G3bpjiriX
+f4wB4TxNAkEA0MVn/h3dghfy2GxvMbTbn7wbPcCGhQRXU5NwbdgOmqFDfpBa7+TS
+/xqqb0APFgBgKi0iuYpN/mH7gSpeCmFHzwJAXufd9qwr0oY1pMop79DREJdBR000
+1Ra0zEA5mUGvg4xm/TEEYGhUQ7UdZllJHdiNYDmq8SHMYVl0kcvgmzpYpQJAQqxo
+080x6tQ/KEMpF9TMtyzZ/lS4IU8LnJNfupTfxR5vccIkaKzJfdNETxdEOiCQlaeo
+iVzUH8OnEM85DVOYHQJBAOBvhg5bY9IjhZWEcdq/uY1XDTbaxNydeDLUO7imoQVd
+/rbaY+krV26ewmE6LUS2n6tIrGQG4FRlQtEp7I36htQ=
+-----END RSA PRIVATE KEY-----

ANW-URB/openvpn/easy-rsa/2.0/keys/ca.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID8jCCA1ugAwIBAgIJAI5o4psGy9FlMA0GCSqGSIb3DQEBBQUAMIGtMQswCQYD
+VQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UE
+ChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5M
+aW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJ
+KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwHhcNMTIwNTEyMDMwMTUzWhcNMjIwNTEw
+MDMwMTUzWjCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlT
+YW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1ZIENIQU5H
+RSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRlYmlhbiBG
+b3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQCvPgsgF+v7xSfdH/EJVoRdvGHfj+xwHarRNHfy
+rCmhOwZYqNTFrGV+PgZqLu1KVFUxEiV4/qjDosmQnKMfSOo07QY07JpQkyPmezyA
+4kjZcSlQZ7YrdNI/jtSWZwehm1pkGftWQUx1SOFUhYVOm6DM76SoaSJRXkbqlfAt
+YRmN0wIDAQABo4IBFjCCARIwHQYDVR0OBBYEFIyl21MhvV9h4VbtepulAr0uI6qm
+MIHiBgNVHSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQsw
+CQYDVQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgG
+A1UEChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQL
+Ew5MaW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRsw
+GQYJKoZIhvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBABVmoMWdupXUB2J5p3LI18icmItRPyPH5uBc
+8C2/7AuvOvsRjjjAOtiThBLshCa2YQ2kxlT/uQKVAHrJojzDjozF/NB4rjr74aqj
+GGrWIL8ATWUjNKQFJv32h16t+eUrmWJJUlS4L0oq+v/C96l2QMG8M5Z3nxuctWwO
+ObQ1wsVu
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCvPgsgF+v7xSfdH/EJVoRdvGHfj+xwHarRNHfyrCmhOwZYqNTF
+rGV+PgZqLu1KVFUxEiV4/qjDosmQnKMfSOo07QY07JpQkyPmezyA4kjZcSlQZ7Yr
+dNI/jtSWZwehm1pkGftWQUx1SOFUhYVOm6DM76SoaSJRXkbqlfAtYRmN0wIDAQAB
+AoGBAIUrpfK2mxtSAPA2VMqe16oP/WSSD8BHm0auE7TzhhNDMphvfHnXf61G30MT
+9Dk3CyJmQtnG1GMPMxPVJNUiaO+aUVfOV1o38S9y9eSd34IX86MvzCsdwAkK120M
+/Mndf6G2TSLLTh351SBAKx1F3bAB5gohIIKMRUiWNd7edJxBAkEA5sfMVSt3isyK
+X3pToki/H+d0Ht3HZAQzjpCzy4lFymfMiywMlU/ujsTR0KpXXEtJAvC1S22hBGmX
+s/YPMGmLswJBAMJkic85d/Eld2xIsGZMvn/2hjQiJMd+akdvSO6p6Fq4IX8zFdXS
+yob1zyaaI8r9YZcBIBJjipeEgY29yVAKZWECQGhNnPhRcPH2iAOnEe2i217cCQt6
+SQfXLkYc+GXhYP2d9EBiZD2HptY39mxM0LcR/6moiQfSQJfx8XKQn0TOLykCQQCF
+3xEc2bnlI2U7+E8rFFz46QCBNKZZkJCGg3gZjH9MwpOm8rpt183L5cp0DiDqMVcc
+1BSPNWgDcqh5waK68X3hAkEAnnYmuNkKLTs25Zc2gRR/7OXgGc3sRdBnHiTT/dPr
+nGQ7npSSA01XZKJFSRFSgEFoBBiP3k5GcuS9Srr9gfHSJQ==
+-----END RSA PRIVATE KEY-----

ANW-URB/openvpn/easy-rsa/2.0/keys/crl-test.site.crt

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:02:28 2012 GMT
+            Not After : May 10 03:02:28 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix, CN=crl-test.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:c5:ea:a1:09:d0:00:af:07:54:12:6c:96:83:dc:
+                    2a:6e:10:db:57:0c:a9:70:8e:cd:3a:d4:c7:cf:bc:
+                    f8:8e:88:85:9c:59:26:fe:94:93:78:a6:7e:48:41:
+                    ce:78:12:55:1c:18:60:93:66:ab:35:9b:10:60:67:
+                    48:6e:e5:ef:01:d6:2b:33:24:73:66:ba:50:5f:90:
+                    bc:05:95:1c:fd:9a:82:e4:41:81:bb:a8:45:c3:9a:
+                    09:a3:8b:7a:00:fe:00:9f:bd:cf:15:42:5b:53:38:
+                    0d:8d:b4:90:c9:26:f3:2b:aa:de:a4:e9:eb:1c:e4:
+                    ab:e7:a9:0a:85:e4:72:53:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                2E:44:CD:9A:53:C1:1D:BC:4C:4D:58:7F:52:62:AF:7B:AC:C9:FF:3A
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        27:8b:a6:82:17:72:9d:e5:31:b5:14:58:a1:40:93:15:50:47:
+        d6:73:ff:55:79:cb:bc:d6:e3:e5:d7:1b:5d:77:c8:ad:a4:1f:
+        f0:2a:a3:de:81:4f:58:87:b9:38:49:42:69:53:51:87:79:ba:
+        23:48:51:5d:b1:19:88:a0:6c:a2:1c:79:c3:7f:02:62:61:56:
+        3e:1f:73:ec:e6:d1:33:22:ed:3d:60:3a:35:a4:8c:07:88:cc:
+        25:b2:d8:2c:ac:db:47:a4:a6:72:30:e3:09:0c:0f:6d:bd:e7:
+        bf:b7:77:af:89:8e:89:cb:7e:23:6b:9d:42:7e:b3:22:d9:aa:
+        e0:67
+-----BEGIN CERTIFICATE-----
+MIIEITCCA4qgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDIyOFoXDTIyMDUxMDAzMDIyOFow
+fTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8x
+GDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMNY3JsLXRlc3Quc2l0
+ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
+qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
+o4IBfjCCAXowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4
+QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFC5EzZpTwR28TE1Yf1Jir3usyf86MIHiBgNVHSMEgdowgdeAFIyl21Mh
+vV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQGEwJCUjELMAkGA1UECBMC
+U1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMhRGViaWFuIEZvciBBbGl4
+IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51eCBQcm9qZWN0czEbMBkG
+A1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZIhvcNAQkBFgxuby1tYWls
+QHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMC
+BaAwDQYJKoZIhvcNAQEFBQADgYEAJ4umghdyneUxtRRYoUCTFVBH1nP/VXnLvNbj
+5dcbXXfIraQf8Cqj3oFPWIe5OElCaVNRh3m6I0hRXbEZiKBsohx5w38CYmFWPh9z
+7ObRMyLtPWA6NaSMB4jMJbLYLKzbR6SmcjDjCQwPbb3nv7d3r4mOict+I2udQn6z
+Itmq4Gc=
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/crl-test.site.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBvTCCASYCAQAwfTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQH
+EwlTYW8gUGF1bG8xGDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMN
+Y3JsLXRlc3Quc2l0ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs06
+1MfPvPiOiIWcWSb+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBf
+kLwFlRz9moLkQYG7qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5Kvn
+qQqF5HJTjQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAsuPOQdbzTcvMTrZPpn9r
+Aqpi+vcLt1g1B5NF4qlw1MhJ2bavIimsQYhT/PM+i8722QJL+K7VJr0Y9VgRI2Rg
+qPUquHVsXkZQN3d0+q/YRK6W0WFJEJaF85gDzIlyNBNKuBJq9ADafRugDrz2xcM7
+cy0OZCunFhH3MdCqXdRqLrw=
+-----END CERTIFICATE REQUEST-----

ANW-URB/openvpn/easy-rsa/2.0/keys/crl-test.site.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
+qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
+AoGAZo88XiJciFbK2TVOFgx8LEct8oEMONi3PxpOZLcvMmVKn4ePbnM9rFLSs8zu
+GkidtA5p1VhptkChjuNWpKkgXbDBTRYbrUOnXrUgToW10C4E5ftztbcRQ847OE1G
+eMjznSd9SiLElV3REyY6BzTYciRo987MoBrtqi02EPDYbv0CQQDraopLMDQml1Kl
+1cluGuTJ8ZNxDKWkDfr5BvEMpn5v1W82k1dWLkJDMYIuKu76OfevxAibLpNL3Q06
+wLb8c4nTAkEA1zi2PaBAiPgDXPUl3LnDNrr4kjXc8KJZpmCf/kgKVc+pYppDsUiG
+wC4mWcVuerrankeLFbkOPW0GBjsrDVfxHwJAJDkMdm1AWP/Hs8Slbc+tjHUjXq23
+fvq3t0GeLXgg1ExfBGK/eX88quIfScNJai8pMV5UhKwx9eZZdsTYYxfUCQJAMvog
+2Fnzzz2HdmYukKiDX5xLsj4F1g1uVKVAYDdqE0c7pLpLXFuEZ1LHDK5h67oEfEcP
+35ZUlCIVsjYjjWaOGwJBAJC0swnzK5wdMDzzF+oqOnGs2EzptfuUQ9JlabffbL4Y
+9mbuCu12IDMLDmY73Dnk1BWzi8TyfTD2fEDU8seNl28=
+-----END RSA PRIVATE KEY-----

ANW-URB/openvpn/easy-rsa/2.0/keys/crl.pem

@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBiTCB8zANBgkqhkiG9w0BAQQFADCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgT
+AlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxp
+eCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZ
+BgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFp
+bEBzaXRlFw0xMjA1MTIwMzAyMzhaFw0xMjA2MTEwMzAyMzhaMBQwEgIBARcNMTIw
+NTEyMDMwMjM4WjANBgkqhkiG9w0BAQQFAAOBgQAJRVAq3T2gjUsKSjg5dLuy3pGl
+jVguEybZuOJn80LX1a9Jha367CZVuuww6GX2EUBiFKxXS4BHsV56q2XJaUlWaCXb
+4pjHWNm5i/JW7VwtG1fConY2BRaJrVCXu8wazx6vzbxYNuyMwtaoUvvPaGlQxen5
+TMe+Qpp6nw8ppaHAPg==
+-----END X509 CRL-----

ANW-URB/openvpn/easy-rsa/2.0/keys/dh1024.pem

@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAKPTQ3STxQjGe+kIuQrOhyIXruP3ttLox+Zlieb9wRoblR8PNGyyUv7t
+4X/7Bk+vzrwkqUYwUX91Hm5GMBDqhuchk0iY9r+y7XucD69yct3ivF6oKqqNjQyN
+I2mpbMWKZTbSrfKKcd5NTOVDQUxpIIVRJhp2nfNW24jvHI4hIgjjAgEC
+-----END DH PARAMETERS-----

ANW-URB/openvpn/easy-rsa/2.0/keys/index.txt

@@ -0,0 +1,3 @@
+R	220510030228Z	120512030238Z	01	unknown	/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix/CN=crl-test.site/emailAddress=no-mail@site
+V	220510030325Z		02	unknown	/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=alix.site/emailAddress=no-mail@site
+V	220510030631Z		03	unknown	/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=vpn01.site/emailAddress=no-mail@site

ANW-URB/openvpn/easy-rsa/2.0/keys/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

ANW-URB/openvpn/easy-rsa/2.0/keys/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = yes

ANW-URB/openvpn/easy-rsa/2.0/keys/index.txt.old

@@ -0,0 +1,2 @@
+R	220510030228Z	120512030238Z	01	unknown	/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix/CN=crl-test.site/emailAddress=no-mail@site
+V	220510030325Z		02	unknown	/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=alix.site/emailAddress=no-mail@site

ANW-URB/openvpn/easy-rsa/2.0/keys/revoke-test.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIID8jCCA1ugAwIBAgIJAI5o4psGy9FlMA0GCSqGSIb3DQEBBQUAMIGtMQswCQYD
+VQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UE
+ChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5M
+aW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJ
+KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwHhcNMTIwNTEyMDMwMTUzWhcNMjIwNTEw
+MDMwMTUzWjCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlT
+YW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1ZIENIQU5H
+RSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRlYmlhbiBG
+b3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQCvPgsgF+v7xSfdH/EJVoRdvGHfj+xwHarRNHfy
+rCmhOwZYqNTFrGV+PgZqLu1KVFUxEiV4/qjDosmQnKMfSOo07QY07JpQkyPmezyA
+4kjZcSlQZ7YrdNI/jtSWZwehm1pkGftWQUx1SOFUhYVOm6DM76SoaSJRXkbqlfAt
+YRmN0wIDAQABo4IBFjCCARIwHQYDVR0OBBYEFIyl21MhvV9h4VbtepulAr0uI6qm
+MIHiBgNVHSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQsw
+CQYDVQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgG
+A1UEChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQL
+Ew5MaW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRsw
+GQYJKoZIhvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBABVmoMWdupXUB2J5p3LI18icmItRPyPH5uBc
+8C2/7AuvOvsRjjjAOtiThBLshCa2YQ2kxlT/uQKVAHrJojzDjozF/NB4rjr74aqj
+GGrWIL8ATWUjNKQFJv32h16t+eUrmWJJUlS4L0oq+v/C96l2QMG8M5Z3nxuctWwO
+ObQ1wsVu
+-----END CERTIFICATE-----
+-----BEGIN X509 CRL-----
+MIIBiTCB8zANBgkqhkiG9w0BAQQFADCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgT
+AlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxp
+eCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZ
+BgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFp
+bEBzaXRlFw0xMjA1MTIwMzAyMzhaFw0xMjA2MTEwMzAyMzhaMBQwEgIBARcNMTIw
+NTEyMDMwMjM4WjANBgkqhkiG9w0BAQQFAAOBgQAJRVAq3T2gjUsKSjg5dLuy3pGl
+jVguEybZuOJn80LX1a9Jha367CZVuuww6GX2EUBiFKxXS4BHsV56q2XJaUlWaCXb
+4pjHWNm5i/JW7VwtG1fConY2BRaJrVCXu8wazx6vzbxYNuyMwtaoUvvPaGlQxen5
+TMe+Qpp6nw8ppaHAPg==
+-----END X509 CRL-----

ANW-URB/openvpn/easy-rsa/2.0/keys/serial

@@ -0,0 +1 @@
+04

ANW-URB/openvpn/easy-rsa/2.0/keys/serial.old

@@ -0,0 +1 @@
+03

ANW-URB/openvpn/easy-rsa/2.0/keys/vpn01.site.crt

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:06:31 2012 GMT
+            Not After : May 10 03:06:31 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=vpn01.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a0:47:e1:23:fa:32:a3:cc:ee:e4:03:96:4c:84:
+                    c2:1e:05:2a:a8:b1:02:0c:b4:26:c5:54:ec:a0:85:
+                    3b:a2:a2:51:b8:85:9a:af:8e:50:fc:99:0a:5a:87:
+                    bf:02:f6:89:bd:04:44:fc:39:db:97:94:62:e8:e1:
+                    2f:c5:f9:dc:ce:2a:c0:63:b7:be:6c:41:7d:87:01:
+                    dd:f2:8b:b2:99:f6:a8:af:4e:11:0d:7b:e2:6e:82:
+                    ec:10:78:21:3c:09:85:c3:ab:b1:6d:14:74:c8:0a:
+                    8f:ec:80:80:b8:f6:a1:ef:dc:ba:7a:08:2b:c2:f5:
+                    77:af:93:d5:8d:1d:98:f2:85
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                91:38:28:A9:09:46:53:9E:E7:BC:29:77:F7:3B:25:92:08:6A:49:56
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+        72:65:d4:0d:49:25:77:e2:c1:6d:10:eb:21:6a:d8:33:e7:01:
+        b6:e5:25:dd:46:73:3f:65:91:16:46:dd:db:88:ed:97:2b:02:
+        6f:0e:f3:be:23:e0:38:80:93:5b:6c:85:e8:32:cc:2a:fc:d3:
+        23:c6:c1:66:52:d9:cf:d1:ab:7d:85:19:7a:a9:02:3a:f8:af:
+        74:97:bf:8d:73:92:b8:d4:18:48:b8:2a:a6:c1:5e:e2:6e:cc:
+        ea:91:ba:91:7c:39:21:4e:46:76:c8:4e:3f:98:a7:fc:f2:31:
+        e4:27:fa:c2:34:d5:7c:8a:94:63:c1:bb:b4:eb:7c:ce:21:00:
+        d5:72
+-----BEGIN CERTIFICATE-----
+MIIEMDCCA5mgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDYzMVoXDTIyMDUxMDAzMDYzMVow
+gaUxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
+MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
+BgNVBAsTDkxpbnV4IFByb2plY3RzMRMwEQYDVQQDEwp2cG4wMS5zaXRlMRswGQYJ
+KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKBH4SP6MqPM7uQDlkyEwh4FKqixAgy0JsVU7KCFO6KiUbiFmq+OUPyZClqH
+vwL2ib0ERPw525eUYujhL8X53M4qwGO3vmxBfYcB3fKLspn2qK9OEQ174m6C7BB4
+ITwJhcOrsW0UdMgKj+yAgLj2oe/cunoIK8L1d6+T1Y0dmPKFAgMBAAGjggFkMIIB
+YDAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFJE4KKkJRlOe57wpd/c7JZIIaklWMIHiBgNV
+HSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQG
+EwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMh
+RGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51
+eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZI
+hvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEF
+BQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQEFBQADgYEAcmXUDUkld+LBbRDr
+IWrYM+cBtuUl3UZzP2WRFkbd24jtlysCbw7zviPgOICTW2yF6DLMKvzTI8bBZlLZ
+z9GrfYUZeqkCOvivdJe/jXOSuNQYSLgqpsFe4m7M6pG6kXw5IU5GdshOP5in/PIx
+5Cf6wjTVfIqUY8G7tOt8ziEA1XI=
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/vpn01.site.csr

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB5jCCAU8CAQAwgaUxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UE
+BxMJU2FvIFBhdWxvMSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBD
+SEFOR0UgSVQxFzAVBgNVBAsTDkxpbnV4IFByb2plY3RzMRMwEQYDVQQDEwp2cG4w
+MS5zaXRlMRswGQYJKoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAKBH4SP6MqPM7uQDlkyEwh4FKqixAgy0JsVU7KCFO6Ki
+UbiFmq+OUPyZClqHvwL2ib0ERPw525eUYujhL8X53M4qwGO3vmxBfYcB3fKLspn2
+qK9OEQ174m6C7BB4ITwJhcOrsW0UdMgKj+yAgLj2oe/cunoIK8L1d6+T1Y0dmPKF
+AgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAYmNnggH95U2iVGt8Ef123jYY5I79b
+T4I9PxUOvqhLaHy7C55XR612TKop48D4SuyXif7LescwEvvOlawYXLnGnbIIpQe5
+BnlJ6BBd9WJ72DWrKSXev7zwj+eWG7tjXXLLXsWQGyF9zUJmp2X14PaaGKrY8m7J
+lsFjBJb1btOzoQ==
+-----END CERTIFICATE REQUEST-----

ANW-URB/openvpn/easy-rsa/2.0/keys/vpn01.site.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCgR+Ej+jKjzO7kA5ZMhMIeBSqosQIMtCbFVOyghTuiolG4hZqv
+jlD8mQpah78C9om9BET8OduXlGLo4S/F+dzOKsBjt75sQX2HAd3yi7KZ9qivThEN
+e+JuguwQeCE8CYXDq7FtFHTICo/sgIC49qHv3Lp6CCvC9Xevk9WNHZjyhQIDAQAB
+AoGASf2ks2UW54L9bQky4xQOQKmF7eX42kB3/XSc3+VhiEyCiTo0FIMQY+uKWgx8
+YzPIlhdYeU+ETc9UcckysqQMB+2x8+wyB9SFe0AIsHqXUVlW1lPgaDRqIwHWzJjY
+Z51qRT+EehH4c65Lec+jTAiVj5HMQCFHIfANR5tN1MkuMakCQQDLs5PlS48cOgve
+2DHWoIHr6Lgh4dQ9Puq2Gy29tFUpVV2FfZ+dCkx8GX4CX07Yoz1YSkHDb3etHQrD
+dVb2RMArAkEAyW5yLwlyqLJHwvLt+8Lo8EwLDTEIoj8yq2ks7F/vRXFPvpUzPWpD
+/Z9eTfULUDoY28O4apUbLSXc16QF1C0QDwJAXy9qzJqiJO563YbowwH9s97rK+n6
+4yOjSbUpipvZr5bUPKyXCSrm0paW60Td8x1UbQ1F7a0InzwS64LJQAqgQQJAW9v5
+SIgXeOUsorPkYb7GOeeD1rU4ybzmX5MsQHOTi2icRD6ISoaukPffqs+IJEMKWRZN
+gJWU+ibdKp4LZnJScwJAfpHZTB2GLuPBd/zU+R0pJF3JE2Ktv7+PKl44dl49+P4R
+L6KsiC6E5kaVdF8LCZaKY/4UIRCKFZw876rnzEjGTw==
+-----END RSA PRIVATE KEY-----

ANW-URB/openvpn/easy-rsa/2.0/list-crl

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# list revoked certificates
+
+CRL="${1:-crl.pem}"
+
+if [ "$KEY_DIR" ]; then
+    cd "$KEY_DIR" && \
+	$OPENSSL crl -text -noout -in "$CRL"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf

@@ -0,0 +1,265 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

ANW-URB/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf

@@ -0,0 +1,290 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines                 = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

ANW-URB/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

@@ -0,0 +1,285 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

ANW-URB/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf-old-copy

@@ -0,0 +1,285 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

ANW-URB/openvpn/easy-rsa/2.0/openssl.cnf

@@ -0,0 +1,285 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

ANW-URB/openvpn/easy-rsa/2.0/pkitool

@@ -0,0 +1,379 @@
+#!/bin/sh
+
+#  OpenVPN -- An application to securely tunnel IP networks
+#             over a single TCP/UDP port, with support for SSL/TLS-based
+#             session authentication and key exchange,
+#             packet encryption, packet authentication, and
+#             packet compression.
+#
+#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License version 2
+#  as published by the Free Software Foundation.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program (see the file COPYING included with this
+#  distribution); if not, write to the Free Software Foundation, Inc.,
+#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# pkitool is a front-end for the openssl tool.
+
+# Calling scripts can set the certificate organizational 
+# unit with the KEY_OU environmental variable. 
+
+# Calling scripts can also set the KEY_NAME environmental
+# variable to set the "name" X509 subject field.
+
+PROGNAME=pkitool
+VERSION=2.0
+DEBUG=0
+
+die()
+{
+    local m="$1"
+
+    echo "$m" >&2
+    exit 1
+}
+
+need_vars()
+{
+    echo '  Please edit the vars script to reflect your configuration,'
+    echo '  then source it with "source ./vars".'
+    echo '  Next, to start with a fresh PKI configuration and to delete any'
+    echo '  previous certificates and keys, run "./clean-all".'
+    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."
+}
+
+usage()
+{
+    echo "$PROGNAME $VERSION"
+    echo "Usage: $PROGNAME [options...] [common-name]"
+    echo "Options:"
+    echo "  --batch    : batch mode (default)"
+    echo "  --keysize  : Set keysize"
+    echo "      size   : size (default=1024)"
+    echo "  --interact : interactive mode"
+    echo "  --server   : build server cert"
+    echo "  --initca   : build root CA"
+    echo "  --inter    : build intermediate CA"
+    echo "  --pass     : encrypt private key with password"
+    echo "  --csr      : only generate a CSR, do not sign"
+    echo "  --sign     : sign an existing CSR"
+    echo "  --pkcs12   : generate a combined PKCS#12 file"
+    echo "  --pkcs11   : generate certificate on PKCS#11 token"
+    echo "      lib    : PKCS#11 library"
+    echo "      slot   : PKCS#11 slot"
+    echo "      id     : PKCS#11 object id (hex string)"
+    echo "      label  : PKCS#11 object label"
+    echo "Standalone options:"
+    echo "  --pkcs11-slots   : list PKCS#11 slots"
+    echo "      lib    : PKCS#11 library"
+    echo "  --pkcs11-objects : list PKCS#11 token objects"
+    echo "      lib    : PKCS#11 library"
+    echo "      slot   : PKCS#11 slot"
+    echo "  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!"
+    echo "      lib    : PKCS#11 library"
+    echo "      slot   : PKCS#11 slot"
+    echo "      label  : PKCS#11 token label"
+    echo "Notes:"
+    need_vars
+    echo "  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
+    echo "Generated files and corresponding OpenVPN directives:"
+    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
+    echo "  ca.crt     -> root certificate (--ca)"
+    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"
+    echo "  .crt files -> client/server certificates (--cert)"
+    echo "  .key files -> private keys, keep secure (--key)"
+    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"
+    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
+    echo "Examples:"
+    echo "  $PROGNAME --initca          -> Build root certificate"
+    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"
+    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"
+    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"
+    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"
+    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS#12 format"
+    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"
+    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"
+    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"
+    echo "                               Also see ./inherit-inter script."
+    echo "  $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
+    echo "                              -> Build \"client5\" certificate/key in PKCS#11 token"
+    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."
+    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"
+    echo "  [edit vars with your site-specific info]"
+    echo "  source ./vars"
+    echo "  ./clean-all"
+    echo "  ./build-dh     -> takes a long time, consider backgrounding"
+    echo "  ./$PROGNAME --initca"
+    echo "  ./$PROGNAME --server myserver"
+    echo "  ./$PROGNAME client1"
+    echo "  ./$PROGNAME --pass client2"
+    echo "Typical usage for adding client cert to existing PKI:"
+    echo "  source ./vars"
+    echo "  ./$PROGNAME client-new"
+}
+
+# Set tool defaults
+[ -n "$OPENSSL" ] || export OPENSSL="openssl"
+[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
+[ -n "$GREP" ] || export GREP="grep"
+
+# Set defaults
+DO_REQ="1"
+REQ_EXT=""
+DO_CA="1"
+CA_EXT=""
+DO_P12="0"
+DO_P11="0"
+DO_ROOT="0"
+NODES_REQ="-nodes"
+NODES_P12=""
+BATCH="-batch"
+CA="ca"
+# must be set or errors of openssl.cnf
+PKCS11_MODULE_PATH="dummy"
+PKCS11_PIN="dummy"
+
+# Process options
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --keysize  ) KEY_SIZE=$2
+		     shift;;
+	--server   ) REQ_EXT="$REQ_EXT -extensions server"
+	             CA_EXT="$CA_EXT -extensions server" ;;
+	--batch    ) BATCH="-batch" ;;
+	--interact ) BATCH="" ;;
+        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
+        --initca   ) DO_ROOT="1" ;;
+	--pass     ) NODES_REQ="" ;;
+        --csr      ) DO_CA="0" ;;
+        --sign     ) DO_REQ="0" ;;
+        --pkcs12   ) DO_P12="1" ;;
+	--pkcs11   ) DO_P11="1"
+	             PKCS11_MODULE_PATH="$2"
+		     PKCS11_SLOT="$3"
+		     PKCS11_ID="$4"
+		     PKCS11_LABEL="$5"
+		     shift 4;;
+
+	# standalone
+	--pkcs11-init)
+	             PKCS11_MODULE_PATH="$2"
+	             PKCS11_SLOT="$3"
+	             PKCS11_LABEL="$4"
+		     if [ -z "$PKCS11_LABEL" ]; then
+		       die "Please specify library name, slot and label"
+		     fi
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+		     	--label "$PKCS11_LABEL" &&
+			$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+		     exit $?;;
+	--pkcs11-slots)
+	             PKCS11_MODULE_PATH="$2"
+		     if [ -z "$PKCS11_MODULE_PATH" ]; then
+		       die "Please specify library name"
+		     fi
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+		     exit 0;;
+	--pkcs11-objects)
+	             PKCS11_MODULE_PATH="$2"
+	             PKCS11_SLOT="$3"
+		     if [ -z "$PKCS11_SLOT" ]; then
+		       die "Please specify library name and slot"
+		     fi
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+		     exit 0;;
+
+        --help|--usage)
+                    usage
+                    exit ;;
+        --version)
+                    echo "$PROGNAME $VERSION"
+                    exit ;;
+	# errors
+	--*        ) die "$PROGNAME: unknown option: $1" ;;
+	*          ) break ;;
+    esac
+    shift   
+done
+
+if ! [ -z "$BATCH" ]; then
+	if $OPENSSL version | grep 0.9.6 > /dev/null; then
+		die "Batch mode is unsupported in openssl<0.9.7"
+	fi
+fi
+
+if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
+	die "PKCS#11 and PKCS#12 cannot be specified together"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+	if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
+		die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
+	fi
+fi
+
+# If we are generating pkcs12, only encrypt the final step
+if [ $DO_P12 -eq 1 ]; then
+    NODES_P12="$NODES_REQ"
+    NODES_REQ="-nodes"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+	if [ -z "$PKCS11_LABEL" ]; then
+		die "PKCS#11 arguments incomplete"
+	fi
+fi
+
+# If undefined, set default key expiration intervals
+if [ -z "$KEY_EXPIRE" ]; then
+    KEY_EXPIRE=3650
+fi
+if [ -z "$CA_EXPIRE" ]; then
+    CA_EXPIRE=3650
+fi
+
+# Set organizational unit to empty string if undefined
+if [ -z "$KEY_OU" ]; then
+    KEY_OU=""
+fi
+
+# Set X509 Name string to empty string if undefined
+if [ -z "$KEY_NAME" ]; then
+    KEY_NAME=""
+fi
+
+# Set KEY_CN, FN
+if [ $DO_ROOT -eq 1 ]; then
+    if [ -z "$KEY_CN" ]; then
+	if [ "$1" ]; then
+	    KEY_CN="$1"
+	elif [ "$KEY_ORG" ]; then
+	    KEY_CN="$KEY_ORG CA"
+	fi
+    fi
+    if [ $BATCH ] && [ "$KEY_CN" ]; then
+	echo "Using CA Common Name:" "$KEY_CN"
+    fi
+    FN="$KEY_CN"
+elif [ $BATCH ] && [ "$KEY_CN" ]; then
+    echo "Using Common Name:" "$KEY_CN"
+    FN="$KEY_CN"
+    if [ "$1" ]; then
+	FN="$1"
+    fi
+else
+    if [ $# -ne 1 ]; then
+	usage
+	exit 1
+    else
+	KEY_CN="$1"
+    fi
+    FN="$KEY_CN"
+fi
+
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
+
+# Show parameters (debugging)
+if [ $DEBUG -eq 1 ]; then
+    echo DO_REQ $DO_REQ
+    echo REQ_EXT $REQ_EXT
+    echo DO_CA $DO_CA
+    echo CA_EXT $CA_EXT
+    echo NODES_REQ $NODES_REQ
+    echo NODES_P12 $NODES_P12
+    echo DO_P12 $DO_P12
+    echo KEY_CN $KEY_CN
+    echo BATCH $BATCH
+    echo DO_ROOT $DO_ROOT
+    echo KEY_EXPIRE $KEY_EXPIRE
+    echo CA_EXPIRE $CA_EXPIRE
+    echo KEY_OU $KEY_OU
+    echo KEY_NAME $KEY_NAME
+    echo DO_P11 $DO_P11
+    echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
+    echo PKCS11_SLOT $PKCS11_SLOT
+    echo PKCS11_ID $PKCS11_ID
+    echo PKCS11_LABEL $PKCS11_LABEL
+fi
+
+# Make sure ./vars was sourced beforehand
+if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
+    cd "$KEY_DIR"
+
+    # Make sure $KEY_CONFIG points to the correct version
+    # of openssl.cnf
+    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+	:
+    else
+	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
+        echo "version of openssl.cnf: $KEY_CONFIG"
+	echo "The correct version should have a comment that says: easy-rsa version 2.x";
+	exit 1;
+    fi
+
+    # Build root CA
+    if [ $DO_ROOT -eq 1 ]; then
+	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+	    -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
+	    chmod 0600 "$CA.key"
+    else        
+        # Make sure CA key/cert is available
+	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
+	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
+		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
+		echo "Try $PROGNAME --initca to build a root certificate/key."
+		exit 1
+	    fi
+	fi
+
+	# Generate key for PKCS#11 token
+	PKCS11_ARGS=
+	if [ $DO_P11 -eq 1 ]; then
+	        stty -echo
+	        echo -n "User PIN: "
+	        read -r PKCS11_PIN
+	        stty echo
+		export PKCS11_PIN
+
+		echo "Generating key pair on PKCS#11 token..."
+		$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+			--login --pin "$PKCS11_PIN" \
+			--key-type rsa:1024 \
+			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
+		PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
+	fi
+
+        # Build cert/key
+	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+	        -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
+	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
+	        -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
+	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
+	        -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
+	    ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$FN.key" ) && \
+	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
+
+	# Load certificate into PKCS#11 token
+	if [ $DO_P11 -eq 1 ]; then
+		$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
+		  $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
+			--login --pin "$PKCS11_PIN" \
+			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" 
+		[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
+	fi
+
+    fi
+
+# Need definitions
+else
+    need_vars
+fi

ANW-URB/openvpn/easy-rsa/2.0/revoke-full

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL="crl.pem"
+RT="revoke-test.pem"
+
+if [ $# -ne 1 ]; then
+    echo "usage: revoke-full <cert-name-base>";
+    exit 1
+fi
+
+if [ "$KEY_DIR" ]; then
+    cd "$KEY_DIR"
+    rm -f "$RT"
+
+    # set defaults
+    export KEY_CN=""
+    export KEY_OU=""
+    export KEY_NAME=""
+
+    # revoke key and generate a new CRL
+    $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+
+    # generate a new CRL -- try to be compatible with
+    # intermediate PKIs
+    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+    if [ -e export-ca.crt ]; then
+	cat export-ca.crt "$CRL" >"$RT"
+    else
+	cat ca.crt "$CRL" >"$RT"
+    fi
+    
+    # verify the revocation
+    $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/sign-req

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-ca

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-dh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+    $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-inter

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-key

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-key-pass

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Similar to build-key, but protect the private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-key-pkcs12

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-key-server

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-req

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Build a certificate signing request and private key.  Use this
+# when your root certificate and key is not available locally.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/build-req-pass

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Like build-req, but protect your private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/clean-all

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+
+if [ "$KEY_DIR" ]; then
+    rm -rf "$KEY_DIR"
+    mkdir "$KEY_DIR" && \
+	chmod go-rwx "$KEY_DIR" && \
+	touch "$KEY_DIR/index.txt" && \
+	echo 01 >"$KEY_DIR/serial"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/tmp/file

@@ -0,0 +1 @@
+./openssl-1.0.0.cnf

ANW-URB/openvpn/easy-rsa/2.0/tmp/inherit-inter

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent.  This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files.  The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+
+if [ $# -ne 2 ]; then
+    echo "usage: $0 <parent-key-dir> <common-name>"
+    echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+    echo "common-name: the common name of the intermediate certificate in the parent PKI"
+    exit 1;
+fi
+
+if [ "$KEY_DIR" ]; then
+    cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+    cp "$1/$2.key" "$KEY_DIR/ca.key"
+
+    if [ -e "$1/$EXPORT_CA" ]; then
+	PARENT_CA="$1/$EXPORT_CA"
+    else
+	PARENT_CA="$1/ca.crt"
+    fi
+    cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+    cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/tmp/list-crl

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# list revoked certificates
+
+CRL="${1:-crl.pem}"
+
+if [ "$KEY_DIR" ]; then
+    cd "$KEY_DIR" && \
+	$OPENSSL crl -text -noout -in "$CRL"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/tmp/openssl-0.9.6.cnf

@@ -0,0 +1,265 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

ANW-URB/openvpn/easy-rsa/2.0/tmp/openssl-1.0.0.cnf

@@ -0,0 +1,285 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

ANW-URB/openvpn/easy-rsa/2.0/tmp/pkitool

@@ -0,0 +1,379 @@
+#!/bin/sh
+
+#  OpenVPN -- An application to securely tunnel IP networks
+#             over a single TCP/UDP port, with support for SSL/TLS-based
+#             session authentication and key exchange,
+#             packet encryption, packet authentication, and
+#             packet compression.
+#
+#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License version 2
+#  as published by the Free Software Foundation.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program (see the file COPYING included with this
+#  distribution); if not, write to the Free Software Foundation, Inc.,
+#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# pkitool is a front-end for the openssl tool.
+
+# Calling scripts can set the certificate organizational 
+# unit with the KEY_OU environmental variable. 
+
+# Calling scripts can also set the KEY_NAME environmental
+# variable to set the "name" X509 subject field.
+
+PROGNAME=pkitool
+VERSION=2.0
+DEBUG=0
+
+die()
+{
+    local m="$1"
+
+    echo "$m" >&2
+    exit 1
+}
+
+need_vars()
+{
+    echo '  Please edit the vars script to reflect your configuration,'
+    echo '  then source it with "source ./vars".'
+    echo '  Next, to start with a fresh PKI configuration and to delete any'
+    echo '  previous certificates and keys, run "./clean-all".'
+    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."
+}
+
+usage()
+{
+    echo "$PROGNAME $VERSION"
+    echo "Usage: $PROGNAME [options...] [common-name]"
+    echo "Options:"
+    echo "  --batch    : batch mode (default)"
+    echo "  --keysize  : Set keysize"
+    echo "      size   : size (default=1024)"
+    echo "  --interact : interactive mode"
+    echo "  --server   : build server cert"
+    echo "  --initca   : build root CA"
+    echo "  --inter    : build intermediate CA"
+    echo "  --pass     : encrypt private key with password"
+    echo "  --csr      : only generate a CSR, do not sign"
+    echo "  --sign     : sign an existing CSR"
+    echo "  --pkcs12   : generate a combined PKCS#12 file"
+    echo "  --pkcs11   : generate certificate on PKCS#11 token"
+    echo "      lib    : PKCS#11 library"
+    echo "      slot   : PKCS#11 slot"
+    echo "      id     : PKCS#11 object id (hex string)"
+    echo "      label  : PKCS#11 object label"
+    echo "Standalone options:"
+    echo "  --pkcs11-slots   : list PKCS#11 slots"
+    echo "      lib    : PKCS#11 library"
+    echo "  --pkcs11-objects : list PKCS#11 token objects"
+    echo "      lib    : PKCS#11 library"
+    echo "      slot   : PKCS#11 slot"
+    echo "  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!"
+    echo "      lib    : PKCS#11 library"
+    echo "      slot   : PKCS#11 slot"
+    echo "      label  : PKCS#11 token label"
+    echo "Notes:"
+    need_vars
+    echo "  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
+    echo "Generated files and corresponding OpenVPN directives:"
+    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
+    echo "  ca.crt     -> root certificate (--ca)"
+    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"
+    echo "  .crt files -> client/server certificates (--cert)"
+    echo "  .key files -> private keys, keep secure (--key)"
+    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"
+    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
+    echo "Examples:"
+    echo "  $PROGNAME --initca          -> Build root certificate"
+    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"
+    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"
+    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"
+    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"
+    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS#12 format"
+    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"
+    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"
+    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"
+    echo "                               Also see ./inherit-inter script."
+    echo "  $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
+    echo "                              -> Build \"client5\" certificate/key in PKCS#11 token"
+    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."
+    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"
+    echo "  [edit vars with your site-specific info]"
+    echo "  source ./vars"
+    echo "  ./clean-all"
+    echo "  ./build-dh     -> takes a long time, consider backgrounding"
+    echo "  ./$PROGNAME --initca"
+    echo "  ./$PROGNAME --server myserver"
+    echo "  ./$PROGNAME client1"
+    echo "  ./$PROGNAME --pass client2"
+    echo "Typical usage for adding client cert to existing PKI:"
+    echo "  source ./vars"
+    echo "  ./$PROGNAME client-new"
+}
+
+# Set tool defaults
+[ -n "$OPENSSL" ] || export OPENSSL="openssl"
+[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
+[ -n "$GREP" ] || export GREP="grep"
+
+# Set defaults
+DO_REQ="1"
+REQ_EXT=""
+DO_CA="1"
+CA_EXT=""
+DO_P12="0"
+DO_P11="0"
+DO_ROOT="0"
+NODES_REQ="-nodes"
+NODES_P12=""
+BATCH="-batch"
+CA="ca"
+# must be set or errors of openssl.cnf
+PKCS11_MODULE_PATH="dummy"
+PKCS11_PIN="dummy"
+
+# Process options
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --keysize  ) KEY_SIZE=$2
+		     shift;;
+	--server   ) REQ_EXT="$REQ_EXT -extensions server"
+	             CA_EXT="$CA_EXT -extensions server" ;;
+	--batch    ) BATCH="-batch" ;;
+	--interact ) BATCH="" ;;
+        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
+        --initca   ) DO_ROOT="1" ;;
+	--pass     ) NODES_REQ="" ;;
+        --csr      ) DO_CA="0" ;;
+        --sign     ) DO_REQ="0" ;;
+        --pkcs12   ) DO_P12="1" ;;
+	--pkcs11   ) DO_P11="1"
+	             PKCS11_MODULE_PATH="$2"
+		     PKCS11_SLOT="$3"
+		     PKCS11_ID="$4"
+		     PKCS11_LABEL="$5"
+		     shift 4;;
+
+	# standalone
+	--pkcs11-init)
+	             PKCS11_MODULE_PATH="$2"
+	             PKCS11_SLOT="$3"
+	             PKCS11_LABEL="$4"
+		     if [ -z "$PKCS11_LABEL" ]; then
+		       die "Please specify library name, slot and label"
+		     fi
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+		     	--label "$PKCS11_LABEL" &&
+			$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+		     exit $?;;
+	--pkcs11-slots)
+	             PKCS11_MODULE_PATH="$2"
+		     if [ -z "$PKCS11_MODULE_PATH" ]; then
+		       die "Please specify library name"
+		     fi
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+		     exit 0;;
+	--pkcs11-objects)
+	             PKCS11_MODULE_PATH="$2"
+	             PKCS11_SLOT="$3"
+		     if [ -z "$PKCS11_SLOT" ]; then
+		       die "Please specify library name and slot"
+		     fi
+		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+		     exit 0;;
+
+        --help|--usage)
+                    usage
+                    exit ;;
+        --version)
+                    echo "$PROGNAME $VERSION"
+                    exit ;;
+	# errors
+	--*        ) die "$PROGNAME: unknown option: $1" ;;
+	*          ) break ;;
+    esac
+    shift   
+done
+
+if ! [ -z "$BATCH" ]; then
+	if $OPENSSL version | grep 0.9.6 > /dev/null; then
+		die "Batch mode is unsupported in openssl<0.9.7"
+	fi
+fi
+
+if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
+	die "PKCS#11 and PKCS#12 cannot be specified together"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+	if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
+		die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
+	fi
+fi
+
+# If we are generating pkcs12, only encrypt the final step
+if [ $DO_P12 -eq 1 ]; then
+    NODES_P12="$NODES_REQ"
+    NODES_REQ="-nodes"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+	if [ -z "$PKCS11_LABEL" ]; then
+		die "PKCS#11 arguments incomplete"
+	fi
+fi
+
+# If undefined, set default key expiration intervals
+if [ -z "$KEY_EXPIRE" ]; then
+    KEY_EXPIRE=3650
+fi
+if [ -z "$CA_EXPIRE" ]; then
+    CA_EXPIRE=3650
+fi
+
+# Set organizational unit to empty string if undefined
+if [ -z "$KEY_OU" ]; then
+    KEY_OU=""
+fi
+
+# Set X509 Name string to empty string if undefined
+if [ -z "$KEY_NAME" ]; then
+    KEY_NAME=""
+fi
+
+# Set KEY_CN, FN
+if [ $DO_ROOT -eq 1 ]; then
+    if [ -z "$KEY_CN" ]; then
+	if [ "$1" ]; then
+	    KEY_CN="$1"
+	elif [ "$KEY_ORG" ]; then
+	    KEY_CN="$KEY_ORG CA"
+	fi
+    fi
+    if [ $BATCH ] && [ "$KEY_CN" ]; then
+	echo "Using CA Common Name:" "$KEY_CN"
+    fi
+    FN="$KEY_CN"
+elif [ $BATCH ] && [ "$KEY_CN" ]; then
+    echo "Using Common Name:" "$KEY_CN"
+    FN="$KEY_CN"
+    if [ "$1" ]; then
+	FN="$1"
+    fi
+else
+    if [ $# -ne 1 ]; then
+	usage
+	exit 1
+    else
+	KEY_CN="$1"
+    fi
+    FN="$KEY_CN"
+fi
+
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
+
+# Show parameters (debugging)
+if [ $DEBUG -eq 1 ]; then
+    echo DO_REQ $DO_REQ
+    echo REQ_EXT $REQ_EXT
+    echo DO_CA $DO_CA
+    echo CA_EXT $CA_EXT
+    echo NODES_REQ $NODES_REQ
+    echo NODES_P12 $NODES_P12
+    echo DO_P12 $DO_P12
+    echo KEY_CN $KEY_CN
+    echo BATCH $BATCH
+    echo DO_ROOT $DO_ROOT
+    echo KEY_EXPIRE $KEY_EXPIRE
+    echo CA_EXPIRE $CA_EXPIRE
+    echo KEY_OU $KEY_OU
+    echo KEY_NAME $KEY_NAME
+    echo DO_P11 $DO_P11
+    echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
+    echo PKCS11_SLOT $PKCS11_SLOT
+    echo PKCS11_ID $PKCS11_ID
+    echo PKCS11_LABEL $PKCS11_LABEL
+fi
+
+# Make sure ./vars was sourced beforehand
+if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
+    cd "$KEY_DIR"
+
+    # Make sure $KEY_CONFIG points to the correct version
+    # of openssl.cnf
+    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+	:
+    else
+	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
+        echo "version of openssl.cnf: $KEY_CONFIG"
+	echo "The correct version should have a comment that says: easy-rsa version 2.x";
+	exit 1;
+    fi
+
+    # Build root CA
+    if [ $DO_ROOT -eq 1 ]; then
+	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+	    -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
+	    chmod 0600 "$CA.key"
+    else        
+        # Make sure CA key/cert is available
+	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
+	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
+		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
+		echo "Try $PROGNAME --initca to build a root certificate/key."
+		exit 1
+	    fi
+	fi
+
+	# Generate key for PKCS#11 token
+	PKCS11_ARGS=
+	if [ $DO_P11 -eq 1 ]; then
+	        stty -echo
+	        echo -n "User PIN: "
+	        read -r PKCS11_PIN
+	        stty echo
+		export PKCS11_PIN
+
+		echo "Generating key pair on PKCS#11 token..."
+		$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+			--login --pin "$PKCS11_PIN" \
+			--key-type rsa:1024 \
+			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
+		PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
+	fi
+
+        # Build cert/key
+	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+	        -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
+	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
+	        -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
+	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
+	        -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
+	    ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$FN.key" ) && \
+	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
+
+	# Load certificate into PKCS#11 token
+	if [ $DO_P11 -eq 1 ]; then
+		$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
+		  $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
+			--login --pin "$PKCS11_PIN" \
+			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" 
+		[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
+	fi
+
+    fi
+
+# Need definitions
+else
+    need_vars
+fi

ANW-URB/openvpn/easy-rsa/2.0/tmp/revoke-full

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL="crl.pem"
+RT="revoke-test.pem"
+
+if [ $# -ne 1 ]; then
+    echo "usage: revoke-full <cert-name-base>";
+    exit 1
+fi
+
+if [ "$KEY_DIR" ]; then
+    cd "$KEY_DIR"
+    rm -f "$RT"
+
+    # set defaults
+    export KEY_CN=""
+    export KEY_OU=""
+    export KEY_NAME=""
+
+    # revoke key and generate a new CRL
+    $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+
+    # generate a new CRL -- try to be compatible with
+    # intermediate PKIs
+    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+    if [ -e export-ca.crt ]; then
+	cat export-ca.crt "$CRL" >"$RT"
+    else
+	cat ca.crt "$CRL" >"$RT"
+    fi
+    
+    # verify the revocation
+    $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/tmp/sign-req

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*

ANW-URB/openvpn/easy-rsa/2.0/tmp/vars

@@ -0,0 +1,74 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL=mail@host.domain
+export KEY_CN=changeme
+export KEY_NAME=changeme
+export KEY_OU=changeme
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234

ANW-URB/openvpn/easy-rsa/2.0/tmp/whichopensslcnf

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+cnf="$1/openssl.cnf"
+if [ "$OPENSSL" ]; then
+	if $OPENSSL version | grep 0.9.6 > /dev/null; then
+		cnf="$1/openssl-0.9.6.cnf"
+	elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
+                cnf="$1/openssl-1.0.0.cnf"
+	else
+		cnf="$1/openssl.cnf"
+	fi
+fi
+
+echo $cnf
+
+if [ ! -r $cnf ]; then
+    echo "**************************************************************" >&2
+    echo "  No $cnf file could be found" >&2
+    echo "  Further invocations will fail" >&2
+    echo "**************************************************************" >&2
+fi 
+
+exit 0

ANW-URB/openvpn/easy-rsa/2.0/vars

@@ -0,0 +1,86 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+##export EASY_RSA="`pwd`"
+BASE_DIR=/etc/openvpn
+export EASY_RSA="${BASE_DIR}/easy-rsa/2.0"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+##export KEY_DIR="$EASY_RSA/keys"
+export KEY_DIR="${BASE_DIR}/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+##export KEY_COUNTRY="US"
+##export KEY_PROVINCE="CA"
+##export KEY_CITY="SanFrancisco"
+##export KEY_ORG="Fort-Funston"
+##export KEY_EMAIL="me@myhost.mydomain"
+##export KEY_EMAIL=mail@host.domain
+export KEY_CN=changeme
+export KEY_NAME=changeme
+##export KEY_OU=changeme
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234
+
+export KEY_COUNTRY=DE
+export KEY_PROVINCE=Berlin
+export KEY_CITY=Berlin
+export KEY_ORG="o.open"
+export KEY_OU="Netzwerk Services"
+export KEY_EMAIL="argus@oopen.de"
+
+

ANW-URB/openvpn/easy-rsa/2.0/whichopensslcnf

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+cnf="$1/openssl.cnf"
+
+if [ "$OPENSSL" ]; then
+	if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]" > /dev/null; then
+		cnf="$1/openssl-0.9.6.cnf"
+	elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]" > /dev/null; then
+		cnf="$1/openssl-0.9.8.cnf"
+	elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
+                cnf="$1/openssl-1.0.0.cnf"
+	else
+		cnf="$1/openssl.cnf"
+	fi
+fi
+
+echo $cnf
+
+if [ ! -r $cnf ]; then
+    echo "**************************************************************" >&2
+    echo "  No $cnf file could be found" >&2
+    echo "  Further invocations will fail" >&2
+    echo "**************************************************************" >&2
+fi
+
+exit 0