EasyRSA-2.2.2/000775 000765 000024 00000000000 12237326651 013431 5ustar00ecriststaff000000 000000 EasyRSA-2.2.2/build-ca000775 000765 000024 00000000167 12237326651 015043 0ustar00ecriststaff000000 000000 #!/bin/sh # # Build a root certificate # export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact --initca $* EasyRSA-2.2.2/build-dh000775 000765 000024 00000000540 12237326651 015046 0ustar00ecriststaff000000 000000 #!/bin/sh # Build Diffie-Hellman parameters for the server side # of an SSL/TLS connection. if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' fi EasyRSA-2.2.2/build-inter000775 000765 000024 00000000274 12237326651 015600 0ustar00ecriststaff000000 000000 #!/bin/sh # Make an intermediate CA certificate/private key pair using a locally generated # root certificate. export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact --inter $* EasyRSA-2.2.2/build-key000775 000765 000024 00000000243 12237326651 015243 0ustar00ecriststaff000000 000000 #!/bin/sh # Make a certificate/private key pair using a locally generated # root certificate. export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact $* EasyRSA-2.2.2/build-key-pass000775 000765 000024 00000000235 12237326651 016210 0ustar00ecriststaff000000 000000 #!/bin/sh # Similar to build-key, but protect the private key # with a password. export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact --pass $* EasyRSA-2.2.2/build-key-pkcs12000775 000765 000024 00000000371 12237326651 016346 0ustar00ecriststaff000000 000000 #!/bin/sh # Make a certificate/private key pair using a locally generated # root certificate and convert it to a PKCS #12 file including the # the CA certificate as well. export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact --pkcs12 $* EasyRSA-2.2.2/build-key-server000775 000765 000024 00000000414 12237326651 016547 0ustar00ecriststaff000000 000000 #!/bin/sh # Make a certificate/private key pair using a locally generated # root certificate. # # Explicitly set nsCertType to server using the "server" # extension in the openssl.cnf file. export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact --server $* EasyRSA-2.2.2/build-req000775 000765 000024 00000000325 12237326651 015243 0ustar00ecriststaff000000 000000 #!/bin/sh # Build a certificate signing request and private key. Use this # when your root certificate and key is not available locally. export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact --csr $* EasyRSA-2.2.2/build-req-pass000775 000765 000024 00000000236 12237326651 016210 0ustar00ecriststaff000000 000000 #!/bin/sh # Like build-req, but protect your private key # with a password. export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact --csr --pass $* EasyRSA-2.2.2/clean-all000775 000765 000024 00000000701 12237326651 015205 0ustar00ecriststaff000000 000000 #!/bin/sh # Initialize the $KEY_DIR directory. # Note that this script does a # rm -rf on $KEY_DIR so be careful! if [ "$KEY_DIR" ]; then rm -rf "$KEY_DIR" mkdir "$KEY_DIR" && \ chmod go-rwx "$KEY_DIR" && \ touch "$KEY_DIR/index.txt" && \ echo 01 >"$KEY_DIR/serial" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' fi EasyRSA-2.2.2/inherit-inter000775 000765 000024 00000002677 12237326651 016154 0ustar00ecriststaff000000 000000 #!/bin/sh # Build a new PKI which is rooted on an intermediate certificate generated # by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should # have independent vars settings, and must use a different KEY_DIR directory # from the parent. This tool can be used to generate arbitrary depth # certificate chains. # # To build an intermediate CA, follow the same steps for a regular PKI but # replace ./build-key or ./pkitool --initca with this script. # The EXPORT_CA file will contain the CA certificate chain and should be # referenced by the OpenVPN "ca" directive in config files. The ca.crt file # will only contain the local intermediate CA -- it's needed by the easy-rsa # scripts but not by OpenVPN directly. EXPORT_CA="export-ca.crt" if [ $# -ne 2 ]; then echo "usage: $0 " echo "parent-key-dir: the KEY_DIR directory of the parent PKI" echo "common-name: the common name of the intermediate certificate in the parent PKI" exit 1; fi if [ "$KEY_DIR" ]; then cp "$1/$2.crt" "$KEY_DIR/ca.crt" cp "$1/$2.key" "$KEY_DIR/ca.key" if [ -e "$1/$EXPORT_CA" ]; then PARENT_CA="$1/$EXPORT_CA" else PARENT_CA="$1/ca.crt" fi cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' fi EasyRSA-2.2.2/list-crl000775 000765 000024 00000000456 12237326651 015115 0ustar00ecriststaff000000 000000 #!/bin/sh # list revoked certificates CRL="${1:-crl.pem}" if [ "$KEY_DIR" ]; then cd "$KEY_DIR" && \ $OPENSSL crl -text -noout -in "$CRL" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' fi EasyRSA-2.2.2/openssl-0.9.6.cnf000664 000765 000024 00000017157 12237326651 016267 0ustar00ecriststaff000000 000000 # For use with easy-rsa version 2.0 # # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca' and 'req'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = $ENV::KEY_DIR # Where everything is kept certs = $dir # Where the issued certs are kept crl_dir = $dir # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir # default place for new certs. certificate = $dir/ca.crt # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/ca.key # The private key RANDFILE = $dir/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crl_extensions = crl_ext default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_anything # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = $ENV::KEY_SIZE default_keyfile = privkey.pem default_md = sha256 distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = $ENV::KEY_COUNTRY countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = $ENV::KEY_PROVINCE localityName = Locality Name (eg, city) localityName_default = $ENV::KEY_CITY 0.organizationName = Organization Name (eg, company) 0.organizationName_default = $ENV::KEY_ORG # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_default = $ENV::KEY_EMAIL emailAddress_max = 40 # JY -- added for batch mode organizationalUnitName_default = $ENV::KEY_OU commonName_default = $ENV::KEY_CN # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "Easy-RSA Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=clientAuth keyUsage = digitalSignature # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ server ] # JY ADDED -- Make a cert with nsCertType set to "server" basicConstraints=CA:FALSE nsCertType = server nsComment = "Easy-RSA Generated Server Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always EasyRSA-2.2.2/openssl-0.9.8.cnf000664 000765 000024 00000020234 12237326651 016257 0ustar00ecriststaff000000 000000 # For use with easy-rsa version 2.0 # # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf = openssl_init [ openssl_init ] # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids engines = engine_section # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca' and 'req'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = $ENV::KEY_DIR # Where everything is kept certs = $dir # Where the issued certs are kept crl_dir = $dir # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir # default place for new certs. certificate = $dir/ca.crt # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/ca.key # The private key RANDFILE = $dir/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crl_extensions = crl_ext default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_anything # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied name = optional emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied name = optional emailAddress = optional #################################################################### [ req ] default_bits = $ENV::KEY_SIZE default_keyfile = privkey.pem default_md = sha256 distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = $ENV::KEY_COUNTRY countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = $ENV::KEY_PROVINCE localityName = Locality Name (eg, city) localityName_default = $ENV::KEY_CITY 0.organizationName = Organization Name (eg, company) 0.organizationName_default = $ENV::KEY_ORG # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 name = Name name_max = 64 emailAddress = Email Address emailAddress_default = $ENV::KEY_EMAIL emailAddress_max = 40 # JY -- added for batch mode organizationalUnitName_default = $ENV::KEY_OU commonName_default = $ENV::KEY_CN name_default = $ENV::KEY_NAME # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "Easy-RSA Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=clientAuth keyUsage = digitalSignature # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ server ] # JY ADDED -- Make a cert with nsCertType set to "server" basicConstraints=CA:FALSE nsCertType = server nsComment = "Easy-RSA Generated Server Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always [ engine_section ] # # If you are using PKCS#11 # Install engine_pkcs11 of opensc (www.opensc.org) # And uncomment the following # verify that dynamic_path points to the correct location # #pkcs11 = pkcs11_section [ pkcs11_section ] engine_id = pkcs11 dynamic_path = /usr/lib/engines/engine_pkcs11.so MODULE_PATH = $ENV::PKCS11_MODULE_PATH PIN = $ENV::PKCS11_PIN init = 0 EasyRSA-2.2.2/openssl-1.0.0.cnf000664 000765 000024 00000020065 12237326651 016241 0ustar00ecriststaff000000 000000 # For use with easy-rsa version 2.0 and OpenSSL 1.0.0* # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf = openssl_init [ openssl_init ] # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids engines = engine_section # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca' and 'req'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = $ENV::KEY_DIR # Where everything is kept certs = $dir # Where the issued certs are kept crl_dir = $dir # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir # default place for new certs. certificate = $dir/ca.crt # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/ca.key # The private key RANDFILE = $dir/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crl_extensions = crl_ext default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_anything # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied name = optional emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied name = optional emailAddress = optional #################################################################### [ req ] default_bits = $ENV::KEY_SIZE default_keyfile = privkey.pem default_md = sha256 distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString (PKIX recommendation after 2004). # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = $ENV::KEY_COUNTRY countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = $ENV::KEY_PROVINCE localityName = Locality Name (eg, city) localityName_default = $ENV::KEY_CITY 0.organizationName = Organization Name (eg, company) 0.organizationName_default = $ENV::KEY_ORG # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 name = Name name_max = 64 emailAddress = Email Address emailAddress_default = $ENV::KEY_EMAIL emailAddress_max = 40 # JY -- added for batch mode organizationalUnitName_default = $ENV::KEY_OU commonName_default = $ENV::KEY_CN name_default = $ENV::KEY_NAME # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "Easy-RSA Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=clientAuth keyUsage = digitalSignature # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ server ] # JY ADDED -- Make a cert with nsCertType set to "server" basicConstraints=CA:FALSE nsCertType = server nsComment = "Easy-RSA Generated Server Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always [ engine_section ] # # If you are using PKCS#11 # Install engine_pkcs11 of opensc (www.opensc.org) # And uncomment the following # verify that dynamic_path points to the correct location # #pkcs11 = pkcs11_section [ pkcs11_section ] engine_id = pkcs11 dynamic_path = /usr/lib/engines/engine_pkcs11.so MODULE_PATH = $ENV::PKCS11_MODULE_PATH PIN = $ENV::PKCS11_PIN init = 0 EasyRSA-2.2.2/pkitool000775 000765 000024 00000031246 12237326651 015046 0ustar00ecriststaff000000 000000 #!/bin/sh # OpenVPN -- An application to securely tunnel IP networks # over a single TCP/UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2010 OpenVPN Technologies, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program (see the file COPYING included with this # distribution); if not, write to the Free Software Foundation, Inc., # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # pkitool is a front-end for the openssl tool. # Calling scripts can set the certificate organizational # unit with the KEY_OU environmental variable. # Calling scripts can also set the KEY_NAME environmental # variable to set the "name" X509 subject field. PROGNAME=pkitool VERSION=2.0 DEBUG=0 die() { local m="$1" echo "$m" >&2 exit 1 } need_vars() { cat < root certificate (--ca) ca.key -> root key, keep secure (not directly used by OpenVPN) .crt files -> client/server certificates (--cert) .key files -> private keys, keep secure (--key) .csr files -> certificate signing request (not directly used by OpenVPN) dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) Examples: $PROGNAME --initca -> Build root certificate $PROGNAME --initca --pass -> Build root certificate with password-protected key $PROGNAME --server server1 -> Build "server1" certificate/key $PROGNAME client1 -> Build "client1" certificate/key $PROGNAME --pass client2 -> Build password-protected "client2" certificate/key $PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format $PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA $PROGNAME --sign client4 -> Sign "client4" CSR $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key Also see ./inherit-inter script. $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5 -> Build "client5" certificate/key in PKCS#11 token Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. Protect client2 key with a password. Build DH parms. Generated files in ./keys : [edit vars with your site-specific info] source ./vars ./clean-all ./build-dh -> takes a long time, consider backgrounding ./$PROGNAME --initca ./$PROGNAME --server myserver ./$PROGNAME client1 ./$PROGNAME --pass client2 Typical usage for adding client cert to existing PKI: source ./vars ./$PROGNAME client-new EOM } # Set tool defaults [ -n "$OPENSSL" ] || export OPENSSL="openssl" [ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool" [ -n "$GREP" ] || export GREP="grep" # Set defaults DO_REQ="1" REQ_EXT="" DO_CA="1" CA_EXT="" DO_P12="0" DO_P11="0" DO_ROOT="0" NODES_REQ="-nodes" NODES_P12="" BATCH="-batch" CA="ca" # must be set or errors of openssl.cnf PKCS11_MODULE_PATH="dummy" PKCS11_PIN="dummy" # Process options while [ $# -gt 0 ]; do case "$1" in --keysize ) KEY_SIZE=$2 shift;; --server ) REQ_EXT="$REQ_EXT -extensions server" CA_EXT="$CA_EXT -extensions server" ;; --batch ) BATCH="-batch" ;; --interact ) BATCH="" ;; --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; --initca ) DO_ROOT="1" ;; --pass ) NODES_REQ="" ;; --csr ) DO_CA="0" ;; --sign ) DO_REQ="0" ;; --pkcs12 ) DO_P12="1" ;; --pkcs11 ) DO_P11="1" PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" PKCS11_ID="$4" PKCS11_LABEL="$5" shift 4;; # standalone --pkcs11-init) PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" PKCS11_LABEL="$4" if [ -z "$PKCS11_LABEL" ]; then die "Please specify library name, slot and label" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ --label "$PKCS11_LABEL" && $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" exit $?;; --pkcs11-slots) PKCS11_MODULE_PATH="$2" if [ -z "$PKCS11_MODULE_PATH" ]; then die "Please specify library name" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots exit 0;; --pkcs11-objects) PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" if [ -z "$PKCS11_SLOT" ]; then die "Please specify library name and slot" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" exit 0;; --help|--usage) usage exit ;; --version) echo "$PROGNAME $VERSION" exit ;; # errors --* ) die "$PROGNAME: unknown option: $1" ;; * ) break ;; esac shift done if ! [ -z "$BATCH" ]; then if $OPENSSL version | grep 0.9.6 > /dev/null; then die "Batch mode is unsupported in openssl<0.9.7" fi fi if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then die "PKCS#11 and PKCS#12 cannot be specified together" fi if [ $DO_P11 -eq 1 ]; then if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then die "Please edit $KEY_CONFIG and setup PKCS#11 engine" fi fi # If we are generating pkcs12, only encrypt the final step if [ $DO_P12 -eq 1 ]; then NODES_P12="$NODES_REQ" NODES_REQ="-nodes" fi if [ $DO_P11 -eq 1 ]; then if [ -z "$PKCS11_LABEL" ]; then die "PKCS#11 arguments incomplete" fi fi # If undefined, set default key expiration intervals if [ -z "$KEY_EXPIRE" ]; then KEY_EXPIRE=3650 fi if [ -z "$CA_EXPIRE" ]; then CA_EXPIRE=3650 fi # Set organizational unit to empty string if undefined if [ -z "$KEY_OU" ]; then KEY_OU="" fi # Set X509 Name string to empty string if undefined if [ -z "$KEY_NAME" ]; then KEY_NAME="" fi # Set KEY_CN, FN if [ $DO_ROOT -eq 1 ]; then if [ -z "$KEY_CN" ]; then if [ "$1" ]; then KEY_CN="$1" elif [ "$KEY_ORG" ]; then KEY_CN="$KEY_ORG CA" fi fi if [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using CA Common Name:" "$KEY_CN" fi FN="$KEY_CN" elif [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using Common Name:" "$KEY_CN" FN="$KEY_CN" if [ "$1" ]; then FN="$1" fi else if [ $# -ne 1 ]; then usage exit 1 else KEY_CN="$1" fi FN="$KEY_CN" fi export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN # Show parameters (debugging) if [ $DEBUG -eq 1 ]; then echo DO_REQ $DO_REQ echo REQ_EXT $REQ_EXT echo DO_CA $DO_CA echo CA_EXT $CA_EXT echo NODES_REQ $NODES_REQ echo NODES_P12 $NODES_P12 echo DO_P12 $DO_P12 echo KEY_CN $KEY_CN echo BATCH $BATCH echo DO_ROOT $DO_ROOT echo KEY_EXPIRE $KEY_EXPIRE echo CA_EXPIRE $CA_EXPIRE echo KEY_OU $KEY_OU echo KEY_NAME $KEY_NAME echo DO_P11 $DO_P11 echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH echo PKCS11_SLOT $PKCS11_SLOT echo PKCS11_ID $PKCS11_ID echo PKCS11_LABEL $PKCS11_LABEL fi # Make sure ./vars was sourced beforehand if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then cd "$KEY_DIR" # Make sure $KEY_CONFIG points to the correct version # of openssl.cnf if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then : else echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" echo "version of openssl.cnf: $KEY_CONFIG" echo "The correct version should have a comment that says: easy-rsa version 2.x"; exit 1; fi # Build root CA if [ $DO_ROOT -eq 1 ]; then $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ chmod 0600 "$CA.key" else # Make sure CA key/cert is available if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" echo "Try $PROGNAME --initca to build a root certificate/key." exit 1 fi fi # Generate key for PKCS#11 token PKCS11_ARGS= if [ $DO_P11 -eq 1 ]; then stty -echo echo -n "User PIN: " read -r PKCS11_PIN stty echo export PKCS11_PIN echo "Generating key pair on PKCS#11 token..." $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ --login --pin "$PKCS11_PIN" \ --key-type rsa:1024 \ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" fi # Build cert/key ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \ -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) # Load certificate into PKCS#11 token if [ $DO_P11 -eq 1 ]; then $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ --login --pin "$PKCS11_PIN" \ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" [ -e "$FN.crt.der" ]; rm "$FN.crt.der" fi fi # Need definitions else need_vars fi EasyRSA-2.2.2/revoke-full000775 000765 000024 00000001640 12237326651 015613 0ustar00ecriststaff000000 000000 #!/bin/sh # revoke a certificate, regenerate CRL, # and verify revocation CRL="crl.pem" RT="revoke-test.pem" if [ $# -ne 1 ]; then echo "usage: revoke-full "; exit 1 fi if [ "$KEY_DIR" ]; then cd "$KEY_DIR" rm -f "$RT" # set defaults export KEY_CN="" export KEY_OU="" export KEY_NAME="" # revoke key and generate a new CRL $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" # generate a new CRL -- try to be compatible with # intermediate PKIs $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" if [ -e export-ca.crt ]; then cat export-ca.crt "$CRL" >"$RT" else cat ca.crt "$CRL" >"$RT" fi # verify the revocation $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' fi EasyRSA-2.2.2/sign-req000775 000765 000024 00000000262 12237326651 015104 0ustar00ecriststaff000000 000000 #!/bin/sh # Sign a certificate signing request (a .csr file) # with a local root certificate and key. export EASY_RSA="${EASY_RSA:-.}" "$EASY_RSA/pkitool" --interact --sign $* EasyRSA-2.2.2/vars000664 000765 000024 00000004035 12237326651 014331 0ustar00ecriststaff000000 000000 # easy-rsa parameter settings # NOTE: If you installed from an RPM, # don't edit this file in place in # /usr/share/openvpn/easy-rsa -- # instead, you should copy the whole # easy-rsa directory to another location # (such as /etc/openvpn) so that your # edits will not be wiped out by a future # OpenVPN package upgrade. # This variable should point to # the top level of the easy-rsa # tree. export EASY_RSA="`pwd`" # # This variable should point to # the requested executables # export OPENSSL="openssl" export PKCS11TOOL="pkcs11-tool" export GREP="grep" # This variable should point to # the openssl.cnf file included # with easy-rsa. export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` # Edit this variable to point to # your soon-to-be-created key # directory. # # WARNING: clean-all will do # a rm -rf on this directory # so make sure you define # it correctly! export KEY_DIR="$EASY_RSA/keys" # Issue rm -rf warning echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR # PKCS11 fixes export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy" # Increase this to 2048 if you # are paranoid. This will slow # down TLS negotiation performance # as well as the one-time DH parms # generation process. export KEY_SIZE=2048 # In how many days should the root CA key expire? export CA_EXPIRE=3650 # In how many days should certificates expire? export KEY_EXPIRE=3650 # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="me@myhost.mydomain" export KEY_OU="MyOrganizationalUnit" # X509 Subject Field export KEY_NAME="EasyRSA" # PKCS11 Smart Card # export PKCS11_MODULE_PATH="/usr/lib/changeme.so" # export PKCS11_PIN=1234 # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below # You will also need to make sure your OpenVPN server config has the duplicate-cn option set # export KEY_CN="CommonName" EasyRSA-2.2.2/whichopensslcnf000775 000765 000024 00000001344 12237326651 016556 0ustar00ecriststaff000000 000000 #!/bin/sh cnf="$1/openssl.cnf" if [ "$OPENSSL" ]; then if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then cnf="$1/openssl-0.9.6.cnf" elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then cnf="$1/openssl-0.9.8.cnf" elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then cnf="$1/openssl-1.0.0.cnf" else cnf="$1/openssl.cnf" fi fi echo $cnf if [ ! -r $cnf ]; then echo "**************************************************************" >&2 echo " No $cnf file could be found" >&2 echo " Further invocations will fail" >&2 echo "**************************************************************" >&2 fi exit 0