new file mode 100644

@@ -0,0 +1,168 @@

+EASY-RSA Version 2.0-rc1

+

+This is a small RSA key management package, based on the openssl

+command line tool, that can be found in the easy-rsa subdirectory

+of the OpenVPN distribution.

+

+These are reference notes.  For step-by-step instructions, see the

+HOWTO:

+

+http://openvpn.net/howto.html

+

+This package is based on the ./pkitool script.  Run ./pkitool

+without arguments for a detailed help message (which is also pasted

+below).

+

+Release Notes for easy-rsa-2.0

+

+* Most functionality has been consolidated into the pkitool

+  script. For compatibility, all previous scripts from 1.0 such

+  as build-key and build-key-server are provided as stubs

+  which call pkitool to do the real work.

+

+* pkitool has a --batch flag (enabled by default) which generates

+  keys/certs without needing any interactive input.  pkitool

+  can still generate certs/keys using interactive prompting by

+  using the --interact flag.

+

+* The inherit-inter script has been provided for creating

+  a new PKI rooted on an intermediate certificate built within a

+  higher-level PKI.  See comments in the inherit-inter script

+  for more info.

+

+* The openssl.cnf file has been modified.  pkitool will not

+  work with the openssl.cnf file included with previous

+  easy-rsa releases.

+

+* The vars file has been modified -- the following extra

+  variables have been added: EASY_RSA, CA_EXPIRE,

+  KEY_EXPIRE.

+

+* The make-crl and revoke-crt scripts have been removed and

+  are replaced by the revoke-full script.

+

+* The "Organizational Unit" X509 field can be set using

+  the KEY_OU environmental variable before calling pkitool.

+

+* This release only affects the Linux/Unix version of easy-rsa.

+  The Windows version (written to use the Windows shell) is unchanged.

+

+INSTALL easy-rsa

+

+1. Edit vars.

+2. Set KEY_CONFIG to point to the openssl.cnf file

+   included in this distribution.

+3. Set KEY_DIR to point to a directory which will

+   contain all keys, certificates, etc.  This

+   directory need not exist, and if it does,

+   it will be deleted with rm -rf, so BE

+   CAREFUL how you set KEY_DIR.

+4. (Optional) Edit other fields in vars

+   per your site data.  You may want to

+   increase KEY_SIZE to 2048 if you are

+   paranoid and don't mind slower key

+   processing, but certainly 1024 is

+   fine for testing purposes.  KEY_SIZE

+   must be compatible across both peers

+   participating in a secure SSL/TLS

+   connection.

+5  . vars

+6. ./clean-all

+7. As you create certificates, keys, and

+   certificate signing requests, understand that

+   only .key files should be kept confidential.

+   .crt and .csr files can be sent over insecure

+   channels such as plaintext email.

+

+IMPORTANT

+

+To avoid a possible Man-in-the-Middle attack where an authorized

+client tries to connect to another client by impersonating the

+server, make sure to enforce some kind of server certificate

+verification by clients.  There are currently four different ways

+of accomplishing this, listed in the order of preference:

+

+(1) Build your server certificates with the build-key-server

+    script, or using the --server option to pkitool.

+    This will designate the certificate as a

+    server-only certificate by setting nsCertType=server.

+    Now add the following line to your client configuration:

+      

+    ns-cert-type server

+

+    This will block clients from connecting to any

+    server which lacks the nsCertType=server designation

+    in its certificate, even if the certificate has been

+    signed by the CA which is cited in the OpenVPN configuration

+    file (--ca directive).

+

+(2) Use the --tls-remote directive on the client to

+    accept/reject the server connection based on the common

+    name of the server certificate.

+

+(3) Use a --tls-verify script or plugin to accept/reject the

+    server connection based on a custom test of the server

+    certificate's embedded X509 subject details.

+

+(4) Sign server certificates with one CA and client certificates

+    with a different CA.  The client config "ca" directive should

+    reference the server-signing CA while the server config "ca"

+    directive should reference the client-signing CA.

+

+NOTES

+

+Show certificate fields:

+  openssl x509 -in cert.crt -text

+

+PKITOOL documentation

+

+pkitool 2.0

+Usage: pkitool [options...] [common-name]

+Options:

+  --batch    : batch mode (default)

+  --interact : interactive mode

+  --server   : build server cert

+  --initca   : build root CA

+  --inter    : build intermediate CA

+  --pass     : encrypt private key with password

+  --csr      : only generate a CSR, do not sign

+  --sign     : sign an existing CSR

+  --pkcs12   : generate a combined pkcs12 file

+Notes:

+  Please edit the vars script to reflect your configuration,

+  then source it with "source ./vars".

+  Next, to start with a fresh PKI configuration and to delete any

+  previous certificates and keys, run "./clean-all".

+  Finally, you can run this tool (pkitool) to build certificates/keys.

+Generated files and corresponding OpenVPN directives:

+(Files will be placed in the $KEY_DIR directory, defined in ./vars)

+  ca.crt     -> root certificate (--ca)

+  ca.key     -> root key, keep secure (not directly used by OpenVPN)

+  .crt files -> client/server certificates (--cert)

+  .key files -> private keys, keep secure (--key)

+  .csr files -> certificate signing request (not directly used by OpenVPN)

+  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)

+Examples:

+  pkitool --initca          -> Build root certificate

+  pkitool --initca --pass   -> Build root certificate with password-protected key

+  pkitool --server server1  -> Build "server1" certificate/key

+  pkitool client1           -> Build "client1" certificate/key

+  pkitool --pass client2    -> Build password-protected "client2" certificate/key

+  pkitool --pkcs12 client3  -> Build "client3" certificate/key in PKCS #12 format

+  pkitool --csr client4     -> Build "client4" CSR to be signed by another CA

+  pkitool --sign client4    -> Sign "client4" CSR

+  pkitool --inter interca   -> Build an intermediate key-signing certificate/key

+                               Also see ./inherit-inter script.

+Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys.

+Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :

+  [edit vars with your site-specific info]

+  source ./vars

+  ./clean-all

+  ./build-dh     -> takes a long time, consider backgrounding

+  ./pkitool --initca

+  ./pkitool --server myserver

+  ./pkitool client1

+  ./pkitool --pass client2

+Typical usage for adding client cert to existing PKI:

+  source ./vars

+  ./pkitool client-new

new file mode 100755

@@ -0,0 +1,8 @@

+#!/bin/bash

+

+#

+# Build a root certificate

+#

+

+export EASY_RSA="${EASY_RSA:-.}"

+"$EASY_RSA/pkitool" --interact --initca $*

new file mode 100755

@@ -0,0 +1,11 @@

+#!/bin/bash

+

+# Build Diffie-Hellman parameters for the server side

+# of an SSL/TLS connection.

+

+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then

+    openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}

+else

+    echo 'Please source the vars script first (i.e. "source ./vars")'

+    echo 'Make sure you have edited it to reflect your configuration.'

+fi

new file mode 100755

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+# Make an intermediate CA certificate/private key pair using a locally generated

+# root certificate.

+

+export EASY_RSA="${EASY_RSA:-.}"

+"$EASY_RSA/pkitool" --interact --inter $*

new file mode 100755

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+# Make a certificate/private key pair using a locally generated

+# root certificate.

+

+export EASY_RSA="${EASY_RSA:-.}"

+"$EASY_RSA/pkitool" --interact $*

new file mode 100755

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+# Similar to build-key, but protect the private key

+# with a password.

+

+export EASY_RSA="${EASY_RSA:-.}"

+"$EASY_RSA/pkitool" --interact --pass $*

new file mode 100755

@@ -0,0 +1,8 @@

+#!/bin/bash

+

+# Make a certificate/private key pair using a locally generated

+# root certificate and convert it to a PKCS #12 file including the

+# the CA certificate as well.

+

+export EASY_RSA="${EASY_RSA:-.}"

+"$EASY_RSA/pkitool" --interact --pkcs12 $*

new file mode 100755

@@ -0,0 +1,10 @@

+#!/bin/bash

+

+# Make a certificate/private key pair using a locally generated

+# root certificate.

+#

+# Explicitly set nsCertType to server using the "server"

+# extension in the openssl.cnf file.

+

+export EASY_RSA="${EASY_RSA:-.}"

+"$EASY_RSA/pkitool" --interact --server $*

new file mode 100755

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+# Build a certificate signing request and private key.  Use this

+# when your root certificate and key is not available locally.

+

+export EASY_RSA="${EASY_RSA:-.}"

+"$EASY_RSA/pkitool" --interact --csr $*

new file mode 100755

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+# Like build-req, but protect your private key

+# with a password.

+

+export EASY_RSA="${EASY_RSA:-.}"

+"$EASY_RSA/pkitool" --interact --csr --pass $*

new file mode 100755

@@ -0,0 +1,16 @@

+#!/bin/bash

+

+# Initialize the $KEY_DIR directory.

+# Note that this script does a

+# rm -rf on $KEY_DIR so be careful!

+

+if [ "$KEY_DIR" ]; then

+    rm -rf "$KEY_DIR"

+    mkdir "$KEY_DIR" && \

+	chmod go-rwx "$KEY_DIR" && \

+	touch "$KEY_DIR/index.txt" && \

+	echo 01 >"$KEY_DIR/serial"

+else

+    echo 'Please source the vars script first (i.e. "source ./vars")'

+    echo 'Make sure you have edited it to reflect your configuration.'

+fi

new file mode 100755

@@ -0,0 +1,39 @@

+#!/bin/bash

+

+# Build a new PKI which is rooted on an intermediate certificate generated

+# by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should

+# have independent vars settings, and must use a different KEY_DIR directory

+# from the parent.  This tool can be used to generate arbitrary depth

+# certificate chains.

+#

+# To build an intermediate CA, follow the same steps for a regular PKI but

+# replace ./build-key or ./pkitool --initca with this script.

+

+# The EXPORT_CA file will contain the CA certificate chain and should be

+# referenced by the OpenVPN "ca" directive in config files.  The ca.crt file

+# will only contain the local intermediate CA -- it's needed by the easy-rsa

+# scripts but not by OpenVPN directly.

+EXPORT_CA="export-ca.crt"

+

+if [ $# -ne 2 ]; then

+    echo "usage: $0 <parent-key-dir> <common-name>"

+    echo "parent-key-dir: the KEY_DIR directory of the parent PKI"

+    echo "common-name: the common name of the intermediate certificate in the parent PKI"

+    exit 1;

+fi

+

+if [ "$KEY_DIR" ]; then

+    cp "$1/$2.crt" "$KEY_DIR/ca.crt"

+    cp "$1/$2.key" "$KEY_DIR/ca.key"

+

+    if [ -e "$1/$EXPORT_CA" ]; then

+	PARENT_CA="$1/$EXPORT_CA"

+    else

+	PARENT_CA="$1/ca.crt"

+    fi

+    cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"

+    cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"

+else

+    echo 'Please source the vars script first (i.e. "source ./vars")'

+    echo 'Make sure you have edited it to reflect your configuration.'

+fi

new file mode 100755

@@ -0,0 +1,13 @@

+#!/bin/bash

+

+# list revoked certificates

+

+CRL="${1:-crl.pem}"

+

+if [ "$KEY_DIR" ]; then

+    cd "$KEY_DIR" && \

+	openssl crl -text -noout -in "$CRL"

+else

+    echo 'Please source the vars script first (i.e. "source ./vars")'

+    echo 'Make sure you have edited it to reflect your configuration.'

+fi

new file mode 100755

@@ -0,0 +1,261 @@

+# For use with easy-rsa version 2.0

+

+#

+# OpenSSL example configuration file.

+# This is mostly being used for generation of certificate requests.

+#

+

+# This definition stops the following lines choking if HOME isn't

+# defined.

+HOME			= .

+RANDFILE		= $ENV::HOME/.rnd

+

+# Extra OBJECT IDENTIFIER info:

+#oid_file		= $ENV::HOME/.oid

+oid_section		= new_oids

+

+# To use this configuration file with the "-extfile" option of the

+# "openssl x509" utility, name here the section containing the

+# X.509v3 extensions to use:

+# extensions		= 

+# (Alternatively, use a configuration file that has only

+# X.509v3 extensions in its main [= default] section.)

+

+[ new_oids ]

+

+# We can add new OIDs in here for use by 'ca' and 'req'.

+# Add a simple OID like this:

+# testoid1=1.2.3.4

+# Or use config file substitution like this:

+# testoid2=${testoid1}.5.6

+

+####################################################################

+[ ca ]

+default_ca	= CA_default		# The default ca section

+

+####################################################################

+[ CA_default ]

+

+dir		= $ENV::KEY_DIR		# Where everything is kept

+certs		= $dir			# Where the issued certs are kept

+crl_dir		= $dir			# Where the issued crl are kept

+database	= $dir/index.txt	# database index file.

+new_certs_dir	= $dir			# default place for new certs.

+

+certificate	= $dir/ca.crt	 	# The CA certificate

+serial		= $dir/serial 		# The current serial number

+crl		= $dir/crl.pem 		# The current CRL

+private_key	= $dir/ca.key	 	# The private key

+RANDFILE	= $dir/.rand		# private random number file

+

+x509_extensions	= usr_cert		# The extentions to add to the cert

+

+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

+# so this is commented out by default to leave a V1 CRL.

+# crl_extensions	= crl_ext

+

+default_days	= 3650			# how long to certify for

+default_crl_days= 30			# how long before next CRL

+default_md	= md5			# which md to use.

+preserve	= no			# keep passed DN ordering

+

+# A few difference way of specifying how similar the request should look

+# For type CA, the listed attributes must be the same, and the optional

+# and supplied fields are just that :-)

+policy		= policy_anything

+

+# For the CA policy

+[ policy_match ]

+countryName		= match

+stateOrProvinceName	= match

+organizationName	= match

+organizationalUnitName	= optional

+commonName		= supplied

+emailAddress		= optional

+

+# For the 'anything' policy

+# At this point in time, you must list all acceptable 'object'

+# types.

+[ policy_anything ]

+countryName		= optional

+stateOrProvinceName	= optional

+localityName		= optional

+organizationName	= optional

+organizationalUnitName	= optional

+commonName		= supplied

+emailAddress		= optional

+

+####################################################################

+[ req ]

+default_bits		= $ENV::KEY_SIZE

+default_keyfile 	= privkey.pem

+distinguished_name	= req_distinguished_name

+attributes		= req_attributes

+x509_extensions	= v3_ca	# The extentions to add to the self signed cert

+

+# Passwords for private keys if not present they will be prompted for

+# input_password = secret

+# output_password = secret

+

+# This sets a mask for permitted string types. There are several options. 

+# default: PrintableString, T61String, BMPString.

+# pkix	 : PrintableString, BMPString.

+# utf8only: only UTF8Strings.

+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

+# MASK:XXXX a literal mask value.

+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings

+# so use this option with caution!

+string_mask = nombstr

+

+# req_extensions = v3_req # The extensions to add to a certificate request

+

+[ req_distinguished_name ]

+countryName			= Country Name (2 letter code)

+countryName_default		= $ENV::KEY_COUNTRY

+countryName_min			= 2

+countryName_max			= 2

+

+stateOrProvinceName		= State or Province Name (full name)

+stateOrProvinceName_default	= $ENV::KEY_PROVINCE

+

+localityName			= Locality Name (eg, city)

+localityName_default		= $ENV::KEY_CITY

+

+0.organizationName		= Organization Name (eg, company)

+0.organizationName_default	= $ENV::KEY_ORG

+

+# we can do this but it is not needed normally :-)

+#1.organizationName		= Second Organization Name (eg, company)

+#1.organizationName_default	= World Wide Web Pty Ltd

+

+organizationalUnitName		= Organizational Unit Name (eg, section)

+#organizationalUnitName_default	=

+

+commonName			= Common Name (eg, your name or your server\'s hostname)

+commonName_max			= 64

+

+emailAddress			= Email Address

+emailAddress_default		= $ENV::KEY_EMAIL

+emailAddress_max		= 40

+

+# JY -- added for batch mode

+organizationalUnitName_default = $ENV::KEY_OU

+commonName_default = $ENV::KEY_CN

+

+# SET-ex3			= SET extension number 3

+

+[ req_attributes ]

+challengePassword		= A challenge password

+challengePassword_min		= 4

+challengePassword_max		= 20

+

+unstructuredName		= An optional company name

+

+[ usr_cert ]

+

+# These extensions are added when 'ca' signs a request.

+

+# This goes against PKIX guidelines but some CAs do it and some software

+# requires this to avoid interpreting an end user certificate as a CA.

+

+basicConstraints=CA:FALSE

+

+# Here are some examples of the usage of nsCertType. If it is omitted

+# the certificate can be used for anything *except* object signing.

+

+# This is OK for an SSL server.

+# nsCertType			= server

+

+# For an object signing certificate this would be used.

+# nsCertType = objsign

+

+# For normal client use this is typical

+# nsCertType = client, email

+

+# and for everything including object signing:

+# nsCertType = client, email, objsign

+

+# This is typical in keyUsage for a client certificate.

+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+

+# This will be displayed in Netscape's comment listbox.

+nsComment			= "OpenSSL Generated Certificate"

+

+# PKIX recommendations harmless if included in all certificates.

+subjectKeyIdentifier=hash

+authorityKeyIdentifier=keyid,issuer:always

+

+# This stuff is for subjectAltName and issuerAltname.

+# Import the email address.

+# subjectAltName=email:copy

+

+# Copy subject details

+# issuerAltName=issuer:copy

+

+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem

+#nsBaseUrl

+#nsRevocationUrl

+#nsRenewalUrl

+#nsCaPolicyUrl

+#nsSslServerName

+

+[ server ]

+

+# JY ADDED -- Make a cert with nsCertType set to "server"

+basicConstraints=CA:FALSE

+nsCertType			= server

+nsComment			= "OpenSSL Generated Server Certificate"

+subjectKeyIdentifier=hash

+authorityKeyIdentifier=keyid,issuer:always

+

+[ v3_req ]

+

+# Extensions to add to a certificate request

+

+basicConstraints = CA:FALSE

+keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+

+[ v3_ca ]

+

+

+# Extensions for a typical CA

+

+

+# PKIX recommendation.

+

+subjectKeyIdentifier=hash

+

+authorityKeyIdentifier=keyid:always,issuer:always

+

+# This is what PKIX recommends but some broken software chokes on critical

+# extensions.

+#basicConstraints = critical,CA:true

+# So we do this instead.

+basicConstraints = CA:true

+

+# Key usage: this is typical for a CA certificate. However since it will

+# prevent it being used as an test self-signed certificate it is best

+# left out by default.

+# keyUsage = cRLSign, keyCertSign

+

+# Some might want this also

+# nsCertType = sslCA, emailCA

+

+# Include email address in subject alt name: another PKIX recommendation

+# subjectAltName=email:copy

+# Copy issuer details

+# issuerAltName=issuer:copy

+

+# DER hex encoding of an extension: beware experts only!

+# obj=DER:02:03

+# Where 'obj' is a standard or added object

+# You can even override a supported extension:

+# basicConstraints= critical, DER:30:03:01:01:FF

+

+[ crl_ext ]

+

+# CRL extensions.

+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

+

+# issuerAltName=issuer:copy

+authorityKeyIdentifier=keyid:always,issuer:always

new file mode 100755

@@ -0,0 +1,233 @@

+#!/bin/sh

+

+#  OpenVPN -- An application to securely tunnel IP networks

+#             over a single TCP/UDP port, with support for SSL/TLS-based

+#             session authentication and key exchange,

+#             packet encryption, packet authentication, and

+#             packet compression.

+#

+#  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

+#

+#  This program is free software; you can redistribute it and/or modify

+#  it under the terms of the GNU General Public License version 2

+#  as published by the Free Software Foundation.

+#

+#  This program is distributed in the hope that it will be useful,

+#  but WITHOUT ANY WARRANTY; without even the implied warranty of

+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+#  GNU General Public License for more details.

+#

+#  You should have received a copy of the GNU General Public License

+#  along with this program (see the file COPYING included with this

+#  distribution); if not, write to the Free Software Foundation, Inc.,

+#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+

+# pkitool is a front-end for the openssl tool.

+

+# Calling scripts can set the certificate organizational 

+# unit with the KEY_OU environmental variable. 

+

+PROGNAME=pkitool

+VERSION=2.0

+DEBUG=0

+

+GREP=grep

+OPENSSL=openssl

+

+need_vars()

+{

+    echo '  Please edit the vars script to reflect your configuration,'

+    echo '  then source it with "source ./vars".'

+    echo '  Next, to start with a fresh PKI configuration and to delete any'

+    echo '  previous certificates and keys, run "./clean-all".'

+    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."

+}

+

+usage()

+{

+    echo "$PROGNAME $VERSION"

+    echo "Usage: $PROGNAME [options...] [common-name]"

+    echo "Options:"

+    echo "  --batch    : batch mode (default)"

+    echo "  --interact : interactive mode"

+    echo "  --server   : build server cert"

+    echo "  --initca   : build root CA"

+    echo "  --inter    : build intermediate CA"

+    echo "  --pass     : encrypt private key with password"

+    echo "  --csr      : only generate a CSR, do not sign"

+    echo "  --sign     : sign an existing CSR"

+    echo "  --pkcs12   : generate a combined pkcs12 file"

+    echo "Notes:"

+    need_vars

+    echo "Generated files and corresponding OpenVPN directives:"

+    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'

+    echo "  ca.crt     -> root certificate (--ca)"

+    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"

+    echo "  .crt files -> client/server certificates (--cert)"

+    echo "  .key files -> private keys, keep secure (--key)"

+    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"

+    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"

+    echo "Examples:"

+    echo "  $PROGNAME --initca          -> Build root certificate"

+    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"

+    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"

+    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"

+    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"

+    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS #12 format"

+    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"

+    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"

+    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"

+    echo "                               Also see ./inherit-inter script."

+    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."

+    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"

+    echo "  [edit vars with your site-specific info]"

+    echo "  source ./vars"

+    echo "  ./clean-all"

+    echo "  ./build-dh     -> takes a long time, consider backgrounding"

+    echo "  ./$PROGNAME --initca"

+    echo "  ./$PROGNAME --server myserver"

+    echo "  ./$PROGNAME client1"

+    echo "  ./$PROGNAME --pass client2"

+    echo "Typical usage for adding client cert to existing PKI:"

+    echo "  source ./vars"

+    echo "  ./$PROGNAME client-new"

+}

+

+# Set defaults

+DO_REQ="1"

+REQ_EXT=""

+DO_CA="1"

+CA_EXT=""

+DO_P12="0"

+DO_ROOT="0"

+NODES_REQ="-nodes"

+NODES_P12=""

+BATCH="-batch"

+CA="ca"

+

+# Process options

+while [ $# -gt 0 ]; do

+    case "$1" in

+	--server   ) REQ_EXT="$REQ_EXT -extensions server"

+	             CA_EXT="$CA_EXT -extensions server" ;;

+	--batch    ) BATCH="-batch" ;;

+	--interact ) BATCH="" ;;

+        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;

+        --initca   ) DO_ROOT="1" ;;

+	--pass     ) NODES_REQ="" ;;

+        --csr      ) DO_CA="0" ;;

+        --sign     ) DO_REQ="0" ;;

+        --pkcs12   ) DO_P12="1" ;;

+	--*        ) echo "$PROGNAME: unknown option: $1"

+	             exit 1 ;;

+	*          ) break ;;

+    esac

+    shift   

+done

+

+# If we are generating pkcs12, only encrypt the final step

+if [ $DO_P12 -eq 1 ]; then

+    NODES_P12="$NODES_REQ"

+    NODES_REQ="-nodes"

+fi

+

+# If undefined, set default key expiration intervals

+if [ -z "$KEY_EXPIRE" ]; then

+    KEY_EXPIRE=3650

+fi

+if [ -z "$CA_EXPIRE" ]; then

+    CA_EXPIRE=3650

+fi

+

+# Set organizational unit to empty string if undefined

+if [ -z "$KEY_OU" ]; then

+    KEY_OU=""

+fi

+

+# Set KEY_CN

+if [ $DO_ROOT -eq 1 ]; then

+    if [ -z "$KEY_CN" ]; then

+	if [ "$1" ]; then

+	    KEY_CN="$1"

+	elif [ "$KEY_ORG" ]; then

+	    KEY_CN="$KEY_ORG CA"

+	fi

+    fi

+    if [ $BATCH ] && [ "$KEY_CN" ]; then

+	echo "Using CA Common Name:" $KEY_CN

+    fi

+elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then

+    echo "Using Common Name:" $KEY_CN

+else

+    if [ $# -ne 1 ]; then

+	usage

+	exit 1

+    else

+	KEY_CN="$1"

+    fi

+fi

+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN

+

+# Show parameters (debugging)

+if [ $DEBUG -eq 1 ]; then

+    echo DO_REQ $DO_REQ

+    echo REQ_EXT $REQ_EXT

+    echo DO_CA $DO_CA

+    echo CA_EXT $CA_EXT

+    echo NODES_REQ $NODES_REQ

+    echo NODES_P12 $NODES_P12

+    echo DO_P12 $DO_P12

+    echo KEY_CN $KEY_CN

+    echo BATCH $BATCH

+    echo DO_ROOT $DO_ROOT

+    echo KEY_EXPIRE $KEY_EXPIRE

+    echo CA_EXPIRE $CA_EXPIRE

+    echo KEY_OU $KEY_OU

+fi

+

+# Make sure ./vars was sourced beforehand

+if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then

+    cd "$KEY_DIR"

+

+    # Make sure $KEY_CONFIG points to the correct version

+    # of openssl.cnf

+    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then

+	:

+    else

+	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"

+        echo "version of openssl.cnf: $KEY_CONFIG"

+	echo "The correct version should have a comment that says: easy-rsa version 2.x";

+	exit 1;

+    fi

+

+    # Build root CA

+    if [ $DO_ROOT -eq 1 ]; then

+	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \

+	    -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \

+	    chmod 0600 "$CA.key"

+    else        

+        # Make sure CA key/cert is available

+	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then

+	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then

+		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"

+		echo "Try $PROGNAME --initca to build a root certificate/key."

+		exit 1

+	    fi

+	fi

+

+        # Build cert/key

+	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \

+	        -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \

+	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \

+	        -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \

+	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \

+	        -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \

+	    ( [ $DO_CA -eq 0 ]  || chmod 0600 "$KEY_CN.key" ) && \

+	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )

+

+    fi

+

+# Need definitions

+else

+    need_vars

+fi

new file mode 100755

@@ -0,0 +1,39 @@

+#!/bin/bash

+

+# revoke a certificate, regenerate CRL,

+# and verify revocation

+

+CRL="crl.pem"

+RT="revoke-test.pem"

+

+if [ $# -ne 1 ]; then

+    echo "usage: revoke-full <common-name>";

+    exit 1

+fi

+

+if [ "$KEY_DIR" ]; then

+    cd "$KEY_DIR"

+    rm -f "$RT"

+