Update ANW-URB openvpn
This commit is contained in:
parent
a8ad08b139
commit
52e51a5ceb
@ -1,6 +0,0 @@
|
||||
ifconfig-push 10.1.132.2 255.255.255.0
|
||||
push "route 192.168.132.0 255.255.255.0 10.1.132.1"
|
||||
push "route 192.168.133.0 255.255.255.0 10.1.132.1"
|
||||
push "route 172.16.132.0 255.255.255.0 10.1.132.1"
|
||||
iroute 192.168.63.0 255.255.255.0
|
||||
iroute 192.168.64.0 255.255.255.0
|
||||
@ -1,4 +0,0 @@
|
||||
ifconfig-push 10.0.132.3 255.255.255.0
|
||||
push "route 172.16.132.0 255.255.255.0"
|
||||
#push "route 192.168.1.0 255.255.255.0"
|
||||
|
||||
@ -1,2 +0,0 @@
|
||||
ifconfig-push 10.0.132.4 255.255.255.0
|
||||
#push "route 192.168.1.0 255.255.255.0"
|
||||
Binary file not shown.
@ -1,13 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build a root certificate
|
||||
#
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
|
||||
chmod 0600 ca.key
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,12 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build Diffie-Hellman parameters for the server side
|
||||
# of an SSL/TLS connection.
|
||||
#
|
||||
|
||||
if test $KEY_DIR; then
|
||||
openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,19 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Make an intermediate CA certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-inter <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
|
||||
openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,20 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-key <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
|
||||
chmod 0600 $1.key
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,20 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Similar to build-key, but protect the private key
|
||||
# with a password.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-key-pass <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
|
||||
chmod 0600 $1.key
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,21 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate and convert it to a PKCS #12 file including the
|
||||
# the CA certificate as well.
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-key-pkcs12 <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
|
||||
openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
|
||||
chmod 0600 $1.key $1.p12
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,22 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
# Explicitly set nsCertType to server using the "server"
|
||||
# extension in the openssl.cnf file.
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-key-server <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
|
||||
chmod 0600 $1.key
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build a certificate signing request and private key. Use this
|
||||
# when your root certificate and key is not available locally.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-req <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Like build-req, but protect your private key
|
||||
# with a password.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: build-req-pass <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,19 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Initialize the $KEY_DIR directory.
|
||||
# Note that this script does a
|
||||
# rm -rf on $KEY_DIR so be careful!
|
||||
#
|
||||
|
||||
d=$KEY_DIR
|
||||
|
||||
if test $d; then
|
||||
rm -rf $d
|
||||
mkdir $d && \
|
||||
chmod go-rwx $d && \
|
||||
touch $d/index.txt && \
|
||||
echo 01 >$d/serial
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# list revoked certificates
|
||||
#
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: list-crl <crlfile.pem>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl crl -text -noout -in $1
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# generate a CRL
|
||||
#
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: make-crl <crlfile.pem>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl ca -gencrl -out $1 -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,255 +0,0 @@
|
||||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_match
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "OpenSSL Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# revoke a certificate
|
||||
#
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: revoke-crt <file.crt>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl ca -revoke $1 -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,29 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# revoke a certificate, regenerate CRL,
|
||||
# and verify revocation
|
||||
|
||||
CRL=crl.pem
|
||||
RT=revoke-test.pem
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: revoke-full <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR
|
||||
rm -f $RT
|
||||
|
||||
# revoke key and generate a new CRL
|
||||
openssl ca -revoke $1.crt -config $KEY_CONFIG
|
||||
|
||||
# generate a new CRL
|
||||
openssl ca -gencrl -out $CRL -config $KEY_CONFIG
|
||||
cat ca.crt $CRL >$RT
|
||||
|
||||
# verify the revocation
|
||||
openssl verify -CAfile $RT -crl_check $1.crt
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Sign a certificate signing request (a .csr file)
|
||||
# with a local root certificate and key.
|
||||
#
|
||||
|
||||
if test $# -ne 1; then
|
||||
echo "usage: sign-req <name>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $KEY_DIR; then
|
||||
cd $KEY_DIR && \
|
||||
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
|
||||
else
|
||||
echo you must define KEY_DIR
|
||||
fi
|
||||
@ -1,49 +0,0 @@
|
||||
# easy-rsa parameter settings
|
||||
|
||||
# NOTE: If you installed from an RPM,
|
||||
# don't edit this file in place in
|
||||
# /usr/share/openvpn/easy-rsa --
|
||||
# instead, you should copy the whole
|
||||
# easy-rsa directory to another location
|
||||
# (such as /etc/openvpn) so that your
|
||||
# edits will not be wiped out by a future
|
||||
# OpenVPN package upgrade.
|
||||
|
||||
# This variable should point to
|
||||
# the top level of the easy-rsa
|
||||
# tree.
|
||||
export D=`pwd`
|
||||
|
||||
# This variable should point to
|
||||
# the openssl.cnf file included
|
||||
# with easy-rsa.
|
||||
export KEY_CONFIG=$D/openssl.cnf
|
||||
|
||||
# Edit this variable to point to
|
||||
# your soon-to-be-created key
|
||||
# directory.
|
||||
#
|
||||
# WARNING: clean-all will do
|
||||
# a rm -rf on this directory
|
||||
# so make sure you define
|
||||
# it correctly!
|
||||
export KEY_DIR=$D/keys
|
||||
|
||||
# Issue rm -rf warning
|
||||
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
|
||||
|
||||
# Increase this to 2048 if you
|
||||
# are paranoid. This will slow
|
||||
# down TLS negotiation performance
|
||||
# as well as the one-time DH parms
|
||||
# generation process.
|
||||
export KEY_SIZE=1024
|
||||
|
||||
# These are the default values for fields
|
||||
# which will be placed in the certificate.
|
||||
# Don't leave any of these fields blank.
|
||||
export KEY_COUNTRY=KG
|
||||
export KEY_PROVINCE=NA
|
||||
export KEY_CITY=BISHKEK
|
||||
export KEY_ORG="OpenVPN-TEST"
|
||||
export KEY_EMAIL="me@myhost.mydomain"
|
||||
@ -1,13 +0,0 @@
|
||||
|
||||
DESTDIR=
|
||||
PREFIX=
|
||||
|
||||
all:
|
||||
echo "All done."
|
||||
echo "Run make install DESTDIR=/usr/share/somewhere"
|
||||
|
||||
install:
|
||||
install -d "${DESTDIR}/${PREFIX}"
|
||||
install -m 0755 build-* "${DESTDIR}/${PREFIX}"
|
||||
install -m 0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
|
||||
install -m 0644 openssl-0.9.6.cnf openssl-0.9.8.cnf openssl-1.0.0.cnf README vars "${DESTDIR}/${PREFIX}"
|
||||
Binary file not shown.
@ -1,8 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build a root certificate
|
||||
#
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --initca $*
|
||||
@ -1,11 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build Diffie-Hellman parameters for the server side
|
||||
# of an SSL/TLS connection.
|
||||
|
||||
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
|
||||
$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make an intermediate CA certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --inter $*
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact $*
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Similar to build-key, but protect the private key
|
||||
# with a password.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --pass $*
|
||||
@ -1,8 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate and convert it to a PKCS #12 file including the
|
||||
# the CA certificate as well.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --pkcs12 $*
|
||||
@ -1,10 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
# Explicitly set nsCertType to server using the "server"
|
||||
# extension in the openssl.cnf file.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --server $*
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build a certificate signing request and private key. Use this
|
||||
# when your root certificate and key is not available locally.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --csr $*
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Like build-req, but protect your private key
|
||||
# with a password.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --csr --pass $*
|
||||
@ -1,16 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Initialize the $KEY_DIR directory.
|
||||
# Note that this script does a
|
||||
# rm -rf on $KEY_DIR so be careful!
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
rm -rf "$KEY_DIR"
|
||||
mkdir "$KEY_DIR" && \
|
||||
chmod go-rwx "$KEY_DIR" && \
|
||||
touch "$KEY_DIR/index.txt" && \
|
||||
echo 01 >"$KEY_DIR/serial"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,39 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build a new PKI which is rooted on an intermediate certificate generated
|
||||
# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
|
||||
# have independent vars settings, and must use a different KEY_DIR directory
|
||||
# from the parent. This tool can be used to generate arbitrary depth
|
||||
# certificate chains.
|
||||
#
|
||||
# To build an intermediate CA, follow the same steps for a regular PKI but
|
||||
# replace ./build-key or ./pkitool --initca with this script.
|
||||
|
||||
# The EXPORT_CA file will contain the CA certificate chain and should be
|
||||
# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
|
||||
# will only contain the local intermediate CA -- it's needed by the easy-rsa
|
||||
# scripts but not by OpenVPN directly.
|
||||
EXPORT_CA="export-ca.crt"
|
||||
|
||||
if [ $# -ne 2 ]; then
|
||||
echo "usage: $0 <parent-key-dir> <common-name>"
|
||||
echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
|
||||
echo "common-name: the common name of the intermediate certificate in the parent PKI"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cp "$1/$2.crt" "$KEY_DIR/ca.crt"
|
||||
cp "$1/$2.key" "$KEY_DIR/ca.key"
|
||||
|
||||
if [ -e "$1/$EXPORT_CA" ]; then
|
||||
PARENT_CA="$1/$EXPORT_CA"
|
||||
else
|
||||
PARENT_CA="$1/ca.crt"
|
||||
fi
|
||||
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
|
||||
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,76 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 1 (0x1)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
Validity
|
||||
Not Before: May 12 03:02:28 2012 GMT
|
||||
Not After : May 10 03:02:28 2022 GMT
|
||||
Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix, CN=crl-test.site/emailAddress=no-mail@site
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:c5:ea:a1:09:d0:00:af:07:54:12:6c:96:83:dc:
|
||||
2a:6e:10:db:57:0c:a9:70:8e:cd:3a:d4:c7:cf:bc:
|
||||
f8:8e:88:85:9c:59:26:fe:94:93:78:a6:7e:48:41:
|
||||
ce:78:12:55:1c:18:60:93:66:ab:35:9b:10:60:67:
|
||||
48:6e:e5:ef:01:d6:2b:33:24:73:66:ba:50:5f:90:
|
||||
bc:05:95:1c:fd:9a:82:e4:41:81:bb:a8:45:c3:9a:
|
||||
09:a3:8b:7a:00:fe:00:9f:bd:cf:15:42:5b:53:38:
|
||||
0d:8d:b4:90:c9:26:f3:2b:aa:de:a4:e9:eb:1c:e4:
|
||||
ab:e7:a9:0a:85:e4:72:53:8d
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Cert Type:
|
||||
SSL Server
|
||||
Netscape Comment:
|
||||
Easy-RSA Generated Server Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
2E:44:CD:9A:53:C1:1D:BC:4C:4D:58:7F:52:62:AF:7B:AC:C9:FF:3A
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
|
||||
DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
serial:8E:68:E2:9B:06:CB:D1:65
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
27:8b:a6:82:17:72:9d:e5:31:b5:14:58:a1:40:93:15:50:47:
|
||||
d6:73:ff:55:79:cb:bc:d6:e3:e5:d7:1b:5d:77:c8:ad:a4:1f:
|
||||
f0:2a:a3:de:81:4f:58:87:b9:38:49:42:69:53:51:87:79:ba:
|
||||
23:48:51:5d:b1:19:88:a0:6c:a2:1c:79:c3:7f:02:62:61:56:
|
||||
3e:1f:73:ec:e6:d1:33:22:ed:3d:60:3a:35:a4:8c:07:88:cc:
|
||||
25:b2:d8:2c:ac:db:47:a4:a6:72:30:e3:09:0c:0f:6d:bd:e7:
|
||||
bf:b7:77:af:89:8e:89:cb:7e:23:6b:9d:42:7e:b3:22:d9:aa:
|
||||
e0:67
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEITCCA4qgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
|
||||
CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
|
||||
biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
|
||||
amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
|
||||
ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDIyOFoXDTIyMDUxMDAzMDIyOFow
|
||||
fTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8x
|
||||
GDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMNY3JsLXRlc3Quc2l0
|
||||
ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqGSIb3DQEBAQUA
|
||||
A4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
|
||||
lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
|
||||
qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
|
||||
o4IBfjCCAXowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4
|
||||
QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD
|
||||
VR0OBBYEFC5EzZpTwR28TE1Yf1Jir3usyf86MIHiBgNVHSMEgdowgdeAFIyl21Mh
|
||||
vV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQGEwJCUjELMAkGA1UECBMC
|
||||
U1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMhRGViaWFuIEZvciBBbGl4
|
||||
IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51eCBQcm9qZWN0czEbMBkG
|
||||
A1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZIhvcNAQkBFgxuby1tYWls
|
||||
QHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMC
|
||||
BaAwDQYJKoZIhvcNAQEFBQADgYEAJ4umghdyneUxtRRYoUCTFVBH1nP/VXnLvNbj
|
||||
5dcbXXfIraQf8Cqj3oFPWIe5OElCaVNRh3m6I0hRXbEZiKBsohx5w38CYmFWPh9z
|
||||
7ObRMyLtPWA6NaSMB4jMJbLYLKzbR6SmcjDjCQwPbb3nv7d3r4mOict+I2udQn6z
|
||||
Itmq4Gc=
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,76 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 2 (0x2)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
Validity
|
||||
Not Before: May 12 03:03:25 2012 GMT
|
||||
Not After : May 10 03:03:25 2022 GMT
|
||||
Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=alix.site/emailAddress=no-mail@site
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:cb:96:17:e9:b2:ad:89:cb:26:60:63:28:d2:77:
|
||||
6c:95:31:bd:79:96:b9:08:63:ec:44:07:c9:e5:b3:
|
||||
ba:31:8c:1e:4d:a1:ff:81:8d:fd:7e:e2:68:63:18:
|
||||
93:be:99:15:70:b1:5b:20:fe:0f:ab:19:21:2e:57:
|
||||
16:55:21:3e:f5:2c:98:3d:ac:d6:0b:3f:34:ee:8f:
|
||||
59:a2:f2:4a:94:ed:96:c2:41:93:e3:9d:ed:d0:fa:
|
||||
64:f4:d7:24:3c:03:98:bc:95:be:2c:3f:42:89:3f:
|
||||
b9:e5:1a:95:3c:2d:67:0a:84:60:17:7d:21:5f:a8:
|
||||
43:99:65:3f:b3:d8:06:1d:43
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Cert Type:
|
||||
SSL Server
|
||||
Netscape Comment:
|
||||
Easy-RSA Generated Server Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
E0:51:7A:02:09:11:E6:2F:5F:47:D9:2E:36:9D:9D:AF:7F:16:5F:74
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
|
||||
DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
serial:8E:68:E2:9B:06:CB:D1:65
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
6b:b8:50:42:30:27:87:e9:1e:0c:8d:c5:c0:fc:71:f4:70:41:
|
||||
ee:45:09:ac:d2:2c:54:c7:d6:10:66:09:43:cd:8f:8e:75:9a:
|
||||
61:b7:7b:45:10:fa:f4:15:73:6a:ca:01:0b:33:fc:a1:06:30:
|
||||
c0:ff:10:5b:9d:5d:c1:2c:8d:a5:5f:f0:c2:ef:1c:49:e2:1f:
|
||||
02:f3:fa:3b:cd:19:c3:a6:37:0b:0c:cb:af:b0:f8:24:8e:f9:
|
||||
4d:36:82:89:2c:b8:84:a8:5d:5c:fb:f0:64:bd:04:f2:67:a2:
|
||||
3c:d9:59:a0:81:f4:ad:f5:9d:ad:d5:14:48:e2:48:99:ed:41:
|
||||
5e:31
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIESTCCA7KgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
|
||||
CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
|
||||
biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
|
||||
amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
|
||||
ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDMyNVoXDTIyMDUxMDAzMDMyNVow
|
||||
gaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
|
||||
MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
|
||||
BgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4LnNpdGUxGzAZBgkq
|
||||
hkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
|
||||
gYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYweTaH/gY39fuJoYxiT
|
||||
vpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2WwkGT453t0Ppk9Nck
|
||||
PAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMCAwEAAaOCAX4wggF6
|
||||
MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
|
||||
YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTg
|
||||
UXoCCRHmL19H2S42nZ2vfxZfdDCB4gYDVR0jBIHaMIHXgBSMpdtTIb1fYeFW7Xqb
|
||||
pQK9LiOqpqGBs6SBsDCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYD
|
||||
VQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1Z
|
||||
IENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRl
|
||||
YmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlggkA
|
||||
jmjimwbL0WUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMA0GCSqG
|
||||
SIb3DQEBBQUAA4GBAGu4UEIwJ4fpHgyNxcD8cfRwQe5FCazSLFTH1hBmCUPNj451
|
||||
mmG3e0UQ+vQVc2rKAQsz/KEGMMD/EFudXcEsjaVf8MLvHEniHwLz+jvNGcOmNwsM
|
||||
y6+w+CSO+U02goksuISoXVz78GS9BPJnojzZWaCB9K31na3VFEjiSJntQV4x
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,74 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 3 (0x3)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
Validity
|
||||
Not Before: May 12 03:06:31 2012 GMT
|
||||
Not After : May 10 03:06:31 2022 GMT
|
||||
Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=vpn01.site/emailAddress=no-mail@site
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:a0:47:e1:23:fa:32:a3:cc:ee:e4:03:96:4c:84:
|
||||
c2:1e:05:2a:a8:b1:02:0c:b4:26:c5:54:ec:a0:85:
|
||||
3b:a2:a2:51:b8:85:9a:af:8e:50:fc:99:0a:5a:87:
|
||||
bf:02:f6:89:bd:04:44:fc:39:db:97:94:62:e8:e1:
|
||||
2f:c5:f9:dc:ce:2a:c0:63:b7:be:6c:41:7d:87:01:
|
||||
dd:f2:8b:b2:99:f6:a8:af:4e:11:0d:7b:e2:6e:82:
|
||||
ec:10:78:21:3c:09:85:c3:ab:b1:6d:14:74:c8:0a:
|
||||
8f:ec:80:80:b8:f6:a1:ef:dc:ba:7a:08:2b:c2:f5:
|
||||
77:af:93:d5:8d:1d:98:f2:85
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Comment:
|
||||
Easy-RSA Generated Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
91:38:28:A9:09:46:53:9E:E7:BC:29:77:F7:3B:25:92:08:6A:49:56
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
|
||||
DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
serial:8E:68:E2:9B:06:CB:D1:65
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Client Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
72:65:d4:0d:49:25:77:e2:c1:6d:10:eb:21:6a:d8:33:e7:01:
|
||||
b6:e5:25:dd:46:73:3f:65:91:16:46:dd:db:88:ed:97:2b:02:
|
||||
6f:0e:f3:be:23:e0:38:80:93:5b:6c:85:e8:32:cc:2a:fc:d3:
|
||||
23:c6:c1:66:52:d9:cf:d1:ab:7d:85:19:7a:a9:02:3a:f8:af:
|
||||
74:97:bf:8d:73:92:b8:d4:18:48:b8:2a:a6:c1:5e:e2:6e:cc:
|
||||
ea:91:ba:91:7c:39:21:4e:46:76:c8:4e:3f:98:a7:fc:f2:31:
|
||||
e4:27:fa:c2:34:d5:7c:8a:94:63:c1:bb:b4:eb:7c:ce:21:00:
|
||||
d5:72
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEMDCCA5mgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
|
||||
CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
|
||||
biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
|
||||
amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
|
||||
ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDYzMVoXDTIyMDUxMDAzMDYzMVow
|
||||
gaUxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
|
||||
MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
|
||||
BgNVBAsTDkxpbnV4IFByb2plY3RzMRMwEQYDVQQDEwp2cG4wMS5zaXRlMRswGQYJ
|
||||
KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
|
||||
AoGBAKBH4SP6MqPM7uQDlkyEwh4FKqixAgy0JsVU7KCFO6KiUbiFmq+OUPyZClqH
|
||||
vwL2ib0ERPw525eUYujhL8X53M4qwGO3vmxBfYcB3fKLspn2qK9OEQ174m6C7BB4
|
||||
ITwJhcOrsW0UdMgKj+yAgLj2oe/cunoIK8L1d6+T1Y0dmPKFAgMBAAGjggFkMIIB
|
||||
YDAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQg
|
||||
Q2VydGlmaWNhdGUwHQYDVR0OBBYEFJE4KKkJRlOe57wpd/c7JZIIaklWMIHiBgNV
|
||||
HSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQG
|
||||
EwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMh
|
||||
RGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51
|
||||
eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZI
|
||||
hvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEF
|
||||
BQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQEFBQADgYEAcmXUDUkld+LBbRDr
|
||||
IWrYM+cBtuUl3UZzP2WRFkbd24jtlysCbw7zviPgOICTW2yF6DLMKvzTI8bBZlLZ
|
||||
z9GrfYUZeqkCOvivdJe/jXOSuNQYSLgqpsFe4m7M6pG6kXw5IU5GdshOP5in/PIx
|
||||
5Cf6wjTVfIqUY8G7tOt8ziEA1XI=
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,76 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 2 (0x2)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
Validity
|
||||
Not Before: May 12 03:03:25 2012 GMT
|
||||
Not After : May 10 03:03:25 2022 GMT
|
||||
Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=alix.site/emailAddress=no-mail@site
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:cb:96:17:e9:b2:ad:89:cb:26:60:63:28:d2:77:
|
||||
6c:95:31:bd:79:96:b9:08:63:ec:44:07:c9:e5:b3:
|
||||
ba:31:8c:1e:4d:a1:ff:81:8d:fd:7e:e2:68:63:18:
|
||||
93:be:99:15:70:b1:5b:20:fe:0f:ab:19:21:2e:57:
|
||||
16:55:21:3e:f5:2c:98:3d:ac:d6:0b:3f:34:ee:8f:
|
||||
59:a2:f2:4a:94:ed:96:c2:41:93:e3:9d:ed:d0:fa:
|
||||
64:f4:d7:24:3c:03:98:bc:95:be:2c:3f:42:89:3f:
|
||||
b9:e5:1a:95:3c:2d:67:0a:84:60:17:7d:21:5f:a8:
|
||||
43:99:65:3f:b3:d8:06:1d:43
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Cert Type:
|
||||
SSL Server
|
||||
Netscape Comment:
|
||||
Easy-RSA Generated Server Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
E0:51:7A:02:09:11:E6:2F:5F:47:D9:2E:36:9D:9D:AF:7F:16:5F:74
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
|
||||
DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
serial:8E:68:E2:9B:06:CB:D1:65
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
6b:b8:50:42:30:27:87:e9:1e:0c:8d:c5:c0:fc:71:f4:70:41:
|
||||
ee:45:09:ac:d2:2c:54:c7:d6:10:66:09:43:cd:8f:8e:75:9a:
|
||||
61:b7:7b:45:10:fa:f4:15:73:6a:ca:01:0b:33:fc:a1:06:30:
|
||||
c0:ff:10:5b:9d:5d:c1:2c:8d:a5:5f:f0:c2:ef:1c:49:e2:1f:
|
||||
02:f3:fa:3b:cd:19:c3:a6:37:0b:0c:cb:af:b0:f8:24:8e:f9:
|
||||
4d:36:82:89:2c:b8:84:a8:5d:5c:fb:f0:64:bd:04:f2:67:a2:
|
||||
3c:d9:59:a0:81:f4:ad:f5:9d:ad:d5:14:48:e2:48:99:ed:41:
|
||||
5e:31
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIESTCCA7KgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
|
||||
CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
|
||||
biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
|
||||
amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
|
||||
ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDMyNVoXDTIyMDUxMDAzMDMyNVow
|
||||
gaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
|
||||
MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
|
||||
BgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4LnNpdGUxGzAZBgkq
|
||||
hkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
|
||||
gYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYweTaH/gY39fuJoYxiT
|
||||
vpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2WwkGT453t0Ppk9Nck
|
||||
PAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMCAwEAAaOCAX4wggF6
|
||||
MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
|
||||
YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTg
|
||||
UXoCCRHmL19H2S42nZ2vfxZfdDCB4gYDVR0jBIHaMIHXgBSMpdtTIb1fYeFW7Xqb
|
||||
pQK9LiOqpqGBs6SBsDCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYD
|
||||
VQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1Z
|
||||
IENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRl
|
||||
YmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlggkA
|
||||
jmjimwbL0WUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMA0GCSqG
|
||||
SIb3DQEBBQUAA4GBAGu4UEIwJ4fpHgyNxcD8cfRwQe5FCazSLFTH1hBmCUPNj451
|
||||
mmG3e0UQ+vQVc2rKAQsz/KEGMMD/EFudXcEsjaVf8MLvHEniHwLz+jvNGcOmNwsM
|
||||
y6+w+CSO+U02goksuISoXVz78GS9BPJnojzZWaCB9K31na3VFEjiSJntQV4x
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,13 +0,0 @@
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIB5TCCAU4CAQAwgaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UE
|
||||
BxMJU2FvIFBhdWxvMSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBD
|
||||
SEFOR0UgSVQxFzAVBgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4
|
||||
LnNpdGUxGzAZBgkqhkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0B
|
||||
AQEFAAOBjQAwgYkCgYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYwe
|
||||
TaH/gY39fuJoYxiTvpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2W
|
||||
wkGT453t0Ppk9NckPAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMC
|
||||
AwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBACEP5T3w6bdqyF0aHZD3Tye0b02bL1S/
|
||||
x6phHacFHYA0SwDPU/Wd6jXmqWvgG0Iz6mtoKTcfYdPaWvqagykRB0PHIkKlf1he
|
||||
Y+hHJfnOzvUroUglF6a3tc6LDLU9GwBZ8u/H1Ox9U+vhstTkVB72735Q8L0FWAVa
|
||||
iE3D7xZX5Rjf
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
@ -1,15 +0,0 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXAIBAAKBgQDLlhfpsq2JyyZgYyjSd2yVMb15lrkIY+xEB8nls7oxjB5Nof+B
|
||||
jf1+4mhjGJO+mRVwsVsg/g+rGSEuVxZVIT71LJg9rNYLPzTuj1mi8kqU7ZbCQZPj
|
||||
ne3Q+mT01yQ8A5i8lb4sP0KJP7nlGpU8LWcKhGAXfSFfqEOZZT+z2AYdQwIDAQAB
|
||||
AoGAFZ4fdepKMRqIPa3p1MdnmUQJ2ZJenXx2xxaIosJ93+sAAMBV8DzSkRmbegJP
|
||||
FesNcsTyZ0NzCHkHo/MNZQa9t3xSb3I5ZTg6CMe/QiXu09U56dIACNT9GhrfPpIZ
|
||||
ovllZtTPQwR4rcQnwTXxWTn6NCjiDFs/VvwaGAkU0rO3VlkCQQD5pGsMwKj9HPI7
|
||||
SM4tN6saNvLyPzE1rooF03zIpD4SwtwAsuHWT8LNiI4Th4f61q0uhn2G3bpjiriX
|
||||
f4wB4TxNAkEA0MVn/h3dghfy2GxvMbTbn7wbPcCGhQRXU5NwbdgOmqFDfpBa7+TS
|
||||
/xqqb0APFgBgKi0iuYpN/mH7gSpeCmFHzwJAXufd9qwr0oY1pMop79DREJdBR000
|
||||
1Ra0zEA5mUGvg4xm/TEEYGhUQ7UdZllJHdiNYDmq8SHMYVl0kcvgmzpYpQJAQqxo
|
||||
080x6tQ/KEMpF9TMtyzZ/lS4IU8LnJNfupTfxR5vccIkaKzJfdNETxdEOiCQlaeo
|
||||
iVzUH8OnEM85DVOYHQJBAOBvhg5bY9IjhZWEcdq/uY1XDTbaxNydeDLUO7imoQVd
|
||||
/rbaY+krV26ewmE6LUS2n6tIrGQG4FRlQtEp7I36htQ=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
@ -1,24 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID8jCCA1ugAwIBAgIJAI5o4psGy9FlMA0GCSqGSIb3DQEBBQUAMIGtMQswCQYD
|
||||
VQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UE
|
||||
ChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5M
|
||||
aW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJ
|
||||
KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwHhcNMTIwNTEyMDMwMTUzWhcNMjIwNTEw
|
||||
MDMwMTUzWjCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlT
|
||||
YW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1ZIENIQU5H
|
||||
RSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRlYmlhbiBG
|
||||
b3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqG
|
||||
SIb3DQEBAQUAA4GNADCBiQKBgQCvPgsgF+v7xSfdH/EJVoRdvGHfj+xwHarRNHfy
|
||||
rCmhOwZYqNTFrGV+PgZqLu1KVFUxEiV4/qjDosmQnKMfSOo07QY07JpQkyPmezyA
|
||||
4kjZcSlQZ7YrdNI/jtSWZwehm1pkGftWQUx1SOFUhYVOm6DM76SoaSJRXkbqlfAt
|
||||
YRmN0wIDAQABo4IBFjCCARIwHQYDVR0OBBYEFIyl21MhvV9h4VbtepulAr0uI6qm
|
||||
MIHiBgNVHSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQsw
|
||||
CQYDVQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgG
|
||||
A1UEChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQL
|
||||
Ew5MaW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRsw
|
||||
GQYJKoZIhvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTAMBgNVHRMEBTAD
|
||||
AQH/MA0GCSqGSIb3DQEBBQUAA4GBABVmoMWdupXUB2J5p3LI18icmItRPyPH5uBc
|
||||
8C2/7AuvOvsRjjjAOtiThBLshCa2YQ2kxlT/uQKVAHrJojzDjozF/NB4rjr74aqj
|
||||
GGrWIL8ATWUjNKQFJv32h16t+eUrmWJJUlS4L0oq+v/C96l2QMG8M5Z3nxuctWwO
|
||||
ObQ1wsVu
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,15 +0,0 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXgIBAAKBgQCvPgsgF+v7xSfdH/EJVoRdvGHfj+xwHarRNHfyrCmhOwZYqNTF
|
||||
rGV+PgZqLu1KVFUxEiV4/qjDosmQnKMfSOo07QY07JpQkyPmezyA4kjZcSlQZ7Yr
|
||||
dNI/jtSWZwehm1pkGftWQUx1SOFUhYVOm6DM76SoaSJRXkbqlfAtYRmN0wIDAQAB
|
||||
AoGBAIUrpfK2mxtSAPA2VMqe16oP/WSSD8BHm0auE7TzhhNDMphvfHnXf61G30MT
|
||||
9Dk3CyJmQtnG1GMPMxPVJNUiaO+aUVfOV1o38S9y9eSd34IX86MvzCsdwAkK120M
|
||||
/Mndf6G2TSLLTh351SBAKx1F3bAB5gohIIKMRUiWNd7edJxBAkEA5sfMVSt3isyK
|
||||
X3pToki/H+d0Ht3HZAQzjpCzy4lFymfMiywMlU/ujsTR0KpXXEtJAvC1S22hBGmX
|
||||
s/YPMGmLswJBAMJkic85d/Eld2xIsGZMvn/2hjQiJMd+akdvSO6p6Fq4IX8zFdXS
|
||||
yob1zyaaI8r9YZcBIBJjipeEgY29yVAKZWECQGhNnPhRcPH2iAOnEe2i217cCQt6
|
||||
SQfXLkYc+GXhYP2d9EBiZD2HptY39mxM0LcR/6moiQfSQJfx8XKQn0TOLykCQQCF
|
||||
3xEc2bnlI2U7+E8rFFz46QCBNKZZkJCGg3gZjH9MwpOm8rpt183L5cp0DiDqMVcc
|
||||
1BSPNWgDcqh5waK68X3hAkEAnnYmuNkKLTs25Zc2gRR/7OXgGc3sRdBnHiTT/dPr
|
||||
nGQ7npSSA01XZKJFSRFSgEFoBBiP3k5GcuS9Srr9gfHSJQ==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
@ -1,76 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 1 (0x1)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
Validity
|
||||
Not Before: May 12 03:02:28 2012 GMT
|
||||
Not After : May 10 03:02:28 2022 GMT
|
||||
Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix, CN=crl-test.site/emailAddress=no-mail@site
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:c5:ea:a1:09:d0:00:af:07:54:12:6c:96:83:dc:
|
||||
2a:6e:10:db:57:0c:a9:70:8e:cd:3a:d4:c7:cf:bc:
|
||||
f8:8e:88:85:9c:59:26:fe:94:93:78:a6:7e:48:41:
|
||||
ce:78:12:55:1c:18:60:93:66:ab:35:9b:10:60:67:
|
||||
48:6e:e5:ef:01:d6:2b:33:24:73:66:ba:50:5f:90:
|
||||
bc:05:95:1c:fd:9a:82:e4:41:81:bb:a8:45:c3:9a:
|
||||
09:a3:8b:7a:00:fe:00:9f:bd:cf:15:42:5b:53:38:
|
||||
0d:8d:b4:90:c9:26:f3:2b:aa:de:a4:e9:eb:1c:e4:
|
||||
ab:e7:a9:0a:85:e4:72:53:8d
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Cert Type:
|
||||
SSL Server
|
||||
Netscape Comment:
|
||||
Easy-RSA Generated Server Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
2E:44:CD:9A:53:C1:1D:BC:4C:4D:58:7F:52:62:AF:7B:AC:C9:FF:3A
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
|
||||
DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
serial:8E:68:E2:9B:06:CB:D1:65
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
27:8b:a6:82:17:72:9d:e5:31:b5:14:58:a1:40:93:15:50:47:
|
||||
d6:73:ff:55:79:cb:bc:d6:e3:e5:d7:1b:5d:77:c8:ad:a4:1f:
|
||||
f0:2a:a3:de:81:4f:58:87:b9:38:49:42:69:53:51:87:79:ba:
|
||||
23:48:51:5d:b1:19:88:a0:6c:a2:1c:79:c3:7f:02:62:61:56:
|
||||
3e:1f:73:ec:e6:d1:33:22:ed:3d:60:3a:35:a4:8c:07:88:cc:
|
||||
25:b2:d8:2c:ac:db:47:a4:a6:72:30:e3:09:0c:0f:6d:bd:e7:
|
||||
bf:b7:77:af:89:8e:89:cb:7e:23:6b:9d:42:7e:b3:22:d9:aa:
|
||||
e0:67
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEITCCA4qgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
|
||||
CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
|
||||
biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
|
||||
amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
|
||||
ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDIyOFoXDTIyMDUxMDAzMDIyOFow
|
||||
fTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8x
|
||||
GDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMNY3JsLXRlc3Quc2l0
|
||||
ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqGSIb3DQEBAQUA
|
||||
A4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
|
||||
lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
|
||||
qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
|
||||
o4IBfjCCAXowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4
|
||||
QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD
|
||||
VR0OBBYEFC5EzZpTwR28TE1Yf1Jir3usyf86MIHiBgNVHSMEgdowgdeAFIyl21Mh
|
||||
vV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQGEwJCUjELMAkGA1UECBMC
|
||||
U1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMhRGViaWFuIEZvciBBbGl4
|
||||
IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51eCBQcm9qZWN0czEbMBkG
|
||||
A1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZIhvcNAQkBFgxuby1tYWls
|
||||
QHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMC
|
||||
BaAwDQYJKoZIhvcNAQEFBQADgYEAJ4umghdyneUxtRRYoUCTFVBH1nP/VXnLvNbj
|
||||
5dcbXXfIraQf8Cqj3oFPWIe5OElCaVNRh3m6I0hRXbEZiKBsohx5w38CYmFWPh9z
|
||||
7ObRMyLtPWA6NaSMB4jMJbLYLKzbR6SmcjDjCQwPbb3nv7d3r4mOict+I2udQn6z
|
||||
Itmq4Gc=
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,12 +0,0 @@
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIBvTCCASYCAQAwfTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQH
|
||||
EwlTYW8gUGF1bG8xGDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMN
|
||||
Y3JsLXRlc3Quc2l0ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0G
|
||||
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs06
|
||||
1MfPvPiOiIWcWSb+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBf
|
||||
kLwFlRz9moLkQYG7qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5Kvn
|
||||
qQqF5HJTjQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAsuPOQdbzTcvMTrZPpn9r
|
||||
Aqpi+vcLt1g1B5NF4qlw1MhJ2bavIimsQYhT/PM+i8722QJL+K7VJr0Y9VgRI2Rg
|
||||
qPUquHVsXkZQN3d0+q/YRK6W0WFJEJaF85gDzIlyNBNKuBJq9ADafRugDrz2xcM7
|
||||
cy0OZCunFhH3MdCqXdRqLrw=
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
@ -1,15 +0,0 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXAIBAAKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
|
||||
lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
|
||||
qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
|
||||
AoGAZo88XiJciFbK2TVOFgx8LEct8oEMONi3PxpOZLcvMmVKn4ePbnM9rFLSs8zu
|
||||
GkidtA5p1VhptkChjuNWpKkgXbDBTRYbrUOnXrUgToW10C4E5ftztbcRQ847OE1G
|
||||
eMjznSd9SiLElV3REyY6BzTYciRo987MoBrtqi02EPDYbv0CQQDraopLMDQml1Kl
|
||||
1cluGuTJ8ZNxDKWkDfr5BvEMpn5v1W82k1dWLkJDMYIuKu76OfevxAibLpNL3Q06
|
||||
wLb8c4nTAkEA1zi2PaBAiPgDXPUl3LnDNrr4kjXc8KJZpmCf/kgKVc+pYppDsUiG
|
||||
wC4mWcVuerrankeLFbkOPW0GBjsrDVfxHwJAJDkMdm1AWP/Hs8Slbc+tjHUjXq23
|
||||
fvq3t0GeLXgg1ExfBGK/eX88quIfScNJai8pMV5UhKwx9eZZdsTYYxfUCQJAMvog
|
||||
2Fnzzz2HdmYukKiDX5xLsj4F1g1uVKVAYDdqE0c7pLpLXFuEZ1LHDK5h67oEfEcP
|
||||
35ZUlCIVsjYjjWaOGwJBAJC0swnzK5wdMDzzF+oqOnGs2EzptfuUQ9JlabffbL4Y
|
||||
9mbuCu12IDMLDmY73Dnk1BWzi8TyfTD2fEDU8seNl28=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
@ -1,11 +0,0 @@
|
||||
-----BEGIN X509 CRL-----
|
||||
MIIBiTCB8zANBgkqhkiG9w0BAQQFADCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgT
|
||||
AlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxp
|
||||
eCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZ
|
||||
BgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFp
|
||||
bEBzaXRlFw0xMjA1MTIwMzAyMzhaFw0xMjA2MTEwMzAyMzhaMBQwEgIBARcNMTIw
|
||||
NTEyMDMwMjM4WjANBgkqhkiG9w0BAQQFAAOBgQAJRVAq3T2gjUsKSjg5dLuy3pGl
|
||||
jVguEybZuOJn80LX1a9Jha367CZVuuww6GX2EUBiFKxXS4BHsV56q2XJaUlWaCXb
|
||||
4pjHWNm5i/JW7VwtG1fConY2BRaJrVCXu8wazx6vzbxYNuyMwtaoUvvPaGlQxen5
|
||||
TMe+Qpp6nw8ppaHAPg==
|
||||
-----END X509 CRL-----
|
||||
@ -1,5 +0,0 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIGHAoGBAKPTQ3STxQjGe+kIuQrOhyIXruP3ttLox+Zlieb9wRoblR8PNGyyUv7t
|
||||
4X/7Bk+vzrwkqUYwUX91Hm5GMBDqhuchk0iY9r+y7XucD69yct3ivF6oKqqNjQyN
|
||||
I2mpbMWKZTbSrfKKcd5NTOVDQUxpIIVRJhp2nfNW24jvHI4hIgjjAgEC
|
||||
-----END DH PARAMETERS-----
|
||||
@ -1,3 +0,0 @@
|
||||
R 220510030228Z 120512030238Z 01 unknown /C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix/CN=crl-test.site/emailAddress=no-mail@site
|
||||
V 220510030325Z 02 unknown /C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=alix.site/emailAddress=no-mail@site
|
||||
V 220510030631Z 03 unknown /C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=vpn01.site/emailAddress=no-mail@site
|
||||
@ -1 +0,0 @@
|
||||
unique_subject = yes
|
||||
@ -1 +0,0 @@
|
||||
unique_subject = yes
|
||||
@ -1,2 +0,0 @@
|
||||
R 220510030228Z 120512030238Z 01 unknown /C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix/CN=crl-test.site/emailAddress=no-mail@site
|
||||
V 220510030325Z 02 unknown /C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=alix.site/emailAddress=no-mail@site
|
||||
@ -1,35 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID8jCCA1ugAwIBAgIJAI5o4psGy9FlMA0GCSqGSIb3DQEBBQUAMIGtMQswCQYD
|
||||
VQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UE
|
||||
ChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5M
|
||||
aW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJ
|
||||
KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwHhcNMTIwNTEyMDMwMTUzWhcNMjIwNTEw
|
||||
MDMwMTUzWjCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlT
|
||||
YW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1ZIENIQU5H
|
||||
RSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRlYmlhbiBG
|
||||
b3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqG
|
||||
SIb3DQEBAQUAA4GNADCBiQKBgQCvPgsgF+v7xSfdH/EJVoRdvGHfj+xwHarRNHfy
|
||||
rCmhOwZYqNTFrGV+PgZqLu1KVFUxEiV4/qjDosmQnKMfSOo07QY07JpQkyPmezyA
|
||||
4kjZcSlQZ7YrdNI/jtSWZwehm1pkGftWQUx1SOFUhYVOm6DM76SoaSJRXkbqlfAt
|
||||
YRmN0wIDAQABo4IBFjCCARIwHQYDVR0OBBYEFIyl21MhvV9h4VbtepulAr0uI6qm
|
||||
MIHiBgNVHSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQsw
|
||||
CQYDVQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgG
|
||||
A1UEChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQL
|
||||
Ew5MaW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRsw
|
||||
GQYJKoZIhvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTAMBgNVHRMEBTAD
|
||||
AQH/MA0GCSqGSIb3DQEBBQUAA4GBABVmoMWdupXUB2J5p3LI18icmItRPyPH5uBc
|
||||
8C2/7AuvOvsRjjjAOtiThBLshCa2YQ2kxlT/uQKVAHrJojzDjozF/NB4rjr74aqj
|
||||
GGrWIL8ATWUjNKQFJv32h16t+eUrmWJJUlS4L0oq+v/C96l2QMG8M5Z3nxuctWwO
|
||||
ObQ1wsVu
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN X509 CRL-----
|
||||
MIIBiTCB8zANBgkqhkiG9w0BAQQFADCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgT
|
||||
AlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxp
|
||||
eCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZ
|
||||
BgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFp
|
||||
bEBzaXRlFw0xMjA1MTIwMzAyMzhaFw0xMjA2MTEwMzAyMzhaMBQwEgIBARcNMTIw
|
||||
NTEyMDMwMjM4WjANBgkqhkiG9w0BAQQFAAOBgQAJRVAq3T2gjUsKSjg5dLuy3pGl
|
||||
jVguEybZuOJn80LX1a9Jha367CZVuuww6GX2EUBiFKxXS4BHsV56q2XJaUlWaCXb
|
||||
4pjHWNm5i/JW7VwtG1fConY2BRaJrVCXu8wazx6vzbxYNuyMwtaoUvvPaGlQxen5
|
||||
TMe+Qpp6nw8ppaHAPg==
|
||||
-----END X509 CRL-----
|
||||
@ -1 +0,0 @@
|
||||
04
|
||||
@ -1 +0,0 @@
|
||||
03
|
||||
@ -1,74 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 3 (0x3)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
Validity
|
||||
Not Before: May 12 03:06:31 2012 GMT
|
||||
Not After : May 10 03:06:31 2022 GMT
|
||||
Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=vpn01.site/emailAddress=no-mail@site
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:a0:47:e1:23:fa:32:a3:cc:ee:e4:03:96:4c:84:
|
||||
c2:1e:05:2a:a8:b1:02:0c:b4:26:c5:54:ec:a0:85:
|
||||
3b:a2:a2:51:b8:85:9a:af:8e:50:fc:99:0a:5a:87:
|
||||
bf:02:f6:89:bd:04:44:fc:39:db:97:94:62:e8:e1:
|
||||
2f:c5:f9:dc:ce:2a:c0:63:b7:be:6c:41:7d:87:01:
|
||||
dd:f2:8b:b2:99:f6:a8:af:4e:11:0d:7b:e2:6e:82:
|
||||
ec:10:78:21:3c:09:85:c3:ab:b1:6d:14:74:c8:0a:
|
||||
8f:ec:80:80:b8:f6:a1:ef:dc:ba:7a:08:2b:c2:f5:
|
||||
77:af:93:d5:8d:1d:98:f2:85
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Comment:
|
||||
Easy-RSA Generated Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
91:38:28:A9:09:46:53:9E:E7:BC:29:77:F7:3B:25:92:08:6A:49:56
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
|
||||
DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
|
||||
serial:8E:68:E2:9B:06:CB:D1:65
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Client Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
72:65:d4:0d:49:25:77:e2:c1:6d:10:eb:21:6a:d8:33:e7:01:
|
||||
b6:e5:25:dd:46:73:3f:65:91:16:46:dd:db:88:ed:97:2b:02:
|
||||
6f:0e:f3:be:23:e0:38:80:93:5b:6c:85:e8:32:cc:2a:fc:d3:
|
||||
23:c6:c1:66:52:d9:cf:d1:ab:7d:85:19:7a:a9:02:3a:f8:af:
|
||||
74:97:bf:8d:73:92:b8:d4:18:48:b8:2a:a6:c1:5e:e2:6e:cc:
|
||||
ea:91:ba:91:7c:39:21:4e:46:76:c8:4e:3f:98:a7:fc:f2:31:
|
||||
e4:27:fa:c2:34:d5:7c:8a:94:63:c1:bb:b4:eb:7c:ce:21:00:
|
||||
d5:72
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEMDCCA5mgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
|
||||
CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
|
||||
biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
|
||||
amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
|
||||
ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDYzMVoXDTIyMDUxMDAzMDYzMVow
|
||||
gaUxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
|
||||
MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
|
||||
BgNVBAsTDkxpbnV4IFByb2plY3RzMRMwEQYDVQQDEwp2cG4wMS5zaXRlMRswGQYJ
|
||||
KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
|
||||
AoGBAKBH4SP6MqPM7uQDlkyEwh4FKqixAgy0JsVU7KCFO6KiUbiFmq+OUPyZClqH
|
||||
vwL2ib0ERPw525eUYujhL8X53M4qwGO3vmxBfYcB3fKLspn2qK9OEQ174m6C7BB4
|
||||
ITwJhcOrsW0UdMgKj+yAgLj2oe/cunoIK8L1d6+T1Y0dmPKFAgMBAAGjggFkMIIB
|
||||
YDAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQg
|
||||
Q2VydGlmaWNhdGUwHQYDVR0OBBYEFJE4KKkJRlOe57wpd/c7JZIIaklWMIHiBgNV
|
||||
HSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQG
|
||||
EwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMh
|
||||
RGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51
|
||||
eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZI
|
||||
hvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEF
|
||||
BQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQEFBQADgYEAcmXUDUkld+LBbRDr
|
||||
IWrYM+cBtuUl3UZzP2WRFkbd24jtlysCbw7zviPgOICTW2yF6DLMKvzTI8bBZlLZ
|
||||
z9GrfYUZeqkCOvivdJe/jXOSuNQYSLgqpsFe4m7M6pG6kXw5IU5GdshOP5in/PIx
|
||||
5Cf6wjTVfIqUY8G7tOt8ziEA1XI=
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,13 +0,0 @@
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIB5jCCAU8CAQAwgaUxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UE
|
||||
BxMJU2FvIFBhdWxvMSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBD
|
||||
SEFOR0UgSVQxFzAVBgNVBAsTDkxpbnV4IFByb2plY3RzMRMwEQYDVQQDEwp2cG4w
|
||||
MS5zaXRlMRswGQYJKoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwgZ8wDQYJKoZIhvcN
|
||||
AQEBBQADgY0AMIGJAoGBAKBH4SP6MqPM7uQDlkyEwh4FKqixAgy0JsVU7KCFO6Ki
|
||||
UbiFmq+OUPyZClqHvwL2ib0ERPw525eUYujhL8X53M4qwGO3vmxBfYcB3fKLspn2
|
||||
qK9OEQ174m6C7BB4ITwJhcOrsW0UdMgKj+yAgLj2oe/cunoIK8L1d6+T1Y0dmPKF
|
||||
AgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAYmNnggH95U2iVGt8Ef123jYY5I79b
|
||||
T4I9PxUOvqhLaHy7C55XR612TKop48D4SuyXif7LescwEvvOlawYXLnGnbIIpQe5
|
||||
BnlJ6BBd9WJ72DWrKSXev7zwj+eWG7tjXXLLXsWQGyF9zUJmp2X14PaaGKrY8m7J
|
||||
lsFjBJb1btOzoQ==
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
@ -1,15 +0,0 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICWwIBAAKBgQCgR+Ej+jKjzO7kA5ZMhMIeBSqosQIMtCbFVOyghTuiolG4hZqv
|
||||
jlD8mQpah78C9om9BET8OduXlGLo4S/F+dzOKsBjt75sQX2HAd3yi7KZ9qivThEN
|
||||
e+JuguwQeCE8CYXDq7FtFHTICo/sgIC49qHv3Lp6CCvC9Xevk9WNHZjyhQIDAQAB
|
||||
AoGASf2ks2UW54L9bQky4xQOQKmF7eX42kB3/XSc3+VhiEyCiTo0FIMQY+uKWgx8
|
||||
YzPIlhdYeU+ETc9UcckysqQMB+2x8+wyB9SFe0AIsHqXUVlW1lPgaDRqIwHWzJjY
|
||||
Z51qRT+EehH4c65Lec+jTAiVj5HMQCFHIfANR5tN1MkuMakCQQDLs5PlS48cOgve
|
||||
2DHWoIHr6Lgh4dQ9Puq2Gy29tFUpVV2FfZ+dCkx8GX4CX07Yoz1YSkHDb3etHQrD
|
||||
dVb2RMArAkEAyW5yLwlyqLJHwvLt+8Lo8EwLDTEIoj8yq2ks7F/vRXFPvpUzPWpD
|
||||
/Z9eTfULUDoY28O4apUbLSXc16QF1C0QDwJAXy9qzJqiJO563YbowwH9s97rK+n6
|
||||
4yOjSbUpipvZr5bUPKyXCSrm0paW60Td8x1UbQ1F7a0InzwS64LJQAqgQQJAW9v5
|
||||
SIgXeOUsorPkYb7GOeeD1rU4ybzmX5MsQHOTi2icRD6ISoaukPffqs+IJEMKWRZN
|
||||
gJWU+ibdKp4LZnJScwJAfpHZTB2GLuPBd/zU+R0pJF3JE2Ktv7+PKl44dl49+P4R
|
||||
L6KsiC6E5kaVdF8LCZaKY/4UIRCKFZw876rnzEjGTw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
@ -1,13 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# list revoked certificates
|
||||
|
||||
CRL="${1:-crl.pem}"
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cd "$KEY_DIR" && \
|
||||
$OPENSSL crl -text -noout -in "$CRL"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,265 +0,0 @@
|
||||
# For use with easy-rsa version 2.0
|
||||
|
||||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
@ -1,290 +0,0 @@
|
||||
# For use with easy-rsa version 2.0
|
||||
|
||||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[ openssl_init ]
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
engines = engine_section
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
name = Name
|
||||
name_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
name_default = $ENV::KEY_NAME
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ engine_section ]
|
||||
#
|
||||
# If you are using PKCS#11
|
||||
# Install engine_pkcs11 of opensc (www.opensc.org)
|
||||
# And uncomment the following
|
||||
# verify that dynamic_path points to the correct location
|
||||
#
|
||||
#pkcs11 = pkcs11_section
|
||||
|
||||
[ pkcs11_section ]
|
||||
engine_id = pkcs11
|
||||
dynamic_path = /usr/lib/engines/engine_pkcs11.so
|
||||
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
|
||||
PIN = $ENV::PKCS11_PIN
|
||||
init = 0
|
||||
@ -1,285 +0,0 @@
|
||||
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[ openssl_init ]
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
engines = engine_section
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # use public key default MD
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
|
||||
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
name = Name
|
||||
name_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
name_default = $ENV::KEY_NAME
|
||||
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ engine_section ]
|
||||
#
|
||||
# If you are using PKCS#11
|
||||
# Install engine_pkcs11 of opensc (www.opensc.org)
|
||||
# And uncomment the following
|
||||
# verify that dynamic_path points to the correct location
|
||||
#
|
||||
#pkcs11 = pkcs11_section
|
||||
|
||||
[ pkcs11_section ]
|
||||
engine_id = pkcs11
|
||||
dynamic_path = /usr/lib/engines/engine_pkcs11.so
|
||||
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
|
||||
PIN = $ENV::PKCS11_PIN
|
||||
init = 0
|
||||
@ -1,285 +0,0 @@
|
||||
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[ openssl_init ]
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
engines = engine_section
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # use public key default MD
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
|
||||
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
name = Name
|
||||
name_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
name_default = $ENV::KEY_NAME
|
||||
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ engine_section ]
|
||||
#
|
||||
# If you are using PKCS#11
|
||||
# Install engine_pkcs11 of opensc (www.opensc.org)
|
||||
# And uncomment the following
|
||||
# verify that dynamic_path points to the correct location
|
||||
#
|
||||
#pkcs11 = pkcs11_section
|
||||
|
||||
[ pkcs11_section ]
|
||||
engine_id = pkcs11
|
||||
dynamic_path = /usr/lib/engines/engine_pkcs11.so
|
||||
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
|
||||
PIN = $ENV::PKCS11_PIN
|
||||
init = 0
|
||||
@ -1,285 +0,0 @@
|
||||
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[ openssl_init ]
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
engines = engine_section
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # use public key default MD
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
|
||||
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
name = Name
|
||||
name_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
name_default = $ENV::KEY_NAME
|
||||
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ engine_section ]
|
||||
#
|
||||
# If you are using PKCS#11
|
||||
# Install engine_pkcs11 of opensc (www.opensc.org)
|
||||
# And uncomment the following
|
||||
# verify that dynamic_path points to the correct location
|
||||
#
|
||||
#pkcs11 = pkcs11_section
|
||||
|
||||
[ pkcs11_section ]
|
||||
engine_id = pkcs11
|
||||
dynamic_path = /usr/lib/engines/engine_pkcs11.so
|
||||
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
|
||||
PIN = $ENV::PKCS11_PIN
|
||||
init = 0
|
||||
@ -1,379 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# OpenVPN -- An application to securely tunnel IP networks
|
||||
# over a single TCP/UDP port, with support for SSL/TLS-based
|
||||
# session authentication and key exchange,
|
||||
# packet encryption, packet authentication, and
|
||||
# packet compression.
|
||||
#
|
||||
# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License version 2
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program (see the file COPYING included with this
|
||||
# distribution); if not, write to the Free Software Foundation, Inc.,
|
||||
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
# pkitool is a front-end for the openssl tool.
|
||||
|
||||
# Calling scripts can set the certificate organizational
|
||||
# unit with the KEY_OU environmental variable.
|
||||
|
||||
# Calling scripts can also set the KEY_NAME environmental
|
||||
# variable to set the "name" X509 subject field.
|
||||
|
||||
PROGNAME=pkitool
|
||||
VERSION=2.0
|
||||
DEBUG=0
|
||||
|
||||
die()
|
||||
{
|
||||
local m="$1"
|
||||
|
||||
echo "$m" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
need_vars()
|
||||
{
|
||||
echo ' Please edit the vars script to reflect your configuration,'
|
||||
echo ' then source it with "source ./vars".'
|
||||
echo ' Next, to start with a fresh PKI configuration and to delete any'
|
||||
echo ' previous certificates and keys, run "./clean-all".'
|
||||
echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
|
||||
}
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "$PROGNAME $VERSION"
|
||||
echo "Usage: $PROGNAME [options...] [common-name]"
|
||||
echo "Options:"
|
||||
echo " --batch : batch mode (default)"
|
||||
echo " --keysize : Set keysize"
|
||||
echo " size : size (default=1024)"
|
||||
echo " --interact : interactive mode"
|
||||
echo " --server : build server cert"
|
||||
echo " --initca : build root CA"
|
||||
echo " --inter : build intermediate CA"
|
||||
echo " --pass : encrypt private key with password"
|
||||
echo " --csr : only generate a CSR, do not sign"
|
||||
echo " --sign : sign an existing CSR"
|
||||
echo " --pkcs12 : generate a combined PKCS#12 file"
|
||||
echo " --pkcs11 : generate certificate on PKCS#11 token"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " id : PKCS#11 object id (hex string)"
|
||||
echo " label : PKCS#11 object label"
|
||||
echo "Standalone options:"
|
||||
echo " --pkcs11-slots : list PKCS#11 slots"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " --pkcs11-objects : list PKCS#11 token objects"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " label : PKCS#11 token label"
|
||||
echo "Notes:"
|
||||
need_vars
|
||||
echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
|
||||
echo "Generated files and corresponding OpenVPN directives:"
|
||||
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
|
||||
echo " ca.crt -> root certificate (--ca)"
|
||||
echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
|
||||
echo " .crt files -> client/server certificates (--cert)"
|
||||
echo " .key files -> private keys, keep secure (--key)"
|
||||
echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
|
||||
echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
|
||||
echo "Examples:"
|
||||
echo " $PROGNAME --initca -> Build root certificate"
|
||||
echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
|
||||
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
|
||||
echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
|
||||
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
|
||||
echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
|
||||
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
|
||||
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
|
||||
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
|
||||
echo " Also see ./inherit-inter script."
|
||||
echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
|
||||
echo " -> Build \"client5\" certificate/key in PKCS#11 token"
|
||||
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
|
||||
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
|
||||
echo " [edit vars with your site-specific info]"
|
||||
echo " source ./vars"
|
||||
echo " ./clean-all"
|
||||
echo " ./build-dh -> takes a long time, consider backgrounding"
|
||||
echo " ./$PROGNAME --initca"
|
||||
echo " ./$PROGNAME --server myserver"
|
||||
echo " ./$PROGNAME client1"
|
||||
echo " ./$PROGNAME --pass client2"
|
||||
echo "Typical usage for adding client cert to existing PKI:"
|
||||
echo " source ./vars"
|
||||
echo " ./$PROGNAME client-new"
|
||||
}
|
||||
|
||||
# Set tool defaults
|
||||
[ -n "$OPENSSL" ] || export OPENSSL="openssl"
|
||||
[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
|
||||
[ -n "$GREP" ] || export GREP="grep"
|
||||
|
||||
# Set defaults
|
||||
DO_REQ="1"
|
||||
REQ_EXT=""
|
||||
DO_CA="1"
|
||||
CA_EXT=""
|
||||
DO_P12="0"
|
||||
DO_P11="0"
|
||||
DO_ROOT="0"
|
||||
NODES_REQ="-nodes"
|
||||
NODES_P12=""
|
||||
BATCH="-batch"
|
||||
CA="ca"
|
||||
# must be set or errors of openssl.cnf
|
||||
PKCS11_MODULE_PATH="dummy"
|
||||
PKCS11_PIN="dummy"
|
||||
|
||||
# Process options
|
||||
while [ $# -gt 0 ]; do
|
||||
case "$1" in
|
||||
--keysize ) KEY_SIZE=$2
|
||||
shift;;
|
||||
--server ) REQ_EXT="$REQ_EXT -extensions server"
|
||||
CA_EXT="$CA_EXT -extensions server" ;;
|
||||
--batch ) BATCH="-batch" ;;
|
||||
--interact ) BATCH="" ;;
|
||||
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
|
||||
--initca ) DO_ROOT="1" ;;
|
||||
--pass ) NODES_REQ="" ;;
|
||||
--csr ) DO_CA="0" ;;
|
||||
--sign ) DO_REQ="0" ;;
|
||||
--pkcs12 ) DO_P12="1" ;;
|
||||
--pkcs11 ) DO_P11="1"
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
PKCS11_ID="$4"
|
||||
PKCS11_LABEL="$5"
|
||||
shift 4;;
|
||||
|
||||
# standalone
|
||||
--pkcs11-init)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
PKCS11_LABEL="$4"
|
||||
if [ -z "$PKCS11_LABEL" ]; then
|
||||
die "Please specify library name, slot and label"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
|
||||
--label "$PKCS11_LABEL" &&
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
|
||||
exit $?;;
|
||||
--pkcs11-slots)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
if [ -z "$PKCS11_MODULE_PATH" ]; then
|
||||
die "Please specify library name"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
|
||||
exit 0;;
|
||||
--pkcs11-objects)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
if [ -z "$PKCS11_SLOT" ]; then
|
||||
die "Please specify library name and slot"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
|
||||
exit 0;;
|
||||
|
||||
--help|--usage)
|
||||
usage
|
||||
exit ;;
|
||||
--version)
|
||||
echo "$PROGNAME $VERSION"
|
||||
exit ;;
|
||||
# errors
|
||||
--* ) die "$PROGNAME: unknown option: $1" ;;
|
||||
* ) break ;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if ! [ -z "$BATCH" ]; then
|
||||
if $OPENSSL version | grep 0.9.6 > /dev/null; then
|
||||
die "Batch mode is unsupported in openssl<0.9.7"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
|
||||
die "PKCS#11 and PKCS#12 cannot be specified together"
|
||||
fi
|
||||
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
|
||||
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
|
||||
fi
|
||||
fi
|
||||
|
||||
# If we are generating pkcs12, only encrypt the final step
|
||||
if [ $DO_P12 -eq 1 ]; then
|
||||
NODES_P12="$NODES_REQ"
|
||||
NODES_REQ="-nodes"
|
||||
fi
|
||||
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
if [ -z "$PKCS11_LABEL" ]; then
|
||||
die "PKCS#11 arguments incomplete"
|
||||
fi
|
||||
fi
|
||||
|
||||
# If undefined, set default key expiration intervals
|
||||
if [ -z "$KEY_EXPIRE" ]; then
|
||||
KEY_EXPIRE=3650
|
||||
fi
|
||||
if [ -z "$CA_EXPIRE" ]; then
|
||||
CA_EXPIRE=3650
|
||||
fi
|
||||
|
||||
# Set organizational unit to empty string if undefined
|
||||
if [ -z "$KEY_OU" ]; then
|
||||
KEY_OU=""
|
||||
fi
|
||||
|
||||
# Set X509 Name string to empty string if undefined
|
||||
if [ -z "$KEY_NAME" ]; then
|
||||
KEY_NAME=""
|
||||
fi
|
||||
|
||||
# Set KEY_CN, FN
|
||||
if [ $DO_ROOT -eq 1 ]; then
|
||||
if [ -z "$KEY_CN" ]; then
|
||||
if [ "$1" ]; then
|
||||
KEY_CN="$1"
|
||||
elif [ "$KEY_ORG" ]; then
|
||||
KEY_CN="$KEY_ORG CA"
|
||||
fi
|
||||
fi
|
||||
if [ $BATCH ] && [ "$KEY_CN" ]; then
|
||||
echo "Using CA Common Name:" "$KEY_CN"
|
||||
fi
|
||||
FN="$KEY_CN"
|
||||
elif [ $BATCH ] && [ "$KEY_CN" ]; then
|
||||
echo "Using Common Name:" "$KEY_CN"
|
||||
FN="$KEY_CN"
|
||||
if [ "$1" ]; then
|
||||
FN="$1"
|
||||
fi
|
||||
else
|
||||
if [ $# -ne 1 ]; then
|
||||
usage
|
||||
exit 1
|
||||
else
|
||||
KEY_CN="$1"
|
||||
fi
|
||||
FN="$KEY_CN"
|
||||
fi
|
||||
|
||||
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
|
||||
|
||||
# Show parameters (debugging)
|
||||
if [ $DEBUG -eq 1 ]; then
|
||||
echo DO_REQ $DO_REQ
|
||||
echo REQ_EXT $REQ_EXT
|
||||
echo DO_CA $DO_CA
|
||||
echo CA_EXT $CA_EXT
|
||||
echo NODES_REQ $NODES_REQ
|
||||
echo NODES_P12 $NODES_P12
|
||||
echo DO_P12 $DO_P12
|
||||
echo KEY_CN $KEY_CN
|
||||
echo BATCH $BATCH
|
||||
echo DO_ROOT $DO_ROOT
|
||||
echo KEY_EXPIRE $KEY_EXPIRE
|
||||
echo CA_EXPIRE $CA_EXPIRE
|
||||
echo KEY_OU $KEY_OU
|
||||
echo KEY_NAME $KEY_NAME
|
||||
echo DO_P11 $DO_P11
|
||||
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
|
||||
echo PKCS11_SLOT $PKCS11_SLOT
|
||||
echo PKCS11_ID $PKCS11_ID
|
||||
echo PKCS11_LABEL $PKCS11_LABEL
|
||||
fi
|
||||
|
||||
# Make sure ./vars was sourced beforehand
|
||||
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
|
||||
cd "$KEY_DIR"
|
||||
|
||||
# Make sure $KEY_CONFIG points to the correct version
|
||||
# of openssl.cnf
|
||||
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
|
||||
:
|
||||
else
|
||||
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
|
||||
echo "version of openssl.cnf: $KEY_CONFIG"
|
||||
echo "The correct version should have a comment that says: easy-rsa version 2.x";
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
# Build root CA
|
||||
if [ $DO_ROOT -eq 1 ]; then
|
||||
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
|
||||
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
|
||||
chmod 0600 "$CA.key"
|
||||
else
|
||||
# Make sure CA key/cert is available
|
||||
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
|
||||
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
|
||||
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
|
||||
echo "Try $PROGNAME --initca to build a root certificate/key."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Generate key for PKCS#11 token
|
||||
PKCS11_ARGS=
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
stty -echo
|
||||
echo -n "User PIN: "
|
||||
read -r PKCS11_PIN
|
||||
stty echo
|
||||
export PKCS11_PIN
|
||||
|
||||
echo "Generating key pair on PKCS#11 token..."
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
|
||||
--login --pin "$PKCS11_PIN" \
|
||||
--key-type rsa:1024 \
|
||||
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
|
||||
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
|
||||
fi
|
||||
|
||||
# Build cert/key
|
||||
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
|
||||
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
|
||||
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
|
||||
-in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
|
||||
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
|
||||
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
|
||||
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
|
||||
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
|
||||
|
||||
# Load certificate into PKCS#11 token
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
|
||||
--login --pin "$PKCS11_PIN" \
|
||||
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
|
||||
[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
# Need definitions
|
||||
else
|
||||
need_vars
|
||||
fi
|
||||
@ -1,40 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# revoke a certificate, regenerate CRL,
|
||||
# and verify revocation
|
||||
|
||||
CRL="crl.pem"
|
||||
RT="revoke-test.pem"
|
||||
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "usage: revoke-full <cert-name-base>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cd "$KEY_DIR"
|
||||
rm -f "$RT"
|
||||
|
||||
# set defaults
|
||||
export KEY_CN=""
|
||||
export KEY_OU=""
|
||||
export KEY_NAME=""
|
||||
|
||||
# revoke key and generate a new CRL
|
||||
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
|
||||
|
||||
# generate a new CRL -- try to be compatible with
|
||||
# intermediate PKIs
|
||||
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
|
||||
if [ -e export-ca.crt ]; then
|
||||
cat export-ca.crt "$CRL" >"$RT"
|
||||
else
|
||||
cat ca.crt "$CRL" >"$RT"
|
||||
fi
|
||||
|
||||
# verify the revocation
|
||||
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Sign a certificate signing request (a .csr file)
|
||||
# with a local root certificate and key.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --sign $*
|
||||
Binary file not shown.
@ -1,8 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Build a root certificate
|
||||
#
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --initca $*
|
||||
@ -1,11 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build Diffie-Hellman parameters for the server side
|
||||
# of an SSL/TLS connection.
|
||||
|
||||
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
|
||||
$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make an intermediate CA certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --inter $*
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact $*
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Similar to build-key, but protect the private key
|
||||
# with a password.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --pass $*
|
||||
@ -1,8 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate and convert it to a PKCS #12 file including the
|
||||
# the CA certificate as well.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --pkcs12 $*
|
||||
@ -1,10 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Make a certificate/private key pair using a locally generated
|
||||
# root certificate.
|
||||
#
|
||||
# Explicitly set nsCertType to server using the "server"
|
||||
# extension in the openssl.cnf file.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --server $*
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build a certificate signing request and private key. Use this
|
||||
# when your root certificate and key is not available locally.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --csr $*
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Like build-req, but protect your private key
|
||||
# with a password.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --csr --pass $*
|
||||
@ -1,16 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Initialize the $KEY_DIR directory.
|
||||
# Note that this script does a
|
||||
# rm -rf on $KEY_DIR so be careful!
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
rm -rf "$KEY_DIR"
|
||||
mkdir "$KEY_DIR" && \
|
||||
chmod go-rwx "$KEY_DIR" && \
|
||||
touch "$KEY_DIR/index.txt" && \
|
||||
echo 01 >"$KEY_DIR/serial"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1 +0,0 @@
|
||||
./openssl-1.0.0.cnf
|
||||
@ -1,39 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Build a new PKI which is rooted on an intermediate certificate generated
|
||||
# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
|
||||
# have independent vars settings, and must use a different KEY_DIR directory
|
||||
# from the parent. This tool can be used to generate arbitrary depth
|
||||
# certificate chains.
|
||||
#
|
||||
# To build an intermediate CA, follow the same steps for a regular PKI but
|
||||
# replace ./build-key or ./pkitool --initca with this script.
|
||||
|
||||
# The EXPORT_CA file will contain the CA certificate chain and should be
|
||||
# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
|
||||
# will only contain the local intermediate CA -- it's needed by the easy-rsa
|
||||
# scripts but not by OpenVPN directly.
|
||||
EXPORT_CA="export-ca.crt"
|
||||
|
||||
if [ $# -ne 2 ]; then
|
||||
echo "usage: $0 <parent-key-dir> <common-name>"
|
||||
echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
|
||||
echo "common-name: the common name of the intermediate certificate in the parent PKI"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cp "$1/$2.crt" "$KEY_DIR/ca.crt"
|
||||
cp "$1/$2.key" "$KEY_DIR/ca.key"
|
||||
|
||||
if [ -e "$1/$EXPORT_CA" ]; then
|
||||
PARENT_CA="$1/$EXPORT_CA"
|
||||
else
|
||||
PARENT_CA="$1/ca.crt"
|
||||
fi
|
||||
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
|
||||
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,13 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# list revoked certificates
|
||||
|
||||
CRL="${1:-crl.pem}"
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cd "$KEY_DIR" && \
|
||||
$OPENSSL crl -text -noout -in "$CRL"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,265 +0,0 @@
|
||||
# For use with easy-rsa version 2.0
|
||||
|
||||
#
|
||||
# OpenSSL example configuration file.
|
||||
# This is mostly being used for generation of certificate requests.
|
||||
#
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString.
|
||||
# utf8only: only UTF8Strings.
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
@ -1,285 +0,0 @@
|
||||
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
|
||||
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[ openssl_init ]
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
engines = engine_section
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||
# Add a simple OID like this:
|
||||
# testoid1=1.2.3.4
|
||||
# Or use config file substitution like this:
|
||||
# testoid2=${testoid1}.5.6
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::KEY_DIR # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
# so this is commented out by default to leave a V1 CRL.
|
||||
# crl_extensions = crl_ext
|
||||
|
||||
default_days = 3650 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # use public key default MD
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
# For the 'anything' policy
|
||||
# At this point in time, you must list all acceptable 'object'
|
||||
# types.
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = $ENV::KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||
|
||||
# Passwords for private keys if not present they will be prompted for
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
|
||||
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
|
||||
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||
# MASK:XXXX a literal mask value.
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::KEY_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::KEY_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::KEY_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::KEY_ORG
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
#1.organizationName_default = World Wide Web Pty Ltd
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
name = Name
|
||||
name_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::KEY_EMAIL
|
||||
emailAddress_max = 40
|
||||
|
||||
# JY -- added for batch mode
|
||||
organizationalUnitName_default = $ENV::KEY_OU
|
||||
commonName_default = $ENV::KEY_CN
|
||||
name_default = $ENV::KEY_NAME
|
||||
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
unstructuredName = An optional company name
|
||||
|
||||
[ usr_cert ]
|
||||
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
|
||||
# This goes against PKIX guidelines but some CAs do it and some software
|
||||
# requires this to avoid interpreting an end user certificate as a CA.
|
||||
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
|
||||
# For normal client use this is typical
|
||||
# nsCertType = client, email
|
||||
|
||||
# and for everything including object signing:
|
||||
# nsCertType = client, email, objsign
|
||||
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "Easy-RSA Generated Certificate"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
#nsRevocationUrl
|
||||
#nsRenewalUrl
|
||||
#nsCaPolicyUrl
|
||||
#nsSslServerName
|
||||
|
||||
[ server ]
|
||||
|
||||
# JY ADDED -- Make a cert with nsCertType set to "server"
|
||||
basicConstraints=CA:FALSE
|
||||
nsCertType = server
|
||||
nsComment = "Easy-RSA Generated Server Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
extendedKeyUsage=serverAuth
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_req ]
|
||||
|
||||
# Extensions to add to a certificate request
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
[ v3_ca ]
|
||||
|
||||
|
||||
# Extensions for a typical CA
|
||||
|
||||
|
||||
# PKIX recommendation.
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
# So we do this instead.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Key usage: this is typical for a CA certificate. However since it will
|
||||
# prevent it being used as an test self-signed certificate it is best
|
||||
# left out by default.
|
||||
# keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# Some might want this also
|
||||
# nsCertType = sslCA, emailCA
|
||||
|
||||
# Include email address in subject alt name: another PKIX recommendation
|
||||
# subjectAltName=email:copy
|
||||
# Copy issuer details
|
||||
# issuerAltName=issuer:copy
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
[ engine_section ]
|
||||
#
|
||||
# If you are using PKCS#11
|
||||
# Install engine_pkcs11 of opensc (www.opensc.org)
|
||||
# And uncomment the following
|
||||
# verify that dynamic_path points to the correct location
|
||||
#
|
||||
#pkcs11 = pkcs11_section
|
||||
|
||||
[ pkcs11_section ]
|
||||
engine_id = pkcs11
|
||||
dynamic_path = /usr/lib/engines/engine_pkcs11.so
|
||||
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
|
||||
PIN = $ENV::PKCS11_PIN
|
||||
init = 0
|
||||
@ -1,379 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# OpenVPN -- An application to securely tunnel IP networks
|
||||
# over a single TCP/UDP port, with support for SSL/TLS-based
|
||||
# session authentication and key exchange,
|
||||
# packet encryption, packet authentication, and
|
||||
# packet compression.
|
||||
#
|
||||
# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License version 2
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program (see the file COPYING included with this
|
||||
# distribution); if not, write to the Free Software Foundation, Inc.,
|
||||
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
# pkitool is a front-end for the openssl tool.
|
||||
|
||||
# Calling scripts can set the certificate organizational
|
||||
# unit with the KEY_OU environmental variable.
|
||||
|
||||
# Calling scripts can also set the KEY_NAME environmental
|
||||
# variable to set the "name" X509 subject field.
|
||||
|
||||
PROGNAME=pkitool
|
||||
VERSION=2.0
|
||||
DEBUG=0
|
||||
|
||||
die()
|
||||
{
|
||||
local m="$1"
|
||||
|
||||
echo "$m" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
need_vars()
|
||||
{
|
||||
echo ' Please edit the vars script to reflect your configuration,'
|
||||
echo ' then source it with "source ./vars".'
|
||||
echo ' Next, to start with a fresh PKI configuration and to delete any'
|
||||
echo ' previous certificates and keys, run "./clean-all".'
|
||||
echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
|
||||
}
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "$PROGNAME $VERSION"
|
||||
echo "Usage: $PROGNAME [options...] [common-name]"
|
||||
echo "Options:"
|
||||
echo " --batch : batch mode (default)"
|
||||
echo " --keysize : Set keysize"
|
||||
echo " size : size (default=1024)"
|
||||
echo " --interact : interactive mode"
|
||||
echo " --server : build server cert"
|
||||
echo " --initca : build root CA"
|
||||
echo " --inter : build intermediate CA"
|
||||
echo " --pass : encrypt private key with password"
|
||||
echo " --csr : only generate a CSR, do not sign"
|
||||
echo " --sign : sign an existing CSR"
|
||||
echo " --pkcs12 : generate a combined PKCS#12 file"
|
||||
echo " --pkcs11 : generate certificate on PKCS#11 token"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " id : PKCS#11 object id (hex string)"
|
||||
echo " label : PKCS#11 object label"
|
||||
echo "Standalone options:"
|
||||
echo " --pkcs11-slots : list PKCS#11 slots"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " --pkcs11-objects : list PKCS#11 token objects"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
|
||||
echo " lib : PKCS#11 library"
|
||||
echo " slot : PKCS#11 slot"
|
||||
echo " label : PKCS#11 token label"
|
||||
echo "Notes:"
|
||||
need_vars
|
||||
echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
|
||||
echo "Generated files and corresponding OpenVPN directives:"
|
||||
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
|
||||
echo " ca.crt -> root certificate (--ca)"
|
||||
echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
|
||||
echo " .crt files -> client/server certificates (--cert)"
|
||||
echo " .key files -> private keys, keep secure (--key)"
|
||||
echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
|
||||
echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
|
||||
echo "Examples:"
|
||||
echo " $PROGNAME --initca -> Build root certificate"
|
||||
echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
|
||||
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
|
||||
echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
|
||||
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
|
||||
echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
|
||||
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
|
||||
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
|
||||
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
|
||||
echo " Also see ./inherit-inter script."
|
||||
echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
|
||||
echo " -> Build \"client5\" certificate/key in PKCS#11 token"
|
||||
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
|
||||
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
|
||||
echo " [edit vars with your site-specific info]"
|
||||
echo " source ./vars"
|
||||
echo " ./clean-all"
|
||||
echo " ./build-dh -> takes a long time, consider backgrounding"
|
||||
echo " ./$PROGNAME --initca"
|
||||
echo " ./$PROGNAME --server myserver"
|
||||
echo " ./$PROGNAME client1"
|
||||
echo " ./$PROGNAME --pass client2"
|
||||
echo "Typical usage for adding client cert to existing PKI:"
|
||||
echo " source ./vars"
|
||||
echo " ./$PROGNAME client-new"
|
||||
}
|
||||
|
||||
# Set tool defaults
|
||||
[ -n "$OPENSSL" ] || export OPENSSL="openssl"
|
||||
[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
|
||||
[ -n "$GREP" ] || export GREP="grep"
|
||||
|
||||
# Set defaults
|
||||
DO_REQ="1"
|
||||
REQ_EXT=""
|
||||
DO_CA="1"
|
||||
CA_EXT=""
|
||||
DO_P12="0"
|
||||
DO_P11="0"
|
||||
DO_ROOT="0"
|
||||
NODES_REQ="-nodes"
|
||||
NODES_P12=""
|
||||
BATCH="-batch"
|
||||
CA="ca"
|
||||
# must be set or errors of openssl.cnf
|
||||
PKCS11_MODULE_PATH="dummy"
|
||||
PKCS11_PIN="dummy"
|
||||
|
||||
# Process options
|
||||
while [ $# -gt 0 ]; do
|
||||
case "$1" in
|
||||
--keysize ) KEY_SIZE=$2
|
||||
shift;;
|
||||
--server ) REQ_EXT="$REQ_EXT -extensions server"
|
||||
CA_EXT="$CA_EXT -extensions server" ;;
|
||||
--batch ) BATCH="-batch" ;;
|
||||
--interact ) BATCH="" ;;
|
||||
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
|
||||
--initca ) DO_ROOT="1" ;;
|
||||
--pass ) NODES_REQ="" ;;
|
||||
--csr ) DO_CA="0" ;;
|
||||
--sign ) DO_REQ="0" ;;
|
||||
--pkcs12 ) DO_P12="1" ;;
|
||||
--pkcs11 ) DO_P11="1"
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
PKCS11_ID="$4"
|
||||
PKCS11_LABEL="$5"
|
||||
shift 4;;
|
||||
|
||||
# standalone
|
||||
--pkcs11-init)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
PKCS11_LABEL="$4"
|
||||
if [ -z "$PKCS11_LABEL" ]; then
|
||||
die "Please specify library name, slot and label"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
|
||||
--label "$PKCS11_LABEL" &&
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
|
||||
exit $?;;
|
||||
--pkcs11-slots)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
if [ -z "$PKCS11_MODULE_PATH" ]; then
|
||||
die "Please specify library name"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
|
||||
exit 0;;
|
||||
--pkcs11-objects)
|
||||
PKCS11_MODULE_PATH="$2"
|
||||
PKCS11_SLOT="$3"
|
||||
if [ -z "$PKCS11_SLOT" ]; then
|
||||
die "Please specify library name and slot"
|
||||
fi
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
|
||||
exit 0;;
|
||||
|
||||
--help|--usage)
|
||||
usage
|
||||
exit ;;
|
||||
--version)
|
||||
echo "$PROGNAME $VERSION"
|
||||
exit ;;
|
||||
# errors
|
||||
--* ) die "$PROGNAME: unknown option: $1" ;;
|
||||
* ) break ;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if ! [ -z "$BATCH" ]; then
|
||||
if $OPENSSL version | grep 0.9.6 > /dev/null; then
|
||||
die "Batch mode is unsupported in openssl<0.9.7"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
|
||||
die "PKCS#11 and PKCS#12 cannot be specified together"
|
||||
fi
|
||||
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
|
||||
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
|
||||
fi
|
||||
fi
|
||||
|
||||
# If we are generating pkcs12, only encrypt the final step
|
||||
if [ $DO_P12 -eq 1 ]; then
|
||||
NODES_P12="$NODES_REQ"
|
||||
NODES_REQ="-nodes"
|
||||
fi
|
||||
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
if [ -z "$PKCS11_LABEL" ]; then
|
||||
die "PKCS#11 arguments incomplete"
|
||||
fi
|
||||
fi
|
||||
|
||||
# If undefined, set default key expiration intervals
|
||||
if [ -z "$KEY_EXPIRE" ]; then
|
||||
KEY_EXPIRE=3650
|
||||
fi
|
||||
if [ -z "$CA_EXPIRE" ]; then
|
||||
CA_EXPIRE=3650
|
||||
fi
|
||||
|
||||
# Set organizational unit to empty string if undefined
|
||||
if [ -z "$KEY_OU" ]; then
|
||||
KEY_OU=""
|
||||
fi
|
||||
|
||||
# Set X509 Name string to empty string if undefined
|
||||
if [ -z "$KEY_NAME" ]; then
|
||||
KEY_NAME=""
|
||||
fi
|
||||
|
||||
# Set KEY_CN, FN
|
||||
if [ $DO_ROOT -eq 1 ]; then
|
||||
if [ -z "$KEY_CN" ]; then
|
||||
if [ "$1" ]; then
|
||||
KEY_CN="$1"
|
||||
elif [ "$KEY_ORG" ]; then
|
||||
KEY_CN="$KEY_ORG CA"
|
||||
fi
|
||||
fi
|
||||
if [ $BATCH ] && [ "$KEY_CN" ]; then
|
||||
echo "Using CA Common Name:" "$KEY_CN"
|
||||
fi
|
||||
FN="$KEY_CN"
|
||||
elif [ $BATCH ] && [ "$KEY_CN" ]; then
|
||||
echo "Using Common Name:" "$KEY_CN"
|
||||
FN="$KEY_CN"
|
||||
if [ "$1" ]; then
|
||||
FN="$1"
|
||||
fi
|
||||
else
|
||||
if [ $# -ne 1 ]; then
|
||||
usage
|
||||
exit 1
|
||||
else
|
||||
KEY_CN="$1"
|
||||
fi
|
||||
FN="$KEY_CN"
|
||||
fi
|
||||
|
||||
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
|
||||
|
||||
# Show parameters (debugging)
|
||||
if [ $DEBUG -eq 1 ]; then
|
||||
echo DO_REQ $DO_REQ
|
||||
echo REQ_EXT $REQ_EXT
|
||||
echo DO_CA $DO_CA
|
||||
echo CA_EXT $CA_EXT
|
||||
echo NODES_REQ $NODES_REQ
|
||||
echo NODES_P12 $NODES_P12
|
||||
echo DO_P12 $DO_P12
|
||||
echo KEY_CN $KEY_CN
|
||||
echo BATCH $BATCH
|
||||
echo DO_ROOT $DO_ROOT
|
||||
echo KEY_EXPIRE $KEY_EXPIRE
|
||||
echo CA_EXPIRE $CA_EXPIRE
|
||||
echo KEY_OU $KEY_OU
|
||||
echo KEY_NAME $KEY_NAME
|
||||
echo DO_P11 $DO_P11
|
||||
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
|
||||
echo PKCS11_SLOT $PKCS11_SLOT
|
||||
echo PKCS11_ID $PKCS11_ID
|
||||
echo PKCS11_LABEL $PKCS11_LABEL
|
||||
fi
|
||||
|
||||
# Make sure ./vars was sourced beforehand
|
||||
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
|
||||
cd "$KEY_DIR"
|
||||
|
||||
# Make sure $KEY_CONFIG points to the correct version
|
||||
# of openssl.cnf
|
||||
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
|
||||
:
|
||||
else
|
||||
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
|
||||
echo "version of openssl.cnf: $KEY_CONFIG"
|
||||
echo "The correct version should have a comment that says: easy-rsa version 2.x";
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
# Build root CA
|
||||
if [ $DO_ROOT -eq 1 ]; then
|
||||
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
|
||||
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
|
||||
chmod 0600 "$CA.key"
|
||||
else
|
||||
# Make sure CA key/cert is available
|
||||
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
|
||||
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
|
||||
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
|
||||
echo "Try $PROGNAME --initca to build a root certificate/key."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Generate key for PKCS#11 token
|
||||
PKCS11_ARGS=
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
stty -echo
|
||||
echo -n "User PIN: "
|
||||
read -r PKCS11_PIN
|
||||
stty echo
|
||||
export PKCS11_PIN
|
||||
|
||||
echo "Generating key pair on PKCS#11 token..."
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
|
||||
--login --pin "$PKCS11_PIN" \
|
||||
--key-type rsa:1024 \
|
||||
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
|
||||
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
|
||||
fi
|
||||
|
||||
# Build cert/key
|
||||
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
|
||||
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
|
||||
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
|
||||
-in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
|
||||
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
|
||||
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
|
||||
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
|
||||
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
|
||||
|
||||
# Load certificate into PKCS#11 token
|
||||
if [ $DO_P11 -eq 1 ]; then
|
||||
$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
|
||||
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
|
||||
--login --pin "$PKCS11_PIN" \
|
||||
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
|
||||
[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
# Need definitions
|
||||
else
|
||||
need_vars
|
||||
fi
|
||||
@ -1,40 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# revoke a certificate, regenerate CRL,
|
||||
# and verify revocation
|
||||
|
||||
CRL="crl.pem"
|
||||
RT="revoke-test.pem"
|
||||
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "usage: revoke-full <cert-name-base>";
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$KEY_DIR" ]; then
|
||||
cd "$KEY_DIR"
|
||||
rm -f "$RT"
|
||||
|
||||
# set defaults
|
||||
export KEY_CN=""
|
||||
export KEY_OU=""
|
||||
export KEY_NAME=""
|
||||
|
||||
# revoke key and generate a new CRL
|
||||
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
|
||||
|
||||
# generate a new CRL -- try to be compatible with
|
||||
# intermediate PKIs
|
||||
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
|
||||
if [ -e export-ca.crt ]; then
|
||||
cat export-ca.crt "$CRL" >"$RT"
|
||||
else
|
||||
cat ca.crt "$CRL" >"$RT"
|
||||
fi
|
||||
|
||||
# verify the revocation
|
||||
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
|
||||
else
|
||||
echo 'Please source the vars script first (i.e. "source ./vars")'
|
||||
echo 'Make sure you have edited it to reflect your configuration.'
|
||||
fi
|
||||
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Sign a certificate signing request (a .csr file)
|
||||
# with a local root certificate and key.
|
||||
|
||||
export EASY_RSA="${EASY_RSA:-.}"
|
||||
"$EASY_RSA/pkitool" --interact --sign $*
|
||||
@ -1,74 +0,0 @@
|
||||
# easy-rsa parameter settings
|
||||
|
||||
# NOTE: If you installed from an RPM,
|
||||
# don't edit this file in place in
|
||||
# /usr/share/openvpn/easy-rsa --
|
||||
# instead, you should copy the whole
|
||||
# easy-rsa directory to another location
|
||||
# (such as /etc/openvpn) so that your
|
||||
# edits will not be wiped out by a future
|
||||
# OpenVPN package upgrade.
|
||||
|
||||
# This variable should point to
|
||||
# the top level of the easy-rsa
|
||||
# tree.
|
||||
export EASY_RSA="`pwd`"
|
||||
|
||||
#
|
||||
# This variable should point to
|
||||
# the requested executables
|
||||
#
|
||||
export OPENSSL="openssl"
|
||||
export PKCS11TOOL="pkcs11-tool"
|
||||
export GREP="grep"
|
||||
|
||||
|
||||
# This variable should point to
|
||||
# the openssl.cnf file included
|
||||
# with easy-rsa.
|
||||
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
|
||||
|
||||
# Edit this variable to point to
|
||||
# your soon-to-be-created key
|
||||
# directory.
|
||||
#
|
||||
# WARNING: clean-all will do
|
||||
# a rm -rf on this directory
|
||||
# so make sure you define
|
||||
# it correctly!
|
||||
export KEY_DIR="$EASY_RSA/keys"
|
||||
|
||||
# Issue rm -rf warning
|
||||
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
|
||||
|
||||
# PKCS11 fixes
|
||||
export PKCS11_MODULE_PATH="dummy"
|
||||
export PKCS11_PIN="dummy"
|
||||
|
||||
# Increase this to 2048 if you
|
||||
# are paranoid. This will slow
|
||||
# down TLS negotiation performance
|
||||
# as well as the one-time DH parms
|
||||
# generation process.
|
||||
export KEY_SIZE=1024
|
||||
|
||||
# In how many days should the root CA key expire?
|
||||
export CA_EXPIRE=3650
|
||||
|
||||
# In how many days should certificates expire?
|
||||
export KEY_EXPIRE=3650
|
||||
|
||||
# These are the default values for fields
|
||||
# which will be placed in the certificate.
|
||||
# Don't leave any of these fields blank.
|
||||
export KEY_COUNTRY="US"
|
||||
export KEY_PROVINCE="CA"
|
||||
export KEY_CITY="SanFrancisco"
|
||||
export KEY_ORG="Fort-Funston"
|
||||
export KEY_EMAIL="me@myhost.mydomain"
|
||||
export KEY_EMAIL=mail@host.domain
|
||||
export KEY_CN=changeme
|
||||
export KEY_NAME=changeme
|
||||
export KEY_OU=changeme
|
||||
export PKCS11_MODULE_PATH=changeme
|
||||
export PKCS11_PIN=1234
|
||||
@ -1,23 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
cnf="$1/openssl.cnf"
|
||||
if [ "$OPENSSL" ]; then
|
||||
if $OPENSSL version | grep 0.9.6 > /dev/null; then
|
||||
cnf="$1/openssl-0.9.6.cnf"
|
||||
elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
|
||||
cnf="$1/openssl-1.0.0.cnf"
|
||||
else
|
||||
cnf="$1/openssl.cnf"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo $cnf
|
||||
|
||||
if [ ! -r $cnf ]; then
|
||||
echo "**************************************************************" >&2
|
||||
echo " No $cnf file could be found" >&2
|
||||
echo " Further invocations will fail" >&2
|
||||
echo "**************************************************************" >&2
|
||||
fi
|
||||
|
||||
exit 0
|
||||
@ -1,86 +0,0 @@
|
||||
# easy-rsa parameter settings
|
||||
|
||||
# NOTE: If you installed from an RPM,
|
||||
# don't edit this file in place in
|
||||
# /usr/share/openvpn/easy-rsa --
|
||||
# instead, you should copy the whole
|
||||
# easy-rsa directory to another location
|
||||
# (such as /etc/openvpn) so that your
|
||||
# edits will not be wiped out by a future
|
||||
# OpenVPN package upgrade.
|
||||
|
||||
# This variable should point to
|
||||
# the top level of the easy-rsa
|
||||
# tree.
|
||||
##export EASY_RSA="`pwd`"
|
||||
BASE_DIR=/etc/openvpn
|
||||
export EASY_RSA="${BASE_DIR}/easy-rsa/2.0"
|
||||
|
||||
#
|
||||
# This variable should point to
|
||||
# the requested executables
|
||||
#
|
||||
export OPENSSL="openssl"
|
||||
export PKCS11TOOL="pkcs11-tool"
|
||||
export GREP="grep"
|
||||
|
||||
|
||||
# This variable should point to
|
||||
# the openssl.cnf file included
|
||||
# with easy-rsa.
|
||||
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
|
||||
|
||||
# Edit this variable to point to
|
||||
# your soon-to-be-created key
|
||||
# directory.
|
||||
#
|
||||
# WARNING: clean-all will do
|
||||
# a rm -rf on this directory
|
||||
# so make sure you define
|
||||
# it correctly!
|
||||
##export KEY_DIR="$EASY_RSA/keys"
|
||||
export KEY_DIR="${BASE_DIR}/keys"
|
||||
|
||||
# Issue rm -rf warning
|
||||
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
|
||||
|
||||
# PKCS11 fixes
|
||||
export PKCS11_MODULE_PATH="dummy"
|
||||
export PKCS11_PIN="dummy"
|
||||
|
||||
# Increase this to 2048 if you
|
||||
# are paranoid. This will slow
|
||||
# down TLS negotiation performance
|
||||
# as well as the one-time DH parms
|
||||
# generation process.
|
||||
export KEY_SIZE=1024
|
||||
|
||||
# In how many days should the root CA key expire?
|
||||
export CA_EXPIRE=3650
|
||||
|
||||
# In how many days should certificates expire?
|
||||
export KEY_EXPIRE=3650
|
||||
|
||||
# These are the default values for fields
|
||||
# which will be placed in the certificate.
|
||||
# Don't leave any of these fields blank.
|
||||
##export KEY_COUNTRY="US"
|
||||
##export KEY_PROVINCE="CA"
|
||||
##export KEY_CITY="SanFrancisco"
|
||||
##export KEY_ORG="Fort-Funston"
|
||||
##export KEY_EMAIL="me@myhost.mydomain"
|
||||
##export KEY_EMAIL=mail@host.domain
|
||||
export KEY_CN=changeme
|
||||
export KEY_NAME=changeme
|
||||
##export KEY_OU=changeme
|
||||
export PKCS11_MODULE_PATH=changeme
|
||||
export PKCS11_PIN=1234
|
||||
|
||||
export KEY_COUNTRY=DE
|
||||
export KEY_PROVINCE=Berlin
|
||||
export KEY_CITY=Berlin
|
||||
export KEY_ORG="o.open"
|
||||
export KEY_OU="Netzwerk Services"
|
||||
export KEY_EMAIL="argus@oopen.de"
|
||||
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
cnf="$1/openssl.cnf"
|
||||
|
||||
if [ "$OPENSSL" ]; then
|
||||
if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]" > /dev/null; then
|
||||
cnf="$1/openssl-0.9.6.cnf"
|
||||
elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]" > /dev/null; then
|
||||
cnf="$1/openssl-0.9.8.cnf"
|
||||
elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
|
||||
cnf="$1/openssl-1.0.0.cnf"
|
||||
else
|
||||
cnf="$1/openssl.cnf"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo $cnf
|
||||
|
||||
if [ ! -r $cnf ]; then
|
||||
echo "**************************************************************" >&2
|
||||
echo " No $cnf file could be found" >&2
|
||||
echo " Further invocations will fail" >&2
|
||||
echo "**************************************************************" >&2
|
||||
fi
|
||||
|
||||
exit 0
|
||||
@ -1,7 +0,0 @@
|
||||
10.0.63.1 openvpn server
|
||||
10.0.63.2 -- chris --
|
||||
10.0.63.3 -- frei --
|
||||
10.0.63.4 -- frei --
|
||||
10.0.63.5 undine
|
||||
10.0.63.6 -- frei --
|
||||
|
||||
@ -1,70 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 1 (0x1)
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
Validity
|
||||
Not Before: Jul 1 23:13:53 2008 GMT
|
||||
Not After : Jun 29 23:13:53 2018 GMT
|
||||
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN-server/emailAddress=argus@oopen.de
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:d0:5b:9b:21:03:ec:db:17:cf:35:f5:5b:de:6b:
|
||||
a9:1a:69:cc:09:c8:6e:a2:4a:36:66:10:9b:00:2c:
|
||||
1a:bd:59:6f:0f:b8:35:22:8e:8e:b0:e4:07:94:6c:
|
||||
cd:7b:35:6a:3e:36:ff:28:eb:2a:78:3a:06:69:82:
|
||||
90:3f:8d:c9:7b:5b:b7:1d:f6:df:c0:65:ea:da:50:
|
||||
f9:6b:94:b2:94:89:5f:3c:75:a2:13:9c:37:6c:11:
|
||||
7f:c8:88:e6:73:3d:67:6e:27:98:33:82:ee:76:35:
|
||||
a6:f2:b5:f7:5f:a2:f2:b9:c7:90:e2:b1:d2:20:c6:
|
||||
ee:45:a0:34:27:a3:a8:d3:f1
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Cert Type:
|
||||
SSL Server
|
||||
Netscape Comment:
|
||||
OpenSSL Generated Server Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
38:93:19:84:8B:74:C0:F1:0C:C9:19:EF:68:80:99:CE:07:FD:97:07
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:D8:DF:4E:1D:32:12:1B:71:A6:34:C3:F0:FE:25:1A:62:FE:57:11:67
|
||||
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
serial:97:D2:DD:71:C9:58:DF:7F
|
||||
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
2c:ee:2e:ff:76:a8:c1:37:71:19:f8:7c:86:68:56:55:03:18:
|
||||
48:94:7b:3b:ad:6e:30:16:7d:ef:14:15:94:5b:48:7d:78:2b:
|
||||
04:66:38:c9:1a:64:7b:df:aa:ab:95:24:9c:3f:53:3c:3c:03:
|
||||
c1:21:4a:00:18:d7:db:6d:45:79:ea:cf:5e:2f:bf:a2:8f:b6:
|
||||
33:45:02:a7:86:e7:17:35:72:30:ba:01:07:e1:16:57:8f:ca:
|
||||
00:5d:7d:27:39:27:e3:25:d2:06:37:52:d4:41:9c:92:1e:05:
|
||||
09:8b:4e:06:d8:9c:0e:6e:1b:5b:1c:cb:f4:99:a6:5d:c5:7d:
|
||||
d5:94
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID1DCCAz2gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
|
||||
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
|
||||
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1VcmJh
|
||||
bi1WUE4xHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDcwMTIz
|
||||
MTM1M1oXDTE4MDYyOTIzMTM1M1owgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
|
||||
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
|
||||
czEdMBsGA1UEAxMUQU5XLVVyYmFuLVZQTi1zZXJ2ZXIxHTAbBgkqhkiG9w0BCQEW
|
||||
DmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQW5sh
|
||||
A+zbF8819Vvea6kaacwJyG6iSjZmEJsALBq9WW8PuDUijo6w5AeUbM17NWo+Nv8o
|
||||
6yp4OgZpgpA/jcl7W7cd9t/AZeraUPlrlLKUiV88daITnDdsEX/IiOZzPWduJ5gz
|
||||
gu52NabytfdfovK5x5DisdIgxu5FoDQno6jT8QIDAQABo4IBQDCCATwwCQYDVR0T
|
||||
BAIwADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wg
|
||||
R2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUOJMZhIt0wPEM
|
||||
yRnvaICZzgf9lwcwgccGA1UdIwSBvzCBvIAU2N9OHTISG3GmNMPw/iUaYv5XEWeh
|
||||
gZikgZUwgZIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcT
|
||||
BkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZp
|
||||
Y2VzMRYwFAYDVQQDEw1BTlctVXJiYW4tVlBOMR0wGwYJKoZIhvcNAQkBFg5hcmd1
|
||||
c0Bvb3Blbi5kZYIJAJfS3XHJWN9/MA0GCSqGSIb3DQEBBAUAA4GBACzuLv92qME3
|
||||
cRn4fIZoVlUDGEiUezutbjAWfe8UFZRbSH14KwRmOMkaZHvfqquVJJw/Uzw8A8Eh
|
||||
SgAY19ttRXnqz14vv6KPtjNFAqeG5xc1cjC6AQfhFlePygBdfSc5J+Ml0gY3UtRB
|
||||
nJIeBQmLTgbYnA5uG1scy/SZpl3FfdWU
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,67 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 2 (0x2)
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
Validity
|
||||
Not Before: Jul 1 23:15:58 2008 GMT
|
||||
Not After : Jun 29 23:15:58 2018 GMT
|
||||
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN-undine/emailAddress=argus@oopen.de
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:c8:62:7d:b2:40:a2:db:94:db:5a:e6:21:70:a5:
|
||||
c9:a6:9e:72:5e:ec:a3:6e:ff:94:f1:cc:86:20:0f:
|
||||
73:f5:0d:12:9a:f8:3a:8a:9c:d9:71:fc:37:e3:bf:
|
||||
5b:c6:a3:70:b6:c8:c9:37:a4:b1:74:91:77:f2:6e:
|
||||
33:bf:fd:76:89:ee:34:f8:2b:3b:e9:02:03:c3:70:
|
||||
56:6d:f7:7a:e6:a6:9a:85:5d:c4:5f:27:90:2c:f4:
|
||||
b9:64:86:f4:75:c4:8e:02:04:18:6d:5a:9d:e7:64:
|
||||
fd:5e:af:7f:24:f7:a4:2b:f0:03:41:0f:3c:fb:26:
|
||||
38:66:34:8b:d7:9e:1f:0b:a5
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Comment:
|
||||
OpenSSL Generated Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
C8:0A:A1:82:F7:2E:F1:96:D2:2C:61:D9:B2:09:0C:6E:FF:08:DB:78
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:D8:DF:4E:1D:32:12:1B:71:A6:34:C3:F0:FE:25:1A:62:FE:57:11:67
|
||||
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
serial:97:D2:DD:71:C9:58:DF:7F
|
||||
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
50:0e:8c:69:68:3a:4f:80:85:62:1f:d9:17:c1:af:f0:12:e3:
|
||||
12:b8:63:52:d8:b6:bb:34:e2:c5:bc:88:a5:a0:eb:fd:1f:62:
|
||||
32:6c:da:d7:c4:1d:75:e7:97:4f:92:d6:9c:a4:24:5f:f4:4c:
|
||||
22:ce:87:3f:6a:d8:2f:90:2c:56:b5:91:ec:6a:bb:af:95:3d:
|
||||
84:64:01:8b:9f:64:55:80:e1:2c:08:de:1f:d6:3d:d8:25:84:
|
||||
fd:80:36:fc:b9:cf:ee:83:31:97:0f:72:2d:8e:a5:a7:0f:90:
|
||||
0c:c6:5f:fb:75:a2:ca:75:81:ca:78:a1:9e:92:4a:72:a5:54:
|
||||
b5:78
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDujCCAyOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
|
||||
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
|
||||
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1VcmJh
|
||||
bi1WUE4xHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDcwMTIz
|
||||
MTU1OFoXDTE4MDYyOTIzMTU1OFowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
|
||||
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
|
||||
czEdMBsGA1UEAxMUQU5XLVVyYmFuLVZQTi11bmRpbmUxHTAbBgkqhkiG9w0BCQEW
|
||||
DmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIYn2y
|
||||
QKLblNta5iFwpcmmnnJe7KNu/5TxzIYgD3P1DRKa+DqKnNlx/Dfjv1vGo3C2yMk3
|
||||
pLF0kXfybjO//XaJ7jT4KzvpAgPDcFZt93rmppqFXcRfJ5As9LlkhvR1xI4CBBht
|
||||
Wp3nZP1er38k96Qr8ANBDzz7JjhmNIvXnh8LpQIDAQABo4IBJjCCASIwCQYDVR0T
|
||||
BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
|
||||
dGUwHQYDVR0OBBYEFMgKoYL3LvGW0ixh2bIJDG7/CNt4MIHHBgNVHSMEgb8wgbyA
|
||||
FNjfTh0yEhtxpjTD8P4lGmL+VxFnoYGYpIGVMIGSMQswCQYDVQQGEwJERTEPMA0G
|
||||
A1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZ
|
||||
MBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEWMBQGA1UEAxMNQU5XLVVyYmFuLVZQ
|
||||
TjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQCX0t1xyVjffzANBgkq
|
||||
hkiG9w0BAQQFAAOBgQBQDoxpaDpPgIViH9kXwa/wEuMSuGNS2La7NOLFvIiloOv9
|
||||
H2IybNrXxB1155dPktacpCRf9Ewizoc/atgvkCxWtZHsaruvlT2EZAGLn2RVgOEs
|
||||
CN4f1j3YJYT9gDb8uc/ugzGXD3ItjqWnD5AMxl/7daLKdYHKeKGekkpypVS1eA==
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,67 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 3 (0x3)
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
Validity
|
||||
Not Before: Jul 1 23:17:00 2008 GMT
|
||||
Not After : Jun 29 23:17:00 2018 GMT
|
||||
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN-chris/emailAddress=argus@oopen.de
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:e9:62:11:b8:ec:c5:0d:8a:33:18:ab:67:f8:19:
|
||||
bc:aa:5e:d4:65:07:2a:6c:bf:02:8e:69:b4:9f:06:
|
||||
51:b0:b8:ad:6d:0b:a8:69:63:eb:e1:f6:63:1b:36:
|
||||
ea:c2:46:fa:00:63:88:c5:b9:ab:8a:40:59:79:43:
|
||||
9e:0e:0d:2a:e8:8b:8e:dc:8c:4f:1d:49:c6:42:ab:
|
||||
46:ad:8b:9f:de:10:19:b0:db:a3:e6:f1:bc:0a:0e:
|
||||
64:bb:17:f9:08:91:87:ef:5c:60:27:b7:d5:f9:65:
|
||||
6e:43:c7:df:7f:20:2e:14:7f:dc:e5:8b:1f:01:53:
|
||||
fc:09:57:43:c6:21:90:3b:d5
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Comment:
|
||||
OpenSSL Generated Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
97:35:1E:8C:65:D7:C1:65:C1:D7:68:66:6F:BB:C9:82:A3:18:14:EE
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:D8:DF:4E:1D:32:12:1B:71:A6:34:C3:F0:FE:25:1A:62:FE:57:11:67
|
||||
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
serial:97:D2:DD:71:C9:58:DF:7F
|
||||
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
1e:37:9a:a6:dd:39:43:87:a0:a9:d4:4c:0e:d9:5e:f6:43:0a:
|
||||
6e:2a:e8:5d:06:76:c8:4c:6c:ef:dc:21:22:4f:59:aa:4d:6f:
|
||||
21:3f:e5:3d:d5:7f:df:14:84:04:1d:78:0b:12:d2:00:89:09:
|
||||
75:6a:55:f6:a5:0a:9f:47:56:49:53:98:38:23:94:4b:cf:5b:
|
||||
57:1c:21:e0:f2:fb:4a:78:63:ad:fd:e4:1c:57:1c:ed:1d:45:
|
||||
ae:85:6f:8a:9f:0f:1f:ea:34:ad:42:b4:18:77:dd:9f:86:9f:
|
||||
48:28:0f:22:cc:c3:42:2b:7a:9f:f3:d2:ee:c3:20:7b:fa:d4:
|
||||
a9:85
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDuTCCAyKgAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
|
||||
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
|
||||
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1VcmJh
|
||||
bi1WUE4xHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDcwMTIz
|
||||
MTcwMFoXDTE4MDYyOTIzMTcwMFowgYcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
|
||||
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
|
||||
czEcMBoGA1UEAxMTQU5XLVVyYmFuLVZQTi1jaHJpczEdMBsGCSqGSIb3DQEJARYO
|
||||
YXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOliEbjs
|
||||
xQ2KMxirZ/gZvKpe1GUHKmy/Ao5ptJ8GUbC4rW0LqGlj6+H2Yxs26sJG+gBjiMW5
|
||||
q4pAWXlDng4NKuiLjtyMTx1JxkKrRq2Ln94QGbDbo+bxvAoOZLsX+QiRh+9cYCe3
|
||||
1fllbkPH338gLhR/3OWLHwFT/AlXQ8YhkDvVAgMBAAGjggEmMIIBIjAJBgNVHRME
|
||||
AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
|
||||
ZTAdBgNVHQ4EFgQUlzUejGXXwWXB12hmb7vJgqMYFO4wgccGA1UdIwSBvzCBvIAU
|
||||
2N9OHTISG3GmNMPw/iUaYv5XEWehgZikgZUwgZIxCzAJBgNVBAYTAkRFMQ8wDQYD
|
||||
VQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkw
|
||||
FwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRYwFAYDVQQDEw1BTlctVXJiYW4tVlBO
|
||||
MR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZYIJAJfS3XHJWN9/MA0GCSqG
|
||||
SIb3DQEBBAUAA4GBAB43mqbdOUOHoKnUTA7ZXvZDCm4q6F0GdshMbO/cISJPWapN
|
||||
byE/5T3Vf98UhAQdeAsS0gCJCXVqVfalCp9HVklTmDgjlEvPW1ccIeDy+0p4Y639
|
||||
5BxXHO0dRa6Fb4qfDx/qNK1CtBh33Z+Gn0goDyLMw0Irep/z0u7DIHv61KmF
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,73 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 4 (0x4)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
Validity
|
||||
Not Before: Sep 18 00:00:05 2013 GMT
|
||||
Not After : Sep 16 00:00:05 2023 GMT
|
||||
Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Netzwerk Services, CN=ANW-URB-VPN-gw-ckubu/name=Christoph Kuchenbuch/emailAddress=argus@oopen.de
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (1024 bit)
|
||||
Modulus:
|
||||
00:d7:02:6c:3b:15:f3:97:28:c0:5e:8d:24:ac:9a:
|
||||
9f:cd:11:f6:9d:5e:a5:5f:5d:3d:42:a5:de:b0:35:
|
||||
b5:d7:b1:e0:e0:f8:f3:29:53:7f:33:78:18:92:67:
|
||||
1c:aa:f9:16:48:5b:19:d3:cb:8d:d4:fe:1b:84:d9:
|
||||
e2:89:1a:85:5c:0b:93:c3:9d:6d:a8:4e:72:65:84:
|
||||
16:d6:02:6c:b0:0d:00:46:e3:06:15:54:bc:a8:84:
|
||||
80:f1:a9:93:b0:7a:a3:57:31:3a:9b:aa:29:9b:39:
|
||||
34:e2:64:df:4c:d5:3c:6c:c5:1c:3a:4b:26:ee:5e:
|
||||
58:e9:29:9b:42:ce:ef:90:5b
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Comment:
|
||||
Easy-RSA Generated Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
5C:5B:7D:20:D6:16:C4:CD:E8:D8:F9:FF:86:B5:ED:8C:83:CF:90:C5
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:D8:DF:4E:1D:32:12:1B:71:A6:34:C3:F0:FE:25:1A:62:FE:57:11:67
|
||||
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
serial:97:D2:DD:71:C9:58:DF:7F
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Client Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
c3:95:2b:e3:f8:62:d2:5e:b8:02:bc:a9:11:f8:bb:f5:0a:04:
|
||||
fe:a3:68:e7:c1:97:f0:44:77:c7:54:98:4a:dd:b9:df:76:4b:
|
||||
2c:d5:4c:a1:9e:e6:da:5f:d0:e4:73:c1:63:6e:29:ef:3c:79:
|
||||
82:0e:f1:59:ca:8d:41:aa:22:42:e6:e2:88:ba:00:91:b1:f6:
|
||||
f5:15:03:db:72:ab:39:01:c7:ee:19:25:c1:fd:ff:5d:30:b2:
|
||||
ff:76:70:e9:3b:4f:88:af:14:68:8b:63:e2:a6:9c:e6:05:0e:
|
||||
eb:b9:9f:3d:04:2e:9f:34:c1:14:53:69:3e:5a:c3:2e:ab:8e:
|
||||
12:72
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEDjCCA3egAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMCREUx
|
||||
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
|
||||
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1VcmJh
|
||||
bi1WUE4xHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTEzMDkxODAw
|
||||
MDAwNVoXDTIzMDkxNjAwMDAwNVowgbkxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
|
||||
ZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRowGAYDVQQL
|
||||
ExFOZXR6d2VyayBTZXJ2aWNlczEdMBsGA1UEAxMUQU5XLVVSQi1WUE4tZ3ctY2t1
|
||||
YnUxHTAbBgNVBCkTFENocmlzdG9waCBLdWNoZW5idWNoMR0wGwYJKoZIhvcNAQkB
|
||||
Fg5hcmd1c0Bvb3Blbi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1wJs
|
||||
OxXzlyjAXo0krJqfzRH2nV6lX109QqXesDW117Hg4PjzKVN/M3gYkmccqvkWSFsZ
|
||||
08uN1P4bhNniiRqFXAuTw51tqE5yZYQW1gJssA0ARuMGFVS8qISA8amTsHqjVzE6
|
||||
m6opmzk04mTfTNU8bMUcOksm7l5Y6SmbQs7vkFsCAwEAAaOCAUkwggFFMAkGA1Ud
|
||||
EwQCMAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZp
|
||||
Y2F0ZTAdBgNVHQ4EFgQUXFt9INYWxM3o2Pn/hrXtjIPPkMUwgccGA1UdIwSBvzCB
|
||||
vIAU2N9OHTISG3GmNMPw/iUaYv5XEWehgZikgZUwgZIxCzAJBgNVBAYTAkRFMQ8w
|
||||
DQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVu
|
||||
MRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRYwFAYDVQQDEw1BTlctVXJiYW4t
|
||||
VlBOMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZYIJAJfS3XHJWN9/MBMG
|
||||
A1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQUFAAOB
|
||||
gQDDlSvj+GLSXrgCvKkR+Lv1CgT+o2jnwZfwRHfHVJhK3bnfdkss1UyhnubaX9Dk
|
||||
c8FjbinvPHmCDvFZyo1BqiJC5uKIugCRsfb1FQPbcqs5AcfuGSXB/f9dMLL/dnDp
|
||||
O0+IrxRoi2PippzmBQ7ruZ89BC6fNMEUU2k+WsMuq44Scg==
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,22 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDnzCCAwigAwIBAgIJAJfS3XHJWN9/MA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD
|
||||
VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
|
||||
BAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEWMBQGA1UEAxMN
|
||||
QU5XLVVyYmFuLVZQTjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGUwHhcN
|
||||
MDgwNzAxMjMwOTQyWhcNMTgwNjI5MjMwOTQyWjCBkjELMAkGA1UEBhMCREUxDzAN
|
||||
BgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9wZW4x
|
||||
GTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1VcmJhbi1W
|
||||
UE4xHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEB
|
||||
AQUAA4GNADCBiQKBgQDXN4KAEcJwYICMNTL47p3grgBwylUtkjtjJdmUVo8k85jR
|
||||
nZSlj592rDPB7/G1o7qU8vEQlmIQSjkfC/ViuMlS38kmn+1B8kVpqoUPWZ8PRnm5
|
||||
JHWRK6TD8LjHCEZKr1hfaviddbK8Exg7b+Va3Pz0eAqS/BfuuRXdrZYJTdiuDQID
|
||||
AQABo4H6MIH3MB0GA1UdDgQWBBTY304dMhIbcaY0w/D+JRpi/lcRZzCBxwYDVR0j
|
||||
BIG/MIG8gBTY304dMhIbcaY0w/D+JRpi/lcRZ6GBmKSBlTCBkjELMAkGA1UEBhMC
|
||||
REUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZv
|
||||
Lm9wZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1V
|
||||
cmJhbi1WUE4xHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlggkAl9LdcclY
|
||||
338wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCtIEYEN8d5imgML5V3
|
||||
OnwSN+aAm6hobm6IE1fFj+G6RyvcewrLaKybXljBe2sLB4TdK3CUntoJ7yaw28xl
|
||||
5u1rBmzFI7r/xNwdU+qurpb121yMnwQSSgF0bVpDZHdz4+V1+V4Lor8bvmqOIfsH
|
||||
YMgxU+nNxqoPlGaO1xxcEuK78g==
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,15 +0,0 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXAIBAAKBgQDXN4KAEcJwYICMNTL47p3grgBwylUtkjtjJdmUVo8k85jRnZSl
|
||||
j592rDPB7/G1o7qU8vEQlmIQSjkfC/ViuMlS38kmn+1B8kVpqoUPWZ8PRnm5JHWR
|
||||
K6TD8LjHCEZKr1hfaviddbK8Exg7b+Va3Pz0eAqS/BfuuRXdrZYJTdiuDQIDAQAB
|
||||
AoGATTRWlkbIr7OOqb1z2aUP8ce51LxgrgZlU34CfZpHo4PXcGrNJk9Nby77Kjk/
|
||||
Rl/D0ScNn1uzNhDKSP7rOkz7uxyRLkh2GQIHOgCD4qvGVyvy1zjOWOrTjrl1RbOF
|
||||
QGNE3tNK9c8JuYGrxJPUIME61f7V8PQK98AmPVXaCR+u+GkCQQDzzLKHY3CnS5jh
|
||||
JeMD8XBTPEHYLL/yWp8qT1DgPsV6gebKrMOxWL/7pUfYMWRV4fItGcRAvAGLlN5G
|
||||
Pwhb0VGfAkEA4fyj5wLX7wxp43aHLJ2gJRFlfMnl9yUPh8zjGleqDI5+dfvp3GZC
|
||||
9rPvLRIEA+tjlBfx4bYAnQHXe9FoMqSY0wJBAM2Bb7/WH6C1haHLuOea/i77bRlW
|
||||
51nX77DPeQH9h6LzmuKe7LoycGoj8UKYp9YJBoXj4V0b3UWWcCLQgTA8aksCQEqP
|
||||
p6hVqNcnWlyBQ/I1g5wXVEvK9YQIh0pAEIIlgGaqMRFOb4eXeeqZzYUqV4bPiEhZ
|
||||
aiYVfbhP3j/tBJsI8Z8CQBDV21UILY09GiskhCKppEOaOgbD9e9YJ+fVxAl9bNAm
|
||||
0bxTK6lO4hhiSbPosS8h+rJEE/NRUNEuxrc4CvNdoTo=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
@ -1,67 +0,0 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 3 (0x3)
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
Validity
|
||||
Not Before: Jul 1 23:17:00 2008 GMT
|
||||
Not After : Jun 29 23:17:00 2018 GMT
|
||||
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-Urban-VPN-chris/emailAddress=argus@oopen.de
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:e9:62:11:b8:ec:c5:0d:8a:33:18:ab:67:f8:19:
|
||||
bc:aa:5e:d4:65:07:2a:6c:bf:02:8e:69:b4:9f:06:
|
||||
51:b0:b8:ad:6d:0b:a8:69:63:eb:e1:f6:63:1b:36:
|
||||
ea:c2:46:fa:00:63:88:c5:b9:ab:8a:40:59:79:43:
|
||||
9e:0e:0d:2a:e8:8b:8e:dc:8c:4f:1d:49:c6:42:ab:
|
||||
46:ad:8b:9f:de:10:19:b0:db:a3:e6:f1:bc:0a:0e:
|
||||
64:bb:17:f9:08:91:87:ef:5c:60:27:b7:d5:f9:65:
|
||||
6e:43:c7:df:7f:20:2e:14:7f:dc:e5:8b:1f:01:53:
|
||||
fc:09:57:43:c6:21:90:3b:d5
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
Netscape Comment:
|
||||
OpenSSL Generated Certificate
|
||||
X509v3 Subject Key Identifier:
|
||||
97:35:1E:8C:65:D7:C1:65:C1:D7:68:66:6F:BB:C9:82:A3:18:14:EE
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:D8:DF:4E:1D:32:12:1B:71:A6:34:C3:F0:FE:25:1A:62:FE:57:11:67
|
||||
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-Urban-VPN/emailAddress=argus@oopen.de
|
||||
serial:97:D2:DD:71:C9:58:DF:7F
|
||||
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
1e:37:9a:a6:dd:39:43:87:a0:a9:d4:4c:0e:d9:5e:f6:43:0a:
|
||||
6e:2a:e8:5d:06:76:c8:4c:6c:ef:dc:21:22:4f:59:aa:4d:6f:
|
||||
21:3f:e5:3d:d5:7f:df:14:84:04:1d:78:0b:12:d2:00:89:09:
|
||||
75:6a:55:f6:a5:0a:9f:47:56:49:53:98:38:23:94:4b:cf:5b:
|
||||
57:1c:21:e0:f2:fb:4a:78:63:ad:fd:e4:1c:57:1c:ed:1d:45:
|
||||
ae:85:6f:8a:9f:0f:1f:ea:34:ad:42:b4:18:77:dd:9f:86:9f:
|
||||
48:28:0f:22:cc:c3:42:2b:7a:9f:f3:d2:ee:c3:20:7b:fa:d4:
|
||||
a9:85
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDuTCCAyKgAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
|
||||
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
|
||||
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1VcmJh
|
||||
bi1WUE4xHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDcwMTIz
|
||||
MTcwMFoXDTE4MDYyOTIzMTcwMFowgYcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
|
||||
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
|
||||
czEcMBoGA1UEAxMTQU5XLVVyYmFuLVZQTi1jaHJpczEdMBsGCSqGSIb3DQEJARYO
|
||||
YXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOliEbjs
|
||||
xQ2KMxirZ/gZvKpe1GUHKmy/Ao5ptJ8GUbC4rW0LqGlj6+H2Yxs26sJG+gBjiMW5
|
||||
q4pAWXlDng4NKuiLjtyMTx1JxkKrRq2Ln94QGbDbo+bxvAoOZLsX+QiRh+9cYCe3
|
||||
1fllbkPH338gLhR/3OWLHwFT/AlXQ8YhkDvVAgMBAAGjggEmMIIBIjAJBgNVHRME
|
||||
AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
|
||||
ZTAdBgNVHQ4EFgQUlzUejGXXwWXB12hmb7vJgqMYFO4wgccGA1UdIwSBvzCBvIAU
|
||||
2N9OHTISG3GmNMPw/iUaYv5XEWehgZikgZUwgZIxCzAJBgNVBAYTAkRFMQ8wDQYD
|
||||
VQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkw
|
||||
FwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRYwFAYDVQQDEw1BTlctVXJiYW4tVlBO
|
||||
MR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZYIJAJfS3XHJWN9/MA0GCSqG
|
||||
SIb3DQEBBAUAA4GBAB43mqbdOUOHoKnUTA7ZXvZDCm4q6F0GdshMbO/cISJPWapN
|
||||
byE/5T3Vf98UhAQdeAsS0gCJCXVqVfalCp9HVklTmDgjlEvPW1ccIeDy+0p4Y639
|
||||
5BxXHO0dRa6Fb4qfDx/qNK1CtBh33Z+Gn0goDyLMw0Irep/z0u7DIHv61KmF
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,12 +0,0 @@
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIB2TCCAUICAQAwgZgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
|
||||
BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBuZXR3b3Jr
|
||||
IHNlcnZpY2VzMRwwGgYDVQQDExNBTlctVXJiYW4tVlBOLWNocmlzMR0wGwYJKoZI
|
||||
hvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
|
||||
gYEA6WIRuOzFDYozGKtn+Bm8ql7UZQcqbL8Cjmm0nwZRsLitbQuoaWPr4fZjGzbq
|
||||
wkb6AGOIxbmrikBZeUOeDg0q6IuO3IxPHUnGQqtGrYuf3hAZsNuj5vG8Cg5kuxf5
|
||||
CJGH71xgJ7fV+WVuQ8fffyAuFH/c5YsfAVP8CVdDxiGQO9UCAwEAAaAAMA0GCSqG
|
||||
SIb3DQEBBQUAA4GBAMmA43TxDhInXxBpuJwRlk2hnY/nXZW1IrfQtpVC6v8WM+e1
|
||||
zWx9PNvV7Y6ocaFdGhxqnjUzkKb7lCfQ11aL6ehc5w9NWY8MaZ8J5N4u5ipr/pbO
|
||||
FdQKr8D44iHJ7a93cOsE0wDPGBpk5rp8Z2TsLaLYGQuoCNQEoFk6YB57CzB4
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
@ -1,18 +0,0 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: DES-EDE3-CBC,3CEBF9073B3CB899
|
||||
|
||||
5xX8Lu3DsaALocEwU7TDMEldu4UN2e6kIVoiN4+vjtH0A1BBdRhLjP2boTh6LyT7
|
||||
FObWp9OBmY6nXhDHGKIUB7QJFX69GeIaRdidDZmDmRgh9DnJFQF0eQfN9S4IYcW5
|
||||
Lm2Qehwc+Evno176WuX5mOQJ112UCRPf6mI1WwVloz20rvKebVtdZ9RLz9TlZToQ
|
||||
icwy93R8JjTLsFZnuUZzhECAXlkNGb7BS23J+w3yZmQhHAHDICL1qU8EDKxE8+XD
|
||||
+uUCSaLhzpP6/LVdE1R+0027oa64zU5sSS1Q2qPGJL2DHPKnXYQcRPbVzMFvOkYI
|
||||
058ud8MztVQEpKBP2s3Ua8n7vHCEBsh0W7x+xbjIVjcGCV8m64Mm6pYdozmzfHRm
|
||||
qoEN98XsLyB/cbblBO1QpruCYZXDFf3OsfQq9lw+/m/RxESiAhFL0lBIBmgQVVFh
|
||||
rzNoilLge046sOo5HiGaJpiZbcM2Yjh3Lumoom+z+1p5FziL+gV1VFp3GF/y4Vr3
|
||||
AQ7HuAKIP0eO15jCDtYylmaNQM3ngd0/Wnd5YVIS+RHSVbE1/exXs/bRiyz5pjCl
|
||||
JPY4OtGYQ+mE6jycrbz+RGco20XPgjSyibjqm4a61FE9d5BrfJMqH2XTjpmNLpFD
|
||||
4xivB1aHy3CzCkxLaczQGLxOho3hibCK6P05xwQHwNgmmNqNuDazaASEdB9aUoDq
|
||||
WGux3OmUbDndOdL/UogaeqGurgQva81kUEHW7NXJLCRu4thr+OJhpAs3vdgXbiSL
|
||||
KhN1Mu4NGQynBPHcxMxcEUcZBCFZZPG55NQd/f5YAWXn2jxTZzZ+nw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user