1 files changed, 229 insertions, 0 deletions

diff --git a/easy-rsa/2.0/tmp/README b/easy-rsa/2.0/tmp/README
new file mode 100644
index 0000000..6f5395c
--- /dev/null
+++ b/easy-rsa/2.0/tmp/README
@@ -0,0 +1,229 @@
+EASY-RSA Version 2.0-rc1
+
+This is a small RSA key management package, based on the openssl
+command line tool, that can be found in the easy-rsa subdirectory
+of the OpenVPN distribution.  While this tool is primary concerned
+with key management for the SSL VPN application space, it can also
+be used for building web certificates.
+
+These are reference notes.  For step-by-step instructions, see the
+HOWTO:
+
+http://openvpn.net/howto.html
+
+This package is based on the ./pkitool script.  Run ./pkitool
+without arguments for a detailed help message (which is also pasted
+below).
+
+Release Notes for easy-rsa-2.0
+
+* Most functionality has been consolidated into the pkitool
+  script. For compatibility, all previous scripts from 1.0 such
+  as build-key and build-key-server are provided as stubs
+  which call pkitool to do the real work.
+
+* pkitool has a --batch flag (enabled by default) which generates
+  keys/certs without needing any interactive input.  pkitool
+  can still generate certs/keys using interactive prompting by
+  using the --interact flag.
+
+* The inherit-inter script has been provided for creating
+  a new PKI rooted on an intermediate certificate built within a
+  higher-level PKI.  See comments in the inherit-inter script
+  for more info.
+
+* The openssl.cnf file has been modified.  pkitool will not
+  work with the openssl.cnf file included with previous
+  easy-rsa releases.
+
+* The vars file has been modified -- the following extra
+  variables have been added: EASY_RSA, CA_EXPIRE,
+  KEY_EXPIRE.
+
+* The make-crl and revoke-crt scripts have been removed and
+  are replaced by the revoke-full script.
+
+* The "Organizational Unit" X509 field can be set using
+  the KEY_OU environmental variable before calling pkitool.
+
+* This release only affects the Linux/Unix version of easy-rsa.
+  The Windows version (written to use the Windows shell) is unchanged.
+
+* Use the revoke-full script to revoke a certificate, and generate
+  (or update) the crl.pem file in the keys directory (as set by the
+  vars script).  Then use "crl-verify crl.pem" in your OpenVPN server
+  config file, so that OpenVPN can reject any connections coming from
+  clients which present a revoked certificate.  Usage for the script is:
+
+    revoke-full <common-name>
+
+  Note this this procedure is primarily designed to revoke client
+  certificates. You could theoretically use this method to revoke
+  server certificates as well, but then you would need to propagate
+  the crl.pem file to all clients as well, and have them include
+  "crl-verify crl.pem" in their configuration files.
+
+* PKCS#11 support was added.
+
+* For those interested in using this tool to generate web certificates,
+  A variant of the easy-rsa package that allows the creation of multi-domain
+  certificates with subjectAltName can be obtained from here:
+
+  http://www.bisente.com/proyectos/easy-rsa-subjectaltname/
+
+INSTALL easy-rsa
+
+1. Edit vars.
+2. Set KEY_CONFIG to point to the correct openssl-<version>.cnf
+   file included in this distribution.
+3. Set KEY_DIR to point to a directory which will
+   contain all keys, certificates, etc.  This
+   directory need not exist, and if it does,
+   it will be deleted with rm -rf, so BE
+   CAREFUL how you set KEY_DIR.
+4. (Optional) Edit other fields in vars
+   per your site data.  You may want to
+   increase KEY_SIZE to 2048 if you are
+   paranoid and don't mind slower key
+   processing, but certainly 1024 is
+   fine for testing purposes.  KEY_SIZE
+   must be compatible across both peers
+   participating in a secure SSL/TLS
+   connection.
+5. (Optional) If you intend to use PKCS#11,
+   install openssl >= 0.9.7, install the 
+   following components from www.opensc.org:
+   - opensc >= 0.10.0
+   - engine_pkcs11 >= 0.1.3
+   Update the openssl.cnf to load the engine:
+   - Uncomment pkcs11 under engine_section.
+   - Validate path at dynamic_path under pkcs11_section.
+6. . vars
+7. ./clean-all
+8. As you create certificates, keys, and
+   certificate signing requests, understand that
+   only .key files should be kept confidential.
+   .crt and .csr files can be sent over insecure
+   channels such as plaintext email.
+
+IMPORTANT
+
+To avoid a possible Man-in-the-Middle attack where an authorized
+client tries to connect to another client by impersonating the
+server, make sure to enforce some kind of server certificate
+verification by clients.  There are currently four different ways
+of accomplishing this, listed in the order of preference:
+
+(1) Build your server certificates with specific key usage and
+    extended key usage. The RFC3280 determine that the following
+    attributes should be provided for TLS connections:
+
+    Mode      Key usage	                         Extended key usage
+    ---------------------------------------------------------------------------
+    Client    digitalSignature	                 TLS Web Client Authentication
+              keyAgreement
+              digitalSignature, keyAgreement
+	      
+    Server    digitalSignature, keyEncipherment  TLS Web Server Authentication
+              digitalSignature, keyAgreement
+
+    Now add the following line to your client configuration:
+      
+    remote-cert-tls server
+
+    This will block clients from connecting to any
+    server which lacks the required extension designation
+    in its certificate, even if the certificate has been
+    signed by the CA which is cited in the OpenVPN configuration
+    file (--ca directive).
+
+(3) Use the --tls-remote directive on the client to
+    accept/reject the server connection based on the common
+    name of the server certificate.
+
+(3) Use a --tls-verify script or plugin to accept/reject the
+    server connection based on a custom test of the server
+    certificate's embedded X509 subject details.
+
+(4) Sign server certificates with one CA and client certificates
+    with a different CA.  The client config "ca" directive should
+    reference the server-signing CA while the server config "ca"
+    directive should reference the client-signing CA.
+
+NOTES
+
+Show certificate fields:
+  openssl x509 -in cert.crt -text
+
+PKITOOL documentation
+
+pkitool 2.0
+Usage: pkitool [options...] [common-name]
+Options:
+  --batch    : batch mode (default)
+  --keysize  : Set keysize
+      size   : size (default=1024)
+  --interact : interactive mode
+  --server   : build server cert
+  --initca   : build root CA
+  --inter    : build intermediate CA
+  --pass     : encrypt private key with password
+  --csr      : only generate a CSR, do not sign
+  --sign     : sign an existing CSR
+  --pkcs12   : generate a combined PKCS#12 file
+  --pkcs11   : generate certificate on PKCS#11 token
+      lib    : PKCS#11 library
+      slot   : PKCS#11 slot
+      id     : PKCS#11 object id (hex string)
+      label  : PKCS#11 object label
+Standalone options:
+  --pkcs11-slots   : list PKCS#11 slots
+      lib    : PKCS#11 library
+  --pkcs11-objects : list PKCS#11 token objects
+      lib    : PKCS#11 library
+      slot   : PKCS#11 slot
+  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!
+      lib    : PKCS#11 library
+      slot   : PKCS#11 slot
+      label  : PKCS#11 token label
+Notes:
+  Please edit the vars script to reflect your configuration,
+  then source it with "source ./vars".
+  Next, to start with a fresh PKI configuration and to delete any
+  previous certificates and keys, run "./clean-all".
+  Finally, you can run this tool (pkitool) to build certificates/keys.
+  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
+Generated files and corresponding OpenVPN directives:
+(Files will be placed in the $KEY_DIR directory, defined in ./vars)
+  ca.crt     -> root certificate (--ca)
+  ca.key     -> root key, keep secure (not directly used by OpenVPN)
+  .crt files -> client/server certificates (--cert)
+  .key files -> private keys, keep secure (--key)
+  .csr files -> certificate signing request (not directly used by OpenVPN)
+  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
+Examples:
+  pkitool --initca          -> Build root certificate
+  pkitool --initca --pass   -> Build root certificate with password-protected key
+  pkitool --server server1  -> Build "server1" certificate/key
+  pkitool client1           -> Build "client1" certificate/key
+  pkitool --pass client2    -> Build password-protected "client2" certificate/key
+  pkitool --pkcs12 client3  -> Build "client3" certificate/key in PKCS#12 format
+  pkitool --csr client4     -> Build "client4" CSR to be signed by another CA
+  pkitool --sign client4    -> Sign "client4" CSR
+  pkitool --inter interca   -> Build an intermediate key-signing certificate/key
+                               Also see ./inherit-inter script.
+  pkitool --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
+                              -> Build "client5" certificate/key in PKCS#11 token
+Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys.
+Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :
+  [edit vars with your site-specific info]
+  source ./vars
+  ./clean-all
+  ./build-dh     -> takes a long time, consider backgrounding
+  ./pkitool --initca
+  ./pkitool --server myserver
+  ./pkitool client1
+  ./pkitool --pass client2
+Typical usage for adding client cert to existing PKI:
+  source ./vars
+  ./pkitool client-new