debian/0000755000000000000000000000000012262767421007177 5ustar debian/easy-rsa.docs0000644000000000000000000000002212262766255011573 0ustar debian/README-2.0 debian/copyright0000644000000000000000000000337612050227411011124 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: easy-rsa Source: https://github.com/OpenVPN/easy-rsa Files: * Copyright: 2002-2010 OpenVPN Technologies, Inc. License: GPL-2 This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". Files: debian/* Copyright: 2012 Alberto Gonzalez Iniesta License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". 
debian/make-cadir0000755000000000000000000000151212050227411011102 0ustar #!/bin/sh # This script creates a new directory in order to be used # with the tools from the easy-rsa project. # # Copyright (C) 2012 Alberto Gonzalez Iniesta # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. set -e usage() { echo "Usage: $0 DIRECTORY" echo "Creates a *new* directory and prepares it to be used as a (CA) key management directory (to create and store keys and certificates)." exit 1 } [ "$#" -ne 1 ] && usage [ -e "$1" ] && { echo "$1 exists. Aborting." ; usage ; } mkdir -p "$1" chmod 700 "$1" ln -s /usr/share/easy-rsa/* "$1" rm -f "$1"/vars "$1"/*.cnf cp /usr/share/easy-rsa/vars /usr/share/easy-rsa/*.cnf "$1" debian/easy-rsa.manpages0000644000000000000000000000002412050227411012415 0ustar debian/make-cadir.1 debian/easy-rsa.dirs0000644000000000000000000000002412262764531011601 0ustar usr/share/easy-rsa/ debian/patches/0000755000000000000000000000000012262765172010627 5ustar debian/patches/subjectAltName-support.patch0000644000000000000000000001331212262765147016265 0ustar Description: allows creating RSA keys valid for more than one domain by using the subjectAltName attribute. Origin: http://www.msquared.id.au/articles/easy-rsa-subjectaltname/ Forwarded: no Author: Vicente Aguilar and Msquared Last-Update: 2012-11-12 Index: easy-rsa/openssl-0.9.6.cnf =================================================================== --- easy-rsa.orig/openssl-0.9.6.cnf 2014-01-07 12:50:10.983136393 +0100 +++ easy-rsa/openssl-0.9.6.cnf 2014-01-07 12:50:10.983136393 +0100 @@ -191,6 +191,7 @@ # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES # Copy subject details # issuerAltName=issuer:copy 
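Review bot: The added `subjectAltName=$ENV::KEY_ALTNAMES` line turns KEY_ALTNAMES into a hard requirement of every openssl invocation that loads this config, because a `$ENV::` reference that is absent from the environment is rejected while the file is parsed, not only when this extension section is used; the same line is added in this file's second hunk and in the openssl-0.9.8.cnf and openssl-1.0.0.cnf hunks. The revoke-full hunk works around it by exporting an empty value, which suggests the constraint was noticed but is not recorded where it bites. A comment next to the line, e.g. `# KEY_ALTNAMES must be exported by every script that loads this config (see pkitool, revoke-full)`, would keep the next script that runs openssl with this config from failing at config load. Whether an empty value is accepted when this section is actually evaluated for a certificate (as opposed to the revoke path, which presumably emits no extensions) is not shown by the patch and is worth a quick check.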
@@ -212,6 +213,7 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES [ v3_req ] Index: easy-rsa/openssl-0.9.8.cnf =================================================================== --- easy-rsa.orig/openssl-0.9.8.cnf 2014-01-07 12:50:10.983136393 +0100 +++ easy-rsa/openssl-0.9.8.cnf 2014-01-07 12:50:10.983136393 +0100 @@ -200,6 +200,7 @@ # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES # Copy subject details # issuerAltName=issuer:copy @@ -221,6 +222,7 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES [ v3_req ] Index: easy-rsa/pkitool =================================================================== --- easy-rsa.orig/pkitool 2014-01-07 12:50:10.983136393 +0100 +++ easy-rsa/pkitool 2014-01-07 12:50:10.983136393 +0100 @@ -269,16 +269,20 @@ if [ -z "$KEY_CN" ]; then if [ "$1" ]; then KEY_CN="$1" + KEY_ALTNAMES="DNS:${KEY_CN}" elif [ "$KEY_ORG" ]; then KEY_CN="$KEY_ORG CA" + KEY_ALTNAMES="$KEY_CN" fi fi if [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using CA Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" fi FN="$KEY_CN" elif [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" FN="$KEY_CN" if [ "$1" ]; then FN="$1" @@ -289,11 +293,18 @@ exit 1 else KEY_CN="$1" + KEY_ALTNAMES="DNS:$1" + shift + while [ "x$1" != "x" ] + do + KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1" + shift + done fi FN="$KEY_CN" fi -export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN +export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES # Show parameters (debugging) if [ $DEBUG -eq 1 ]; then 
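Review bot: In the pkitool hunk at `@@ -269,16 +269,20 @@`, the batch branch `elif [ $BATCH ] && [ "$KEY_CN" ]` assigns `KEY_ALTNAMES="$KEY_CN"` without a type prefix, while the positional-argument branch in the next hunk builds `DNS:$1`; openssl's subjectAltName syntax expects typed entries (DNS:, IP:, email:, ...), so a certificate built with KEY_CN preset in vars under the default --batch mode will presumably fail at signing time with an extension error instead of receiving a SAN. `KEY_ALTNAMES="DNS:${KEY_CN}"` there would match the other branch, assuming KEY_CN is a host name. The two assignments in the DO_ROOT branch have the same shape but probably do not matter as long as the CA extension section is left unpatched, which is not visible here. Since the `export` line now lists KEY_ALTNAMES, any path that never assigns it exports an unset variable, which does not reach openssl's environment; an unconditional `KEY_ALTNAMES=""` before the `if` would at least make the export reliable (what openssl does with an empty value in the certificate sections is worth checking). The enclosing if/elif/else starts before the hunk.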
@@ -305,6 +316,7 @@ echo NODES_P12 $NODES_P12 echo DO_P12 $DO_P12 echo KEY_CN $KEY_CN + echo KEY_ALTNAMES $KEY_ALTNAMES echo BATCH $BATCH echo DO_ROOT $DO_ROOT echo KEY_EXPIRE $KEY_EXPIRE Index: easy-rsa/README.subjectAltName =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ easy-rsa/README.subjectAltName 2014-01-07 12:50:10.983136393 +0100 @@ -0,0 +1,38 @@ +easy-rsa with subjectAltName support +by Vicente Aguilar +http://www.bisente.com/proyectos/easy-rsa-subjectaltname +updates by Msquared +http://www.msquared.id.au/articles/easy-rsa-subjectaltname/ + + +INTRODUCTION +============ + +This is a modified version of OpenVPN's easy-rsa script, that allows you to +create RSA keys valid for more than one domain by using the subjectAltName +attribute. + +While I don't see this as a good practice when using the certificate for +identity validation (like in establishing a VPN), it can be useful if you +have a web server with just one IP address and want to provide HTTPS service +for several virtual domains without the browser complaining that the site +domain doesn't match the certificate's domain. + + +USAGE +===== + +Use the script as usual, see README.orig and http://openvpn.net/easyrsa.html. +If you want to make a key with several domains, just add them as parameters +on the command line: + + # ./build-key-server www.domain1.com www.domain2.com www.domain3.com + +The key's certificate in ./keys/www.domain1.com.crt will contain a section +like: + + X509v3 Subject Alternative Name: + DNS:www.domain1.com, DNS:www.domain2.com, DNS:www.domain3.com + +Any modern browser should accept the certificate for all these domains +without complaining. Index: easy-rsa/revoke-full =================================================================== --- easy-rsa.orig/revoke-full 2014-01-07 12:50:10.983136393 +0100 +++ easy-rsa/revoke-full 2014-01-07 12:50:10.983136393 +0100 
@@ -20,6 +20,9 @@ export KEY_OU="" export KEY_NAME="" + # required due to hack in openssl.cnf that supports Subject Alternative Names + export KEY_ALTNAMES="" + # revoke key and generate a new CRL $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" Index: easy-rsa/openssl-1.0.0.cnf =================================================================== --- easy-rsa.orig/openssl-1.0.0.cnf 2014-01-07 12:14:36.823104370 +0100 +++ easy-rsa/openssl-1.0.0.cnf 2014-01-07 12:52:02.231138063 +0100 @@ -195,6 +195,7 @@ # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES # Copy subject details # issuerAltName=issuer:copy 
@@ -216,6 +217,7 @@ authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES [ v3_req ] debian/patches/series0000644000000000000000000000003512050437551012032 0ustar subjectAltName-support.patch debian/make-cadir.10000644000000000000000000000105512050227411011240 0ustar .TH MAKE-CADIR "1" "November 2012" "1.0" "make-cadir man page" .SH NAME make-cadir \- create certificates dir .SH SYNOPSIS .B ca-dir \fIDIR\fR .SH DESCRIPTION .PP Creates a NEW directory, copying and linking any necessary files from the easy-rsa package. .PP The specified DIR must not exist. .SH AUTHOR Written by Alberto Gonzalez Iniesta .SH COPYRIGHT Copyright \(co 2012 Alberto Gonzalez Iniesta License GPLv2: GNU GPL version 2 .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. debian/rules0000755000000000000000000000016112262763745010262 0ustar #!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 %: dh $@ debian/compat0000644000000000000000000000000212050227411010356 0ustar 8 debian/README-2.00000644000000000000000000002212312262765702010354 0ustar EASY-RSA Version 2.0-rc1 This is a small RSA key management package, based on the openssl command line tool, that can be found in the easy-rsa subdirectory of the OpenVPN distribution. While this tool is primary concerned with key management for the SSL VPN application space, it can also be used for building web certificates. These are reference notes. For step-by-step instructions, see the HOWTO: http://openvpn.net/howto.html This package is based on the ./pkitool script. Run ./pkitool without arguments for a detailed help message (which is also pasted below). Release Notes for easy-rsa-2.0 * Most functionality has been consolidated into the pkitool script. 
For compatibility, all previous scripts from 1.0 such as build-key and build-key-server are provided as stubs which call pkitool to do the real work. * pkitool has a --batch flag (enabled by default) which generates keys/certs without needing any interactive input. pkitool can still generate certs/keys using interactive prompting by using the --interact flag. * The inherit-inter script has been provided for creating a new PKI rooted on an intermediate certificate built within a higher-level PKI. See comments in the inherit-inter script for more info. * The openssl.cnf file has been modified. pkitool will not work with the openssl.cnf file included with previous easy-rsa releases. * The vars file has been modified -- the following extra variables have been added: EASY_RSA, CA_EXPIRE, KEY_EXPIRE. * The make-crl and revoke-crt scripts have been removed and are replaced by the revoke-full script. * The "Organizational Unit" X509 field can be set using the KEY_OU environment variable before calling pkitool. * This release only affects the Linux/Unix version of easy-rsa. The Windows version (written to use the Windows shell) is unchanged. * Use the revoke-full script to revoke a certificate, and generate (or update) the crl.pem file in the keys directory (as set by the vars script). Then use "crl-verify crl.pem" in your OpenVPN server config file, so that OpenVPN can reject any connections coming from clients which present a revoked certificate. Usage for the script is: revoke-full Note that this procedure is primarily designed to revoke client certificates. You could theoretically use this method to revoke server certificates as well, but then you would need to propagate the crl.pem file to all clients as well, and have them include "crl-verify crl.pem" in their configuration files. * PKCS#11 support was added. 
* For those interested in using this tool to generate web certificates, A variant of the easy-rsa package that allows the creation of multi-domain certificates with subjectAltName can be obtained from here: http://www.bisente.com/proyectos/easy-rsa-subjectaltname/ INSTALL easy-rsa 1. Edit vars. 2. Set KEY_CONFIG to point to the correct openssl-.cnf file included in this distribution. 3. Set KEY_DIR to point to a directory which will contain all keys, certificates, etc. This directory need not exist, and if it does, it will be deleted with rm -rf, so BE CAREFUL how you set KEY_DIR. 4. (Optional) Edit other fields in vars per your site data. You may want to increase KEY_SIZE to 2048 if you are paranoid and don't mind slower key processing, but certainly 1024 is fine for testing purposes. KEY_SIZE must be compatible across both peers participating in a secure SSL/TLS connection. 5. (Optional) If you intend to use PKCS#11, install openssl >= 0.9.7, install the following components from www.opensc.org: - opensc >= 0.10.0 - engine_pkcs11 >= 0.1.3 Update the openssl.cnf to load the engine: - Uncomment pkcs11 under engine_section. - Validate path at dynamic_path under pkcs11_section. 6. . vars 7. ./clean-all 8. As you create certificates, keys, and certificate signing requests, understand that only .key files should be kept confidential. .crt and .csr files can be sent over insecure channels such as plaintext email. IMPORTANT To avoid a possible Man-in-the-Middle attack where an authorized client tries to connect to another client by impersonating the server, make sure to enforce some kind of server certificate verification by clients. There are currently four different ways of accomplishing this, listed in the order of preference: (1) Build your server certificates with specific key usage and extended key usage. 
RFC 3280 specifies that the following attributes should be provided for TLS connections: Mode Key usage Extended key usage --------------------------------------------------------------------------- Client digitalSignature TLS Web Client Authentication keyAgreement digitalSignature, keyAgreement Server digitalSignature, keyEncipherment TLS Web Server Authentication digitalSignature, keyAgreement Now add the following line to your client configuration: remote-cert-tls server This will block clients from connecting to any server which lacks the required extension designation in its certificate, even if the certificate has been signed by the CA which is cited in the OpenVPN configuration file (--ca directive). (2) Use the --tls-remote directive on the client to accept/reject the server connection based on the common name of the server certificate. (3) Use a --tls-verify script or plugin to accept/reject the server connection based on a custom test of the server certificate's embedded X509 subject details. (4) Sign server certificates with one CA and client certificates with a different CA. The client config "ca" directive should reference the server-signing CA while the server config "ca" directive should reference the client-signing CA. NOTES Show certificate fields: openssl x509 -in cert.crt -text PKITOOL documentation pkitool 2.0 Usage: pkitool [options...] 
[common-name] Options: --batch : batch mode (default) --keysize : Set keysize size : size (default=1024) --interact : interactive mode --server : build server cert --initca : build root CA --inter : build intermediate CA --pass : encrypt private key with password --csr : only generate a CSR, do not sign --sign : sign an existing CSR --pkcs12 : generate a combined PKCS#12 file --pkcs11 : generate certificate on PKCS#11 token lib : PKCS#11 library slot : PKCS#11 slot id : PKCS#11 object id (hex string) label : PKCS#11 object label Standalone options: --pkcs11-slots : list PKCS#11 slots lib : PKCS#11 library --pkcs11-objects : list PKCS#11 token objects lib : PKCS#11 library slot : PKCS#11 slot --pkcs11-init : initialize PKCS#11 token DANGEROUS!!! lib : PKCS#11 library slot : PKCS#11 slot label : PKCS#11 token label Notes: Please edit the vars script to reflect your configuration, then source it with "source ./vars". Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all". Finally, you can run this tool (pkitool) to build certificates/keys. In order to use PKCS#11 interface you must have opensc-0.10.0 or higher. 
Generated files and corresponding OpenVPN directives: (Files will be placed in the $KEY_DIR directory, defined in ./vars) ca.crt -> root certificate (--ca) ca.key -> root key, keep secure (not directly used by OpenVPN) .crt files -> client/server certificates (--cert) .key files -> private keys, keep secure (--key) .csr files -> certificate signing request (not directly used by OpenVPN) dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) Examples: pkitool --initca -> Build root certificate pkitool --initca --pass -> Build root certificate with password-protected key pkitool --server server1 -> Build "server1" certificate/key pkitool client1 -> Build "client1" certificate/key pkitool --pass client2 -> Build password-protected "client2" certificate/key pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format pkitool --csr client4 -> Build "client4" CSR to be signed by another CA pkitool --sign client4 -> Sign "client4" CSR pkitool --inter interca -> Build an intermediate key-signing certificate/key Also see ./inherit-inter script. pkitool --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5 -> Build "client5" certificate/key in PKCS#11 token Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. Protect client2 key with a password. Build DH parms. 
Generated files in ./keys : [edit vars with your site-specific info] source ./vars ./clean-all ./build-dh -> takes a long time, consider backgrounding ./pkitool --initca ./pkitool --server myserver ./pkitool client1 ./pkitool --pass client2 Typical usage for adding client cert to existing PKI: source ./vars ./pkitool client-new debian/control0000644000000000000000000000076312262767270010612 0ustar Source: easy-rsa Section: utils Priority: extra Maintainer: Alberto Gonzalez Iniesta Build-Depends: debhelper (>= 8.0.0) Standards-Version: 3.9.5 Homepage: https://community.openvpn.net/openvpn Package: easy-rsa Architecture: all Depends: openssl, ${shlibs:Depends}, ${misc:Depends} Recommends: opensc Description: Simple shell based CA utility This package eases the creation of certificates, for example for openvpn clients. . This was formerly part of the openvpn package. debian/watch0000644000000000000000000000017612050227411010215 0ustar # Compulsory line, this is a version 3 file version=3 http://swupdate.openvpn.net/community/releases/easy-rsa-(.*)\.tar\.gz debian/easy-rsa.install0000644000000000000000000000124612262764507012320 0ustar debian/make-cadir usr/bin/ build-dh usr/share/easy-rsa/ build-key usr/share/easy-rsa/ build-key-pkcs12 usr/share/easy-rsa/ build-req usr/share/easy-rsa/ clean-all usr/share/easy-rsa/ inherit-inter usr/share/easy-rsa/ openssl-0.9.6.cnf usr/share/easy-rsa/ openssl-1.0.0.cnf usr/share/easy-rsa/ revoke-full usr/share/easy-rsa/ vars usr/share/easy-rsa/ build-ca usr/share/easy-rsa/ build-inter usr/share/easy-rsa/ build-key-pass usr/share/easy-rsa/ build-key-server usr/share/easy-rsa/ build-req-pass usr/share/easy-rsa/ list-crl usr/share/easy-rsa/ openssl-0.9.8.cnf usr/share/easy-rsa/ pkitool usr/share/easy-rsa/ sign-req usr/share/easy-rsa/ whichopensslcnf usr/share/easy-rsa/ debian/README.Debian0000644000000000000000000000166612262763321011244 0ustar easy-rsa for Debian ------------------- easy-rsa is a set of scripts to easy the 
administration of a Certificate Authority. For example to manage openvpn scripts. The effortless way to use it is calling "make-cadir DIRECTORY", which will create a new directory with symlinks to the scripts and a copy of the configuration files so you can edit them to suit your needs. i.e. ~$ make-cadir my_ca ~$ cd my_ca ~/my_ca$ vi vars -- Alberto Gonzalez Iniesta Mon, 12 Nov 2012 18:18:57 +0100 Improving security of created certificates ------------------------------------------ easy-rsa defaults use 2048 bits for keylength and 10 years (3650 days) as certificate lifetime. bettercrypto.org suggests increasing the keylength to 4096 bits and decreasing the certificate lifetime. You can change those values in the 'vars' file of your CA directory. -- Alberto Gonzalez Iniesta Tue, 07 Jan 2014 12:36:35 +0100 debian/source/0000755000000000000000000000000012050227411010460 5ustar debian/source/format0000644000000000000000000000001412050227411011666 0ustar 3.0 (quilt) debian/changelog0000644000000000000000000000135612262767421011056 0ustar easy-rsa (2.2.2-1) unstable; urgency=low * New upstream release. (Closes: #733905) * Rework build system, remove Build-Deps on autotools-dev * Add README.Debian with tips on using easy-rsa. * Add patch to support specifying subjectAltName (for use in web server certs). * Add suggestions to improve defaults' security to README.Debian. * Rescue upstream README file from older tarball. * Bumped Standards-Version to 3.9.5 -- Alberto Gonzalez Iniesta Tue, 07 Jan 2014 12:14:58 +0100 easy-rsa (2.2.0-1) unstable; urgency=low * Initial release (Closes: #693070) * Create make-cadir, to simplify the use of easy-rsa in Debian. -- Alberto Gonzalez Iniesta Tue, 06 Nov 2012 13:43:50 +0100