summaryrefslogtreecommitdiff
path: root/easy-rsa/2.0/tmp
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2012-11-05 16:28:10 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2012-11-05 16:28:10 +0100
commitd213c4e5576e2fd601679e0d7b2fb1262b807111 (patch)
tree5f0cc82bd0f11fb13b385417604d04c751245a92 /easy-rsa/2.0/tmp
parent79c8d3ef7a938f86472e549ef64e1fb820dc80c4 (diff)
parent8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (diff)
Merge tag 'upstream/2.3_rc1'
Upstream version 2.3_rc1
Diffstat (limited to 'easy-rsa/2.0/tmp')
-rw-r--r--easy-rsa/2.0/tmp/README229
-rwxr-xr-xeasy-rsa/2.0/tmp/build-ca8
-rwxr-xr-xeasy-rsa/2.0/tmp/build-dh11
-rwxr-xr-xeasy-rsa/2.0/tmp/build-inter7
-rwxr-xr-xeasy-rsa/2.0/tmp/build-key7
-rwxr-xr-xeasy-rsa/2.0/tmp/build-key-pass7
-rwxr-xr-xeasy-rsa/2.0/tmp/build-key-pkcs128
-rwxr-xr-xeasy-rsa/2.0/tmp/build-key-server10
-rwxr-xr-xeasy-rsa/2.0/tmp/build-req7
-rwxr-xr-xeasy-rsa/2.0/tmp/build-req-pass7
-rwxr-xr-xeasy-rsa/2.0/tmp/clean-all16
-rw-r--r--easy-rsa/2.0/tmp/file1
-rwxr-xr-xeasy-rsa/2.0/tmp/inherit-inter39
-rwxr-xr-xeasy-rsa/2.0/tmp/list-crl13
-rw-r--r--easy-rsa/2.0/tmp/openssl-0.9.6.cnf265
-rw-r--r--easy-rsa/2.0/tmp/openssl-1.0.0.cnf285
-rwxr-xr-xeasy-rsa/2.0/tmp/pkitool379
-rwxr-xr-xeasy-rsa/2.0/tmp/revoke-full40
-rwxr-xr-xeasy-rsa/2.0/tmp/sign-req7
-rw-r--r--easy-rsa/2.0/tmp/vars74
-rwxr-xr-xeasy-rsa/2.0/tmp/whichopensslcnf23
21 files changed, 0 insertions, 1443 deletions
diff --git a/easy-rsa/2.0/tmp/README b/easy-rsa/2.0/tmp/README
deleted file mode 100644
index 6f5395c..0000000
--- a/easy-rsa/2.0/tmp/README
+++ /dev/null
@@ -1,229 +0,0 @@
-EASY-RSA Version 2.0-rc1
-
-This is a small RSA key management package, based on the openssl
-command line tool, that can be found in the easy-rsa subdirectory
-of the OpenVPN distribution. While this tool is primary concerned
-with key management for the SSL VPN application space, it can also
-be used for building web certificates.
-
-These are reference notes. For step-by-step instructions, see the
-HOWTO:
-
-http://openvpn.net/howto.html
-
-This package is based on the ./pkitool script. Run ./pkitool
-without arguments for a detailed help message (which is also pasted
-below).
-
-Release Notes for easy-rsa-2.0
-
-* Most functionality has been consolidated into the pkitool
- script. For compatibility, all previous scripts from 1.0 such
- as build-key and build-key-server are provided as stubs
- which call pkitool to do the real work.
-
-* pkitool has a --batch flag (enabled by default) which generates
- keys/certs without needing any interactive input. pkitool
- can still generate certs/keys using interactive prompting by
- using the --interact flag.
-
-* The inherit-inter script has been provided for creating
- a new PKI rooted on an intermediate certificate built within a
- higher-level PKI. See comments in the inherit-inter script
- for more info.
-
-* The openssl.cnf file has been modified. pkitool will not
- work with the openssl.cnf file included with previous
- easy-rsa releases.
-
-* The vars file has been modified -- the following extra
- variables have been added: EASY_RSA, CA_EXPIRE,
- KEY_EXPIRE.
-
-* The make-crl and revoke-crt scripts have been removed and
- are replaced by the revoke-full script.
-
-* The "Organizational Unit" X509 field can be set using
- the KEY_OU environmental variable before calling pkitool.
-
-* This release only affects the Linux/Unix version of easy-rsa.
- The Windows version (written to use the Windows shell) is unchanged.
-
-* Use the revoke-full script to revoke a certificate, and generate
- (or update) the crl.pem file in the keys directory (as set by the
- vars script). Then use "crl-verify crl.pem" in your OpenVPN server
- config file, so that OpenVPN can reject any connections coming from
- clients which present a revoked certificate. Usage for the script is:
-
- revoke-full <common-name>
-
- Note this this procedure is primarily designed to revoke client
- certificates. You could theoretically use this method to revoke
- server certificates as well, but then you would need to propagate
- the crl.pem file to all clients as well, and have them include
- "crl-verify crl.pem" in their configuration files.
-
-* PKCS#11 support was added.
-
-* For those interested in using this tool to generate web certificates,
- A variant of the easy-rsa package that allows the creation of multi-domain
- certificates with subjectAltName can be obtained from here:
-
- http://www.bisente.com/proyectos/easy-rsa-subjectaltname/
-
-INSTALL easy-rsa
-
-1. Edit vars.
-2. Set KEY_CONFIG to point to the correct openssl-<version>.cnf
- file included in this distribution.
-3. Set KEY_DIR to point to a directory which will
- contain all keys, certificates, etc. This
- directory need not exist, and if it does,
- it will be deleted with rm -rf, so BE
- CAREFUL how you set KEY_DIR.
-4. (Optional) Edit other fields in vars
- per your site data. You may want to
- increase KEY_SIZE to 2048 if you are
- paranoid and don't mind slower key
- processing, but certainly 1024 is
- fine for testing purposes. KEY_SIZE
- must be compatible across both peers
- participating in a secure SSL/TLS
- connection.
-5. (Optional) If you intend to use PKCS#11,
- install openssl >= 0.9.7, install the
- following components from www.opensc.org:
- - opensc >= 0.10.0
- - engine_pkcs11 >= 0.1.3
- Update the openssl.cnf to load the engine:
- - Uncomment pkcs11 under engine_section.
- - Validate path at dynamic_path under pkcs11_section.
-6. . vars
-7. ./clean-all
-8. As you create certificates, keys, and
- certificate signing requests, understand that
- only .key files should be kept confidential.
- .crt and .csr files can be sent over insecure
- channels such as plaintext email.
-
-IMPORTANT
-
-To avoid a possible Man-in-the-Middle attack where an authorized
-client tries to connect to another client by impersonating the
-server, make sure to enforce some kind of server certificate
-verification by clients. There are currently four different ways
-of accomplishing this, listed in the order of preference:
-
-(1) Build your server certificates with specific key usage and
- extended key usage. The RFC3280 determine that the following
- attributes should be provided for TLS connections:
-
- Mode Key usage Extended key usage
- ---------------------------------------------------------------------------
- Client digitalSignature TLS Web Client Authentication
- keyAgreement
- digitalSignature, keyAgreement
-
- Server digitalSignature, keyEncipherment TLS Web Server Authentication
- digitalSignature, keyAgreement
-
- Now add the following line to your client configuration:
-
- remote-cert-tls server
-
- This will block clients from connecting to any
- server which lacks the required extension designation
- in its certificate, even if the certificate has been
- signed by the CA which is cited in the OpenVPN configuration
- file (--ca directive).
-
-(3) Use the --tls-remote directive on the client to
- accept/reject the server connection based on the common
- name of the server certificate.
-
-(3) Use a --tls-verify script or plugin to accept/reject the
- server connection based on a custom test of the server
- certificate's embedded X509 subject details.
-
-(4) Sign server certificates with one CA and client certificates
- with a different CA. The client config "ca" directive should
- reference the server-signing CA while the server config "ca"
- directive should reference the client-signing CA.
-
-NOTES
-
-Show certificate fields:
- openssl x509 -in cert.crt -text
-
-PKITOOL documentation
-
-pkitool 2.0
-Usage: pkitool [options...] [common-name]
-Options:
- --batch : batch mode (default)
- --keysize : Set keysize
- size : size (default=1024)
- --interact : interactive mode
- --server : build server cert
- --initca : build root CA
- --inter : build intermediate CA
- --pass : encrypt private key with password
- --csr : only generate a CSR, do not sign
- --sign : sign an existing CSR
- --pkcs12 : generate a combined PKCS#12 file
- --pkcs11 : generate certificate on PKCS#11 token
- lib : PKCS#11 library
- slot : PKCS#11 slot
- id : PKCS#11 object id (hex string)
- label : PKCS#11 object label
-Standalone options:
- --pkcs11-slots : list PKCS#11 slots
- lib : PKCS#11 library
- --pkcs11-objects : list PKCS#11 token objects
- lib : PKCS#11 library
- slot : PKCS#11 slot
- --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!
- lib : PKCS#11 library
- slot : PKCS#11 slot
- label : PKCS#11 token label
-Notes:
- Please edit the vars script to reflect your configuration,
- then source it with "source ./vars".
- Next, to start with a fresh PKI configuration and to delete any
- previous certificates and keys, run "./clean-all".
- Finally, you can run this tool (pkitool) to build certificates/keys.
- In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
-Generated files and corresponding OpenVPN directives:
-(Files will be placed in the $KEY_DIR directory, defined in ./vars)
- ca.crt -> root certificate (--ca)
- ca.key -> root key, keep secure (not directly used by OpenVPN)
- .crt files -> client/server certificates (--cert)
- .key files -> private keys, keep secure (--key)
- .csr files -> certificate signing request (not directly used by OpenVPN)
- dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
-Examples:
- pkitool --initca -> Build root certificate
- pkitool --initca --pass -> Build root certificate with password-protected key
- pkitool --server server1 -> Build "server1" certificate/key
- pkitool client1 -> Build "client1" certificate/key
- pkitool --pass client2 -> Build password-protected "client2" certificate/key
- pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format
- pkitool --csr client4 -> Build "client4" CSR to be signed by another CA
- pkitool --sign client4 -> Sign "client4" CSR
- pkitool --inter interca -> Build an intermediate key-signing certificate/key
- Also see ./inherit-inter script.
- pkitool --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
- -> Build "client5" certificate/key in PKCS#11 token
-Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
-Protect client2 key with a password. Build DH parms. Generated files in ./keys :
- [edit vars with your site-specific info]
- source ./vars
- ./clean-all
- ./build-dh -> takes a long time, consider backgrounding
- ./pkitool --initca
- ./pkitool --server myserver
- ./pkitool client1
- ./pkitool --pass client2
-Typical usage for adding client cert to existing PKI:
- source ./vars
- ./pkitool client-new
diff --git a/easy-rsa/2.0/tmp/build-ca b/easy-rsa/2.0/tmp/build-ca
deleted file mode 100755
index bce29a6..0000000
--- a/easy-rsa/2.0/tmp/build-ca
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-#
-# Build a root certificate
-#
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --initca $*
diff --git a/easy-rsa/2.0/tmp/build-dh b/easy-rsa/2.0/tmp/build-dh
deleted file mode 100755
index 4beb127..0000000
--- a/easy-rsa/2.0/tmp/build-dh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# Build Diffie-Hellman parameters for the server side
-# of an SSL/TLS connection.
-
-if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
- $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
-else
- echo 'Please source the vars script first (i.e. "source ./vars")'
- echo 'Make sure you have edited it to reflect your configuration.'
-fi
diff --git a/easy-rsa/2.0/tmp/build-inter b/easy-rsa/2.0/tmp/build-inter
deleted file mode 100755
index 87bf98d..0000000
--- a/easy-rsa/2.0/tmp/build-inter
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-# Make an intermediate CA certificate/private key pair using a locally generated
-# root certificate.
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --inter $*
diff --git a/easy-rsa/2.0/tmp/build-key b/easy-rsa/2.0/tmp/build-key
deleted file mode 100755
index 6c0fed8..0000000
--- a/easy-rsa/2.0/tmp/build-key
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-# Make a certificate/private key pair using a locally generated
-# root certificate.
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact $*
diff --git a/easy-rsa/2.0/tmp/build-key-pass b/easy-rsa/2.0/tmp/build-key-pass
deleted file mode 100755
index 8ef8307..0000000
--- a/easy-rsa/2.0/tmp/build-key-pass
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-# Similar to build-key, but protect the private key
-# with a password.
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pass $*
diff --git a/easy-rsa/2.0/tmp/build-key-pkcs12 b/easy-rsa/2.0/tmp/build-key-pkcs12
deleted file mode 100755
index ba90e6a..0000000
--- a/easy-rsa/2.0/tmp/build-key-pkcs12
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-# Make a certificate/private key pair using a locally generated
-# root certificate and convert it to a PKCS #12 file including the
-# the CA certificate as well.
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pkcs12 $*
diff --git a/easy-rsa/2.0/tmp/build-key-server b/easy-rsa/2.0/tmp/build-key-server
deleted file mode 100755
index fee0194..0000000
--- a/easy-rsa/2.0/tmp/build-key-server
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-
-# Make a certificate/private key pair using a locally generated
-# root certificate.
-#
-# Explicitly set nsCertType to server using the "server"
-# extension in the openssl.cnf file.
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --server $*
diff --git a/easy-rsa/2.0/tmp/build-req b/easy-rsa/2.0/tmp/build-req
deleted file mode 100755
index 559d512..0000000
--- a/easy-rsa/2.0/tmp/build-req
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-# Build a certificate signing request and private key. Use this
-# when your root certificate and key is not available locally.
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr $*
diff --git a/easy-rsa/2.0/tmp/build-req-pass b/easy-rsa/2.0/tmp/build-req-pass
deleted file mode 100755
index b73ee1b..0000000
--- a/easy-rsa/2.0/tmp/build-req-pass
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-# Like build-req, but protect your private key
-# with a password.
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr --pass $*
diff --git a/easy-rsa/2.0/tmp/clean-all b/easy-rsa/2.0/tmp/clean-all
deleted file mode 100755
index cc6e3b2..0000000
--- a/easy-rsa/2.0/tmp/clean-all
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-# Initialize the $KEY_DIR directory.
-# Note that this script does a
-# rm -rf on $KEY_DIR so be careful!
-
-if [ "$KEY_DIR" ]; then
- rm -rf "$KEY_DIR"
- mkdir "$KEY_DIR" && \
- chmod go-rwx "$KEY_DIR" && \
- touch "$KEY_DIR/index.txt" && \
- echo 01 >"$KEY_DIR/serial"
-else
- echo 'Please source the vars script first (i.e. "source ./vars")'
- echo 'Make sure you have edited it to reflect your configuration.'
-fi
diff --git a/easy-rsa/2.0/tmp/file b/easy-rsa/2.0/tmp/file
deleted file mode 100644
index 1987bd7..0000000
--- a/easy-rsa/2.0/tmp/file
+++ /dev/null
@@ -1 +0,0 @@
-./openssl-1.0.0.cnf
diff --git a/easy-rsa/2.0/tmp/inherit-inter b/easy-rsa/2.0/tmp/inherit-inter
deleted file mode 100755
index aaa5168..0000000
--- a/easy-rsa/2.0/tmp/inherit-inter
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-# Build a new PKI which is rooted on an intermediate certificate generated
-# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
-# have independent vars settings, and must use a different KEY_DIR directory
-# from the parent. This tool can be used to generate arbitrary depth
-# certificate chains.
-#
-# To build an intermediate CA, follow the same steps for a regular PKI but
-# replace ./build-key or ./pkitool --initca with this script.
-
-# The EXPORT_CA file will contain the CA certificate chain and should be
-# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
-# will only contain the local intermediate CA -- it's needed by the easy-rsa
-# scripts but not by OpenVPN directly.
-EXPORT_CA="export-ca.crt"
-
-if [ $# -ne 2 ]; then
- echo "usage: $0 <parent-key-dir> <common-name>"
- echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
- echo "common-name: the common name of the intermediate certificate in the parent PKI"
- exit 1;
-fi
-
-if [ "$KEY_DIR" ]; then
- cp "$1/$2.crt" "$KEY_DIR/ca.crt"
- cp "$1/$2.key" "$KEY_DIR/ca.key"
-
- if [ -e "$1/$EXPORT_CA" ]; then
- PARENT_CA="$1/$EXPORT_CA"
- else
- PARENT_CA="$1/ca.crt"
- fi
- cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
- cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
-else
- echo 'Please source the vars script first (i.e. "source ./vars")'
- echo 'Make sure you have edited it to reflect your configuration.'
-fi
diff --git a/easy-rsa/2.0/tmp/list-crl b/easy-rsa/2.0/tmp/list-crl
deleted file mode 100755
index d1d8a69..0000000
--- a/easy-rsa/2.0/tmp/list-crl
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-# list revoked certificates
-
-CRL="${1:-crl.pem}"
-
-if [ "$KEY_DIR" ]; then
- cd "$KEY_DIR" && \
- $OPENSSL crl -text -noout -in "$CRL"
-else
- echo 'Please source the vars script first (i.e. "source ./vars")'
- echo 'Make sure you have edited it to reflect your configuration.'
-fi
diff --git a/easy-rsa/2.0/tmp/openssl-0.9.6.cnf b/easy-rsa/2.0/tmp/openssl-0.9.6.cnf
deleted file mode 100644
index d28341d..0000000
--- a/easy-rsa/2.0/tmp/openssl-0.9.6.cnf
+++ /dev/null
@@ -1,265 +0,0 @@
-# For use with easy-rsa version 2.0
-
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-
-# Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca' and 'req'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = $ENV::KEY_DIR # Where everything is kept
-certs = $dir # Where the issued certs are kept
-crl_dir = $dir # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir # default place for new certs.
-
-certificate = $dir/ca.crt # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key # The private key
-RANDFILE = $dir/.rand # private random number file
-
-x509_extensions = usr_cert # The extentions to add to the cert
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 3650 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_anything
-
-# For the CA policy
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = $ENV::KEY_SIZE
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = $ENV::KEY_COUNTRY
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = $ENV::KEY_PROVINCE
-
-localityName = Locality Name (eg, city)
-localityName_default = $ENV::KEY_CITY
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = $ENV::KEY_ORG
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = $ENV::KEY_EMAIL
-emailAddress_max = 40
-
-# JY -- added for batch mode
-organizationalUnitName_default = $ENV::KEY_OU
-commonName_default = $ENV::KEY_CN
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 4
-challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "Easy-RSA Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=clientAuth
-keyUsage = digitalSignature
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ server ]
-
-# JY ADDED -- Make a cert with nsCertType set to "server"
-basicConstraints=CA:FALSE
-nsCertType = server
-nsComment = "Easy-RSA Generated Server Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=serverAuth
-keyUsage = digitalSignature, keyEncipherment
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/easy-rsa/2.0/tmp/openssl-1.0.0.cnf b/easy-rsa/2.0/tmp/openssl-1.0.0.cnf
deleted file mode 100644
index da425aa..0000000
--- a/easy-rsa/2.0/tmp/openssl-1.0.0.cnf
+++ /dev/null
@@ -1,285 +0,0 @@
-# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-openssl_conf = openssl_init
-
-[ openssl_init ]
-# Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
-engines = engine_section
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca' and 'req'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = $ENV::KEY_DIR # Where everything is kept
-certs = $dir # Where the issued certs are kept
-crl_dir = $dir # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir # default place for new certs.
-
-certificate = $dir/ca.crt # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key # The private key
-RANDFILE = $dir/.rand # private random number file
-
-x509_extensions = usr_cert # The extentions to add to the cert
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 3650 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = md5 # use public key default MD
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_anything
-
-# For the CA policy
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-name = optional
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-name = optional
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = $ENV::KEY_SIZE
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
-# utf8only: only UTF8Strings (PKIX recommendation after 2004).
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = $ENV::KEY_COUNTRY
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = $ENV::KEY_PROVINCE
-
-localityName = Locality Name (eg, city)
-localityName_default = $ENV::KEY_CITY
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = $ENV::KEY_ORG
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-
-name = Name
-name_max = 64
-
-emailAddress = Email Address
-emailAddress_default = $ENV::KEY_EMAIL
-emailAddress_max = 40
-
-# JY -- added for batch mode
-organizationalUnitName_default = $ENV::KEY_OU
-commonName_default = $ENV::KEY_CN
-name_default = $ENV::KEY_NAME
-
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 4
-challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "Easy-RSA Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=clientAuth
-keyUsage = digitalSignature
-
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ server ]
-
-# JY ADDED -- Make a cert with nsCertType set to "server"
-basicConstraints=CA:FALSE
-nsCertType = server
-nsComment = "Easy-RSA Generated Server Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=serverAuth
-keyUsage = digitalSignature, keyEncipherment
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
-
-[ engine_section ]
-#
-# If you are using PKCS#11
-# Install engine_pkcs11 of opensc (www.opensc.org)
-# And uncomment the following
-# verify that dynamic_path points to the correct location
-#
-#pkcs11 = pkcs11_section
-
-[ pkcs11_section ]
-engine_id = pkcs11
-dynamic_path = /usr/lib/engines/engine_pkcs11.so
-MODULE_PATH = $ENV::PKCS11_MODULE_PATH
-PIN = $ENV::PKCS11_PIN
-init = 0
diff --git a/easy-rsa/2.0/tmp/pkitool b/easy-rsa/2.0/tmp/pkitool
deleted file mode 100755
index 49588f5..0000000
--- a/easy-rsa/2.0/tmp/pkitool
+++ /dev/null
@@ -1,379 +0,0 @@
-#!/bin/sh
-
-# OpenVPN -- An application to securely tunnel IP networks
-# over a single TCP/UDP port, with support for SSL/TLS-based
-# session authentication and key exchange,
-# packet encryption, packet authentication, and
-# packet compression.
-#
-# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program (see the file COPYING included with this
-# distribution); if not, write to the Free Software Foundation, Inc.,
-# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-# pkitool is a front-end for the openssl tool.
-
-# Calling scripts can set the certificate organizational
-# unit with the KEY_OU environmental variable.
-
-# Calling scripts can also set the KEY_NAME environmental
-# variable to set the "name" X509 subject field.
-
-PROGNAME=pkitool
-VERSION=2.0
-DEBUG=0
-
-die()
-{
- local m="$1"
-
- echo "$m" >&2
- exit 1
-}
-
-need_vars()
-{
- echo ' Please edit the vars script to reflect your configuration,'
- echo ' then source it with "source ./vars".'
- echo ' Next, to start with a fresh PKI configuration and to delete any'
- echo ' previous certificates and keys, run "./clean-all".'
- echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
-}
-
-usage()
-{
- echo "$PROGNAME $VERSION"
- echo "Usage: $PROGNAME [options...] [common-name]"
- echo "Options:"
- echo " --batch : batch mode (default)"
- echo " --keysize : Set keysize"
- echo " size : size (default=1024)"
- echo " --interact : interactive mode"
- echo " --server : build server cert"
- echo " --initca : build root CA"
- echo " --inter : build intermediate CA"
- echo " --pass : encrypt private key with password"
- echo " --csr : only generate a CSR, do not sign"
- echo " --sign : sign an existing CSR"
- echo " --pkcs12 : generate a combined PKCS#12 file"
- echo " --pkcs11 : generate certificate on PKCS#11 token"
- echo " lib : PKCS#11 library"
- echo " slot : PKCS#11 slot"
- echo " id : PKCS#11 object id (hex string)"
- echo " label : PKCS#11 object label"
- echo "Standalone options:"
- echo " --pkcs11-slots : list PKCS#11 slots"
- echo " lib : PKCS#11 library"
- echo " --pkcs11-objects : list PKCS#11 token objects"
- echo " lib : PKCS#11 library"
- echo " slot : PKCS#11 slot"
- echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
- echo " lib : PKCS#11 library"
- echo " slot : PKCS#11 slot"
- echo " label : PKCS#11 token label"
- echo "Notes:"
- need_vars
- echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
- echo "Generated files and corresponding OpenVPN directives:"
- echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
- echo " ca.crt -> root certificate (--ca)"
- echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
- echo " .crt files -> client/server certificates (--cert)"
- echo " .key files -> private keys, keep secure (--key)"
- echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
- echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
- echo "Examples:"
- echo " $PROGNAME --initca -> Build root certificate"
- echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
- echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
- echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
- echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
- echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
- echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
- echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
- echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
- echo " Also see ./inherit-inter script."
- echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
- echo " -> Build \"client5\" certificate/key in PKCS#11 token"
- echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
- echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
- echo " [edit vars with your site-specific info]"
- echo " source ./vars"
- echo " ./clean-all"
- echo " ./build-dh -> takes a long time, consider backgrounding"
- echo " ./$PROGNAME --initca"
- echo " ./$PROGNAME --server myserver"
- echo " ./$PROGNAME client1"
- echo " ./$PROGNAME --pass client2"
- echo "Typical usage for adding client cert to existing PKI:"
- echo " source ./vars"
- echo " ./$PROGNAME client-new"
-}
-
-# Set tool defaults
-[ -n "$OPENSSL" ] || export OPENSSL="openssl"
-[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
-[ -n "$GREP" ] || export GREP="grep"
-
-# Set defaults
-DO_REQ="1"
-REQ_EXT=""
-DO_CA="1"
-CA_EXT=""
-DO_P12="0"
-DO_P11="0"
-DO_ROOT="0"
-NODES_REQ="-nodes"
-NODES_P12=""
-BATCH="-batch"
-CA="ca"
-# must be set or errors of openssl.cnf
-PKCS11_MODULE_PATH="dummy"
-PKCS11_PIN="dummy"
-
-# Process options
-while [ $# -gt 0 ]; do
- case "$1" in
- --keysize ) KEY_SIZE=$2
- shift;;
- --server ) REQ_EXT="$REQ_EXT -extensions server"
- CA_EXT="$CA_EXT -extensions server" ;;
- --batch ) BATCH="-batch" ;;
- --interact ) BATCH="" ;;
- --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
- --initca ) DO_ROOT="1" ;;
- --pass ) NODES_REQ="" ;;
- --csr ) DO_CA="0" ;;
- --sign ) DO_REQ="0" ;;
- --pkcs12 ) DO_P12="1" ;;
- --pkcs11 ) DO_P11="1"
- PKCS11_MODULE_PATH="$2"
- PKCS11_SLOT="$3"
- PKCS11_ID="$4"
- PKCS11_LABEL="$5"
- shift 4;;
-
- # standalone
- --pkcs11-init)
- PKCS11_MODULE_PATH="$2"
- PKCS11_SLOT="$3"
- PKCS11_LABEL="$4"
- if [ -z "$PKCS11_LABEL" ]; then
- die "Please specify library name, slot and label"
- fi
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
- --label "$PKCS11_LABEL" &&
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
- exit $?;;
- --pkcs11-slots)
- PKCS11_MODULE_PATH="$2"
- if [ -z "$PKCS11_MODULE_PATH" ]; then
- die "Please specify library name"
- fi
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
- exit 0;;
- --pkcs11-objects)
- PKCS11_MODULE_PATH="$2"
- PKCS11_SLOT="$3"
- if [ -z "$PKCS11_SLOT" ]; then
- die "Please specify library name and slot"
- fi
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
- exit 0;;
-
- --help|--usage)
- usage
- exit ;;
- --version)
- echo "$PROGNAME $VERSION"
- exit ;;
- # errors
- --* ) die "$PROGNAME: unknown option: $1" ;;
- * ) break ;;
- esac
- shift
-done
-
-if ! [ -z "$BATCH" ]; then
- if $OPENSSL version | grep 0.9.6 > /dev/null; then
- die "Batch mode is unsupported in openssl<0.9.7"
- fi
-fi
-
-if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
- die "PKCS#11 and PKCS#12 cannot be specified together"
-fi
-
-if [ $DO_P11 -eq 1 ]; then
- if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
- die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
- fi
-fi
-
-# If we are generating pkcs12, only encrypt the final step
-if [ $DO_P12 -eq 1 ]; then
- NODES_P12="$NODES_REQ"
- NODES_REQ="-nodes"
-fi
-
-if [ $DO_P11 -eq 1 ]; then
- if [ -z "$PKCS11_LABEL" ]; then
- die "PKCS#11 arguments incomplete"
- fi
-fi
-
-# If undefined, set default key expiration intervals
-if [ -z "$KEY_EXPIRE" ]; then
- KEY_EXPIRE=3650
-fi
-if [ -z "$CA_EXPIRE" ]; then
- CA_EXPIRE=3650
-fi
-
-# Set organizational unit to empty string if undefined
-if [ -z "$KEY_OU" ]; then
- KEY_OU=""
-fi
-
-# Set X509 Name string to empty string if undefined
-if [ -z "$KEY_NAME" ]; then
- KEY_NAME=""
-fi
-
-# Set KEY_CN, FN
-if [ $DO_ROOT -eq 1 ]; then
- if [ -z "$KEY_CN" ]; then
- if [ "$1" ]; then
- KEY_CN="$1"
- elif [ "$KEY_ORG" ]; then
- KEY_CN="$KEY_ORG CA"
- fi
- fi
- if [ $BATCH ] && [ "$KEY_CN" ]; then
- echo "Using CA Common Name:" "$KEY_CN"
- fi
- FN="$KEY_CN"
-elif [ $BATCH ] && [ "$KEY_CN" ]; then
- echo "Using Common Name:" "$KEY_CN"
- FN="$KEY_CN"
- if [ "$1" ]; then
- FN="$1"
- fi
-else
- if [ $# -ne 1 ]; then
- usage
- exit 1
- else
- KEY_CN="$1"
- fi
- FN="$KEY_CN"
-fi
-
-export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
-
-# Show parameters (debugging)
-if [ $DEBUG -eq 1 ]; then
- echo DO_REQ $DO_REQ
- echo REQ_EXT $REQ_EXT
- echo DO_CA $DO_CA
- echo CA_EXT $CA_EXT
- echo NODES_REQ $NODES_REQ
- echo NODES_P12 $NODES_P12
- echo DO_P12 $DO_P12
- echo KEY_CN $KEY_CN
- echo BATCH $BATCH
- echo DO_ROOT $DO_ROOT
- echo KEY_EXPIRE $KEY_EXPIRE
- echo CA_EXPIRE $CA_EXPIRE
- echo KEY_OU $KEY_OU
- echo KEY_NAME $KEY_NAME
- echo DO_P11 $DO_P11
- echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
- echo PKCS11_SLOT $PKCS11_SLOT
- echo PKCS11_ID $PKCS11_ID
- echo PKCS11_LABEL $PKCS11_LABEL
-fi
-
-# Make sure ./vars was sourced beforehand
-if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
- cd "$KEY_DIR"
-
- # Make sure $KEY_CONFIG points to the correct version
- # of openssl.cnf
- if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
- :
- else
- echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
- echo "version of openssl.cnf: $KEY_CONFIG"
- echo "The correct version should have a comment that says: easy-rsa version 2.x";
- exit 1;
- fi
-
- # Build root CA
- if [ $DO_ROOT -eq 1 ]; then
- $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
- -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
- chmod 0600 "$CA.key"
- else
- # Make sure CA key/cert is available
- if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
- if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
- echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
- echo "Try $PROGNAME --initca to build a root certificate/key."
- exit 1
- fi
- fi
-
- # Generate key for PKCS#11 token
- PKCS11_ARGS=
- if [ $DO_P11 -eq 1 ]; then
- stty -echo
- echo -n "User PIN: "
- read -r PKCS11_PIN
- stty echo
- export PKCS11_PIN
-
- echo "Generating key pair on PKCS#11 token..."
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
- --login --pin "$PKCS11_PIN" \
- --key-type rsa:1024 \
- --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
- PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
- fi
-
- # Build cert/key
- ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
- -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
- ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
- -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
- ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
- -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
- ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
- ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
-
- # Load certificate into PKCS#11 token
- if [ $DO_P11 -eq 1 ]; then
- $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
- --login --pin "$PKCS11_PIN" \
- --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
- [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
- fi
-
- fi
-
-# Need definitions
-else
- need_vars
-fi
diff --git a/easy-rsa/2.0/tmp/revoke-full b/easy-rsa/2.0/tmp/revoke-full
deleted file mode 100755
index 4169c4c..0000000
--- a/easy-rsa/2.0/tmp/revoke-full
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-# revoke a certificate, regenerate CRL,
-# and verify revocation
-
-CRL="crl.pem"
-RT="revoke-test.pem"
-
-if [ $# -ne 1 ]; then
- echo "usage: revoke-full <cert-name-base>";
- exit 1
-fi
-
-if [ "$KEY_DIR" ]; then
- cd "$KEY_DIR"
- rm -f "$RT"
-
- # set defaults
- export KEY_CN=""
- export KEY_OU=""
- export KEY_NAME=""
-
- # revoke key and generate a new CRL
- $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
-
- # generate a new CRL -- try to be compatible with
- # intermediate PKIs
- $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
- if [ -e export-ca.crt ]; then
- cat export-ca.crt "$CRL" >"$RT"
- else
- cat ca.crt "$CRL" >"$RT"
- fi
-
- # verify the revocation
- $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
-else
- echo 'Please source the vars script first (i.e. "source ./vars")'
- echo 'Make sure you have edited it to reflect your configuration.'
-fi
diff --git a/easy-rsa/2.0/tmp/sign-req b/easy-rsa/2.0/tmp/sign-req
deleted file mode 100755
index 6cae7b4..0000000
--- a/easy-rsa/2.0/tmp/sign-req
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-# Sign a certificate signing request (a .csr file)
-# with a local root certificate and key.
-
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --sign $*
diff --git a/easy-rsa/2.0/tmp/vars b/easy-rsa/2.0/tmp/vars
deleted file mode 100644
index 2ea1ced..0000000
--- a/easy-rsa/2.0/tmp/vars
+++ /dev/null
@@ -1,74 +0,0 @@
-# easy-rsa parameter settings
-
-# NOTE: If you installed from an RPM,
-# don't edit this file in place in
-# /usr/share/openvpn/easy-rsa --
-# instead, you should copy the whole
-# easy-rsa directory to another location
-# (such as /etc/openvpn) so that your
-# edits will not be wiped out by a future
-# OpenVPN package upgrade.
-
-# This variable should point to
-# the top level of the easy-rsa
-# tree.
-export EASY_RSA="`pwd`"
-
-#
-# This variable should point to
-# the requested executables
-#
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-
-
-# This variable should point to
-# the openssl.cnf file included
-# with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
-
-# Edit this variable to point to
-# your soon-to-be-created key
-# directory.
-#
-# WARNING: clean-all will do
-# a rm -rf on this directory
-# so make sure you define
-# it correctly!
-export KEY_DIR="$EASY_RSA/keys"
-
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
-# PKCS11 fixes
-export PKCS11_MODULE_PATH="dummy"
-export PKCS11_PIN="dummy"
-
-# Increase this to 2048 if you
-# are paranoid. This will slow
-# down TLS negotiation performance
-# as well as the one-time DH parms
-# generation process.
-export KEY_SIZE=1024
-
-# In how many days should the root CA key expire?
-export CA_EXPIRE=3650
-
-# In how many days should certificates expire?
-export KEY_EXPIRE=3650
-
-# These are the default values for fields
-# which will be placed in the certificate.
-# Don't leave any of these fields blank.
-export KEY_COUNTRY="US"
-export KEY_PROVINCE="CA"
-export KEY_CITY="SanFrancisco"
-export KEY_ORG="Fort-Funston"
-export KEY_EMAIL="me@myhost.mydomain"
-export KEY_EMAIL=mail@host.domain
-export KEY_CN=changeme
-export KEY_NAME=changeme
-export KEY_OU=changeme
-export PKCS11_MODULE_PATH=changeme
-export PKCS11_PIN=1234
diff --git a/easy-rsa/2.0/tmp/whichopensslcnf b/easy-rsa/2.0/tmp/whichopensslcnf
deleted file mode 100755
index 94225cb..0000000
--- a/easy-rsa/2.0/tmp/whichopensslcnf
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-cnf="$1/openssl.cnf"
-if [ "$OPENSSL" ]; then
- if $OPENSSL version | grep 0.9.6 > /dev/null; then
- cnf="$1/openssl-0.9.6.cnf"
- elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
- cnf="$1/openssl-1.0.0.cnf"
- else
- cnf="$1/openssl.cnf"
- fi
-fi
-
-echo $cnf
-
-if [ ! -r $cnf ]; then
- echo "**************************************************************" >&2
- echo " No $cnf file could be found" >&2
- echo " Further invocations will fail" >&2
- echo "**************************************************************" >&2
-fi
-
-exit 0