summaryrefslogtreecommitdiff
path: root/easy-rsa/1.0
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2012-11-05 16:28:09 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2012-11-05 16:28:09 +0100
commit8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (patch)
tree566d0620eb693320cb121dfd93a5675fa704a30b /easy-rsa/1.0
parent349cfa7acb95abe865209a28e417ec74b56f9bba (diff)
Imported Upstream version 2.3_rc1
Diffstat (limited to 'easy-rsa/1.0')
-rw-r--r--easy-rsa/1.0/README161
-rwxr-xr-xeasy-rsa/1.0/build-ca13
-rwxr-xr-xeasy-rsa/1.0/build-dh12
-rwxr-xr-xeasy-rsa/1.0/build-inter19
-rwxr-xr-xeasy-rsa/1.0/build-key20
-rwxr-xr-xeasy-rsa/1.0/build-key-pass20
-rwxr-xr-xeasy-rsa/1.0/build-key-pkcs1221
-rwxr-xr-xeasy-rsa/1.0/build-key-server22
-rwxr-xr-xeasy-rsa/1.0/build-req18
-rwxr-xr-xeasy-rsa/1.0/build-req-pass18
-rwxr-xr-xeasy-rsa/1.0/clean-all19
-rw-r--r--easy-rsa/1.0/list-crl18
-rw-r--r--easy-rsa/1.0/make-crl18
-rw-r--r--easy-rsa/1.0/openssl.cnf255
-rw-r--r--easy-rsa/1.0/revoke-crt18
-rwxr-xr-xeasy-rsa/1.0/revoke-full29
-rwxr-xr-xeasy-rsa/1.0/sign-req18
-rw-r--r--easy-rsa/1.0/vars49
18 files changed, 0 insertions, 748 deletions
diff --git a/easy-rsa/1.0/README b/easy-rsa/1.0/README
deleted file mode 100644
index fd424ef..0000000
--- a/easy-rsa/1.0/README
+++ /dev/null
@@ -1,161 +0,0 @@
-This is a small RSA key management package,
-based on the openssl command line tool, that
-can be found in the easy-rsa subdirectory
-of the OpenVPN distribution.
-
-These are reference notes. For step
-by step instructions, see the HOWTO:
-
-http://openvpn.net/howto.html
-
-INSTALL
-
-1. Edit vars.
-2. Set KEY_CONFIG to point to the openssl.cnf file
- included in this distribution.
-3. Set KEY_DIR to point to a directory which will
- contain all keys, certificates, etc. This
- directory need not exist, and if it does,
- it will be deleted with rm -rf, so BE
- CAREFUL how you set KEY_DIR.
-4. (Optional) Edit other fields in vars
- per your site data. You may want to
- increase KEY_SIZE to 2048 if you are
- paranoid and don't mind slower key
- processing, but certainly 1024 is
- fine for testing purposes. KEY_SIZE
- must be compatible across both peers
- participating in a secure SSL/TLS
- connection.
-5 . vars
-6. ./clean-all
-7. As you create certificates, keys, and
- certificate signing requests, understand that
- only .key files should be kept confidential.
- .crt and .csr files can be sent over insecure
- channels such as plaintext email.
-8. You should never need to copy a .key file
- between computers. Normally each computer
- will have its own certificate/key pair.
-
-BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
-
-1. ./build-ca
-2. ca.crt and ca.key will be built in your KEY_DIR
- directory
-
-BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
-
-1. ./build-inter inter
-2. inter.crt and inter.key will be built in your KEY_DIR
- directory and signed with your root certificate.
-
-BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
-the server end of a SSL/TLS connection).
-
-1. ./build-dh
-
-BUILD A CERTIFICATE SIGNING REQUEST (If
-you want to sign your certificate with a root
-certificate controlled by another individual
-or organization, or residing on a different machine).
-
-1. Get ca.crt (the root certificate) from your
- certificate authority. Though this
- transfer can be over an insecure channel, to prevent
- man-in-the-middle attacks you must confirm that
- ca.crt was not tampered with. Large CAs solve this
- problem by hardwiring their root certificates into
- popular web browsers. A simple way to verify a root
- CA is to call the issuer on the telephone and confirm
- that the md5sum or sha1sum signatures on the ca.crt
- files match (such as with the command: "md5sum ca.crt").
-2. Choose a name for your certificate such as your computer
- name. In our example we will use "mycert".
-3. ./build-req mycert
-4. You can ignore most of the fields, but set
- "Common Name" to something unique such as your
- computer's host name. Leave all password
- fields blank, unless you want your private key
- to be protected by password. Using a password
- is not required -- it will make your key more secure
- but also more inconvenient to use, because you will
- need to supply your password anytime the key is used.
- NOTE: if you are using a password, use ./build-req-pass
- instead of ./build-req
-5. Your key will be written to $KEY_DIR/mycert.key
-6. Your certificate signing request will be written to
- to $KEY_DIR/mycert.csr
-7. Email mycert.csr to the individual or organization
- which controls the root certificate. This can be
- done over an insecure channel.
-8. After the .csr file is signed by the root certificate
- authority, you will receive a file mycert.crt
- (your certificate). Place mycert.crt in your
- KEY_DIR directory.
-9. The combined files of mycert.crt, mycert.key,
- and ca.crt can now be used to secure one end of
- an SSL/TLS connection.
-
-SIGN A CERTIFICATE SIGNING REQUEST
-
-1. ./sign-req mycert
-2. mycert.crt will be built in your KEY_DIR
- directory using mycert.csr and your root CA
- file as input.
-
-BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
-USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
-script generates and signs a certificate in one step,
-but it requires that the generated certificate and private
-key files be copied to the destination host over a
-secure channel.
-
-1. ./build-key mycert (no password protection)
-2. OR ./build-key-pass mycert (with password protection)
-3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
-4. OR ./build-key-server mycert (with nsCertType=server)
-5. mycert.crt and mycert.key will be built in your
- KEY_DIR directory, and mycert.crt will be signed
- by your root CA. If ./build-key-pkcs12 was used a
- mycert.p12 file will also be created including the
- private key, certificate and the ca certificate.
-
-IMPORTANT
-
-To avoid a possible Man-in-the-Middle attack where an authorized
-client tries to connect to another client by impersonating the
-server, make sure to enforce some kind of server certificate
-verification by clients. There are currently four different ways
-of accomplishing this, listed in the order of preference:
-
-(1) Build your server certificates with the build-key-server
- script. This will designate the certificate as a
- server-only certificate by setting nsCertType=server.
- Now add the following line to your client configuration:
-
- ns-cert-type server
-
- This will block clients from connecting to any
- server which lacks the nsCertType=server designation
- in its certificate, even if the certificate has been
- signed by the CA which is cited in the OpenVPN configuration
- file (--ca directive).
-
-(2) Use the --tls-remote directive on the client to
- accept/reject the server connection based on the common
- name of the server certificate.
-
-(3) Use a --tls-verify script or plugin to accept/reject the
- server connection based on a custom test of the server
- certificate's embedded X509 subject details.
-
-(4) Sign server certificates with one CA and client certificates
- with a different CA. The client config "ca" directive should
- reference the server-signing CA while the server config "ca"
- directive should reference the client-signing CA.
-
-NOTES
-
-Show certificate fields:
- openssl x509 -in cert.crt -text
diff --git a/easy-rsa/1.0/build-ca b/easy-rsa/1.0/build-ca
deleted file mode 100755
index 5ad59cc..0000000
--- a/easy-rsa/1.0/build-ca
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-#
-# Build a root certificate
-#
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
- chmod 0600 ca.key
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/build-dh b/easy-rsa/1.0/build-dh
deleted file mode 100755
index 6de4baf..0000000
--- a/easy-rsa/1.0/build-dh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-#
-# Build Diffie-Hellman parameters for the server side
-# of an SSL/TLS connection.
-#
-
-if test $KEY_DIR; then
- openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/build-inter b/easy-rsa/1.0/build-inter
deleted file mode 100755
index 8b3a6b2..0000000
--- a/easy-rsa/1.0/build-inter
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-#
-# Make an intermediate CA certificate/private key pair using a locally generated
-# root certificate.
-#
-
-if test $# -ne 1; then
- echo "usage: build-inter <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
- openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/build-key b/easy-rsa/1.0/build-key
deleted file mode 100755
index 3159d2b..0000000
--- a/easy-rsa/1.0/build-key
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-#
-# Make a certificate/private key pair using a locally generated
-# root certificate.
-#
-
-if test $# -ne 1; then
- echo "usage: build-key <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
- chmod 0600 $1.key
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/build-key-pass b/easy-rsa/1.0/build-key-pass
deleted file mode 100755
index 03ab304..0000000
--- a/easy-rsa/1.0/build-key-pass
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-#
-# Similar to build-key, but protect the private key
-# with a password.
-#
-
-if test $# -ne 1; then
- echo "usage: build-key-pass <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
- chmod 0600 $1.key
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/build-key-pkcs12 b/easy-rsa/1.0/build-key-pkcs12
deleted file mode 100755
index f8a057b..0000000
--- a/easy-rsa/1.0/build-key-pkcs12
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-
-#
-# Make a certificate/private key pair using a locally generated
-# root certificate and convert it to a PKCS #12 file including the
-# the CA certificate as well.
-
-if test $# -ne 1; then
- echo "usage: build-key-pkcs12 <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
- openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
- chmod 0600 $1.key $1.p12
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/build-key-server b/easy-rsa/1.0/build-key-server
deleted file mode 100755
index 30dc41e..0000000
--- a/easy-rsa/1.0/build-key-server
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-
-#
-# Make a certificate/private key pair using a locally generated
-# root certificate.
-#
-# Explicitly set nsCertType to server using the "server"
-# extension in the openssl.cnf file.
-
-if test $# -ne 1; then
- echo "usage: build-key-server <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
- chmod 0600 $1.key
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/build-req b/easy-rsa/1.0/build-req
deleted file mode 100755
index 30f62f5..0000000
--- a/easy-rsa/1.0/build-req
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-#
-# Build a certificate signing request and private key. Use this
-# when your root certificate and key is not available locally.
-#
-
-if test $# -ne 1; then
- echo "usage: build-req <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/build-req-pass b/easy-rsa/1.0/build-req-pass
deleted file mode 100755
index 829b286..0000000
--- a/easy-rsa/1.0/build-req-pass
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-#
-# Like build-req, but protect your private key
-# with a password.
-#
-
-if test $# -ne 1; then
- echo "usage: build-req-pass <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/clean-all b/easy-rsa/1.0/clean-all
deleted file mode 100755
index d10aef5..0000000
--- a/easy-rsa/1.0/clean-all
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-#
-# Initialize the $KEY_DIR directory.
-# Note that this script does a
-# rm -rf on $KEY_DIR so be careful!
-#
-
-d=$KEY_DIR
-
-if test $d; then
- rm -rf $d
- mkdir $d && \
- chmod go-rwx $d && \
- touch $d/index.txt && \
- echo 01 >$d/serial
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/list-crl b/easy-rsa/1.0/list-crl
deleted file mode 100644
index b214dbd..0000000
--- a/easy-rsa/1.0/list-crl
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-#
-# list revoked certificates
-#
-#
-
-if test $# -ne 1; then
- echo "usage: list-crl <crlfile.pem>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl crl -text -noout -in $1
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/make-crl b/easy-rsa/1.0/make-crl
deleted file mode 100644
index 62fe6c1..0000000
--- a/easy-rsa/1.0/make-crl
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-#
-# generate a CRL
-#
-#
-
-if test $# -ne 1; then
- echo "usage: make-crl <crlfile.pem>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl ca -gencrl -out $1 -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/openssl.cnf b/easy-rsa/1.0/openssl.cnf
deleted file mode 100644
index 270b069..0000000
--- a/easy-rsa/1.0/openssl.cnf
+++ /dev/null
@@ -1,255 +0,0 @@
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-
-# Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca' and 'req'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = $ENV::KEY_DIR # Where everything is kept
-certs = $dir # Where the issued certs are kept
-crl_dir = $dir # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir # default place for new certs.
-
-certificate = $dir/ca.crt # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key # The private key
-RANDFILE = $dir/.rand # private random number file
-
-x509_extensions = usr_cert # The extentions to add to the cert
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 3650 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = $ENV::KEY_SIZE
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = $ENV::KEY_COUNTRY
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = $ENV::KEY_PROVINCE
-
-localityName = Locality Name (eg, city)
-localityName_default = $ENV::KEY_CITY
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = $ENV::KEY_ORG
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = $ENV::KEY_EMAIL
-emailAddress_max = 40
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 4
-challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ server ]
-
-# JY ADDED -- Make a cert with nsCertType set to "server"
-basicConstraints=CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/easy-rsa/1.0/revoke-crt b/easy-rsa/1.0/revoke-crt
deleted file mode 100644
index 35b071a..0000000
--- a/easy-rsa/1.0/revoke-crt
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-#
-# revoke a certificate
-#
-#
-
-if test $# -ne 1; then
- echo "usage: revoke-crt <file.crt>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl ca -revoke $1 -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/revoke-full b/easy-rsa/1.0/revoke-full
deleted file mode 100755
index 66ea03f..0000000
--- a/easy-rsa/1.0/revoke-full
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-
-# revoke a certificate, regenerate CRL,
-# and verify revocation
-
-CRL=crl.pem
-RT=revoke-test.pem
-
-if test $# -ne 1; then
- echo "usage: revoke-full <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR
- rm -f $RT
-
- # revoke key and generate a new CRL
- openssl ca -revoke $1.crt -config $KEY_CONFIG
-
- # generate a new CRL
- openssl ca -gencrl -out $CRL -config $KEY_CONFIG
- cat ca.crt $CRL >$RT
-
- # verify the revocation
- openssl verify -CAfile $RT -crl_check $1.crt
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/sign-req b/easy-rsa/1.0/sign-req
deleted file mode 100755
index 59edc42..0000000
--- a/easy-rsa/1.0/sign-req
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-#
-# Sign a certificate signing request (a .csr file)
-# with a local root certificate and key.
-#
-
-if test $# -ne 1; then
- echo "usage: sign-req <name>";
- exit 1
-fi
-
-if test $KEY_DIR; then
- cd $KEY_DIR && \
- openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
-else
- echo you must define KEY_DIR
-fi
diff --git a/easy-rsa/1.0/vars b/easy-rsa/1.0/vars
deleted file mode 100644
index da89cd2..0000000
--- a/easy-rsa/1.0/vars
+++ /dev/null
@@ -1,49 +0,0 @@
-# easy-rsa parameter settings
-
-# NOTE: If you installed from an RPM,
-# don't edit this file in place in
-# /usr/share/openvpn/easy-rsa --
-# instead, you should copy the whole
-# easy-rsa directory to another location
-# (such as /etc/openvpn) so that your
-# edits will not be wiped out by a future
-# OpenVPN package upgrade.
-
-# This variable should point to
-# the top level of the easy-rsa
-# tree.
-export D=`pwd`
-
-# This variable should point to
-# the openssl.cnf file included
-# with easy-rsa.
-export KEY_CONFIG=$D/openssl.cnf
-
-# Edit this variable to point to
-# your soon-to-be-created key
-# directory.
-#
-# WARNING: clean-all will do
-# a rm -rf on this directory
-# so make sure you define
-# it correctly!
-export KEY_DIR=$D/keys
-
-# Issue rm -rf warning
-echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
-# Increase this to 2048 if you
-# are paranoid. This will slow
-# down TLS negotiation performance
-# as well as the one-time DH parms
-# generation process.
-export KEY_SIZE=1024
-
-# These are the default values for fields
-# which will be placed in the certificate.
-# Don't leave any of these fields blank.
-export KEY_COUNTRY=KG
-export KEY_PROVINCE=NA
-export KEY_CITY=BISHKEK
-export KEY_ORG="OpenVPN-TEST"
-export KEY_EMAIL="me@myhost.mydomain"