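# easy-rsa parameter settings
#
# This file is meant to be sourced by the shell that runs the easy-rsa
# scripts; every value below is exported into that shell's environment.

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
#export EASY_RSA="`pwd`"
BASE_DIR=/etc/openvpn
export EASY_RSA="${BASE_DIR}/easy-rsa"

#
# This variable should point to
# the requested executables
#
# These are bare command names, so they are resolved through PATH when the
# easy-rsa scripts run; keep PATH limited to trusted directories in the
# shell that sources this file.
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
#
# The whichopensslcnf helper is executed each time this file is sourced, so
# the easy-rsa directory should be writable only by the account that
# operates the CA.
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
#export KEY_CONFIG="$EASY_RSA/openssl.cnf"

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
#
# The private keys end up in this directory, so its permissions should
# keep other local users out.
#export KEY_DIR="$EASY_RSA/keys"
export KEY_DIR="${BASE_DIR}/keys"

# Issue rm -rf warning
echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"

# PKCS11 fixes
# Placeholder values only -- presumably present so that references to these
# variables from the openssl configuration resolve when no smart card is
# used (confirm against the openssl.cnf in use).
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# RSA key size in bits. It is already set to 2048 here; do not lower it.
# Larger values will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
# (10957 days is roughly 30 years.)
#export CA_EXPIRE=3650
export CA_EXPIRE=10957

# In how many days should certificates expire?
# (7305 days is roughly 20 years.) With lifetimes this long, expiry will
# not retire a lost or compromised key in any useful time frame; plan on
# revoking such certificates and on having the OpenVPN server enforce the
# resulting CRL (crl-verify).
#export KEY_EXPIRE=3650
export KEY_EXPIRE=7305

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.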
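# Default subject fields for the certificates issued by this CA, followed
# by the optional smart-card and shared-Common-Name settings.
#export KEY_COUNTRY="US"
#export KEY_PROVINCE="CA"
#export KEY_CITY="SanFrancisco"
#export KEY_ORG="Fort-Funston"
#export KEY_EMAIL="me@myhost.mydomain"
#export KEY_OU="MyOrganizationalUnit"
export KEY_COUNTRY="DE"
export KEY_PROVINCE="Berlin"
export KEY_CITY="Berlin"
export KEY_ORG="o.open"
export KEY_EMAIL="argus@oopen.de"
export KEY_OU="network services"
export KEY_ALTNAMES="VPN OPP"

# X509 Subject Field
export KEY_NAME="OPP-Vpn"

# PKCS11 Smart Card
# A PIN set here is stored in clear text in this file and is exported into
# the environment of every command started from the sourcing shell; keep
# this file readable only by the CA operator if it is ever enabled.
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# Trade-off: with a shared Common Name the server can no longer tell
# clients apart by certificate name, so per-client policy and log
# attribution keyed on the CN are lost.
# export KEY_CN="CommonName"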