diff options
Diffstat (limited to 'easy-rsa/Windows')
-rw-r--r-- | easy-rsa/Windows/README.txt | 44 | ||||
-rw-r--r-- | easy-rsa/Windows/build-ca-pass.bat | 8 | ||||
-rw-r--r-- | easy-rsa/Windows/build-ca.bat | 4 | ||||
-rw-r--r-- | easy-rsa/Windows/build-dh.bat | 4 | ||||
-rw-r--r-- | easy-rsa/Windows/build-key-pass.bat | 8 | ||||
-rw-r--r-- | easy-rsa/Windows/build-key-pkcs12.bat | 10 | ||||
-rw-r--r-- | easy-rsa/Windows/build-key-server-pass.bat | 8 | ||||
-rw-r--r-- | easy-rsa/Windows/build-key-server.bat | 8 | ||||
-rw-r--r-- | easy-rsa/Windows/build-key.bat | 8 | ||||
-rw-r--r-- | easy-rsa/Windows/clean-all.bat | 13 | ||||
-rw-r--r-- | easy-rsa/Windows/index.txt.start | 0 | ||||
-rwxr-xr-x | easy-rsa/Windows/init-config.bat | 1 | ||||
-rw-r--r-- | easy-rsa/Windows/revoke-full.bat | 13 | ||||
-rw-r--r-- | easy-rsa/Windows/serial.start | 1 | ||||
-rw-r--r-- | easy-rsa/Windows/vars.bat.sample | 40 |
15 files changed, 170 insertions, 0 deletions
diff --git a/easy-rsa/Windows/README.txt b/easy-rsa/Windows/README.txt new file mode 100644 index 0000000..2ede7b1 --- /dev/null +++ b/easy-rsa/Windows/README.txt @@ -0,0 +1,44 @@ +Extract all zip'd files to the OpenVPN home directory, +including the openssl.cnf file from the top-level +"easy-rsa" directory. + +First run init-config.bat + +Next, edit vars.bat to adapt it to your environment, and +create the directory that will hold your key files. + +To generate TLS keys: + +Create new empty index and serial files (once only) +1. vars +2. clean-all + +Build a CA key (once only) +1. vars +2. build-ca + +Build a DH file (for server side, once only) +1. vars +2. build-dh + +Build a private key/certficate for the openvpn server +1. vars +2. build-key-server <machine-name> + +Build key files in PEM format (for each client machine) +1. vars +2. build-key <machine-name> + (use <machine name> for specific name within script) + +or + +Build key files in PKCS #12 format (for each client machine) +1. vars +2. build-key-pkcs12 <machine-name> + (use <machine name> for specific name within script) + +To revoke a TLS certificate and generate a CRL file: +1. vars +2. revoke-full <machine-name> +3. verify last line of output confirms revokation +4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>" diff --git a/easy-rsa/Windows/build-ca-pass.bat b/easy-rsa/Windows/build-ca-pass.bat new file mode 100644 index 0000000..ab0b2a4 --- /dev/null +++ b/easy-rsa/Windows/build-ca-pass.bat @@ -0,0 +1,8 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/build-ca.bat b/easy-rsa/Windows/build-ca.bat new file mode 100644 index 0000000..a3f234b --- /dev/null +++ b/easy-rsa/Windows/build-ca.bat @@ -0,0 +1,4 @@ +@echo off +cd %HOME% +rem build a cert authority valid for ten years, starting now +openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG% diff --git a/easy-rsa/Windows/build-dh.bat b/easy-rsa/Windows/build-dh.bat new file mode 100644 index 0000000..74bc603 --- /dev/null +++ b/easy-rsa/Windows/build-dh.bat @@ -0,0 +1,4 @@ +@echo off +cd %HOME% +rem build a dh file for the server side +openssl dhparam -out %KEY_DIR%/dh%KEY_SIZE%.pem %KEY_SIZE% diff --git a/easy-rsa/Windows/build-key-pass.bat b/easy-rsa/Windows/build-key-pass.bat new file mode 100644 index 0000000..ab0b2a4 --- /dev/null +++ b/easy-rsa/Windows/build-key-pass.bat @@ -0,0 +1,8 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/build-key-pkcs12.bat b/easy-rsa/Windows/build-key-pkcs12.bat new file mode 100644 index 0000000..1fc083e --- /dev/null +++ b/easy-rsa/Windows/build-key-pkcs12.bat @@ -0,0 +1,10 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem convert the key/cert and embed the ca cert into a pkcs12 file. +openssl pkcs12 -export -inkey %KEY_DIR%\%1.key -in %KEY_DIR%\%1.crt -certfile %KEY_DIR%\ca.crt -out %KEY_DIR%\%1.p12 +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/build-key-server-pass.bat b/easy-rsa/Windows/build-key-server-pass.bat new file mode 100644 index 0000000..99ed4d3 --- /dev/null +++ b/easy-rsa/Windows/build-key-server-pass.bat @@ -0,0 +1,8 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG% +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/build-key-server.bat b/easy-rsa/Windows/build-key-server.bat new file mode 100644 index 0000000..20e3605 --- /dev/null +++ b/easy-rsa/Windows/build-key-server.bat @@ -0,0 +1,8 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG% +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/build-key.bat b/easy-rsa/Windows/build-key.bat new file mode 100644 index 0000000..c040904 --- /dev/null +++ b/easy-rsa/Windows/build-key.bat @@ -0,0 +1,8 @@ +@echo off +cd %HOME% +rem build a request for a cert that will be valid for ten years +openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem sign the cert request with our ca, creating a cert/key pair +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG% +rem delete any .old files created in this process, to avoid future file creation errors +del /q %KEY_DIR%\*.old diff --git a/easy-rsa/Windows/clean-all.bat b/easy-rsa/Windows/clean-all.bat new file mode 100644 index 0000000..71cbf4d --- /dev/null +++ b/easy-rsa/Windows/clean-all.bat @@ -0,0 +1,13 @@ +@echo off +rem move to the HOME directory specified in VARS script +cd %HOME% +rem set a temporary KEY_DIR variable +set d=%KEY_DIR% +rem delete the KEY_DIR and any subdirs quietly +rmdir /s /q %d% +rem make a new KEY_DIR +mkdir %d% +rem copy in a fesh index file so we begin with an empty database +copy index.txt.start %d%\index.txt +rem copy in a fresh serial file so we begin generating keys at index 01 +copy serial.start %d%\serial. diff --git a/easy-rsa/Windows/index.txt.start b/easy-rsa/Windows/index.txt.start new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/easy-rsa/Windows/index.txt.start diff --git a/easy-rsa/Windows/init-config.bat b/easy-rsa/Windows/init-config.bat new file mode 100755 index 0000000..12e6d78 --- /dev/null +++ b/easy-rsa/Windows/init-config.bat @@ -0,0 +1 @@ +copy vars.bat.sample vars.bat diff --git a/easy-rsa/Windows/revoke-full.bat b/easy-rsa/Windows/revoke-full.bat new file mode 100644 index 0000000..ef2e4b5 --- /dev/null +++ b/easy-rsa/Windows/revoke-full.bat @@ -0,0 +1,13 @@ +@echo off +cd %HOME% +rem revoke cert +openssl ca -revoke %KEY_DIR%\%1.crt -config %KEY_CONFIG% +rem generate new crl +openssl ca -gencrl -out %KEY_DIR%\crl.pem -config %KEY_CONFIG% +rem test revocation +rem first concatinate ca cert with newly generated crl +copy %KEY_DIR%\ca.crt+%KEY_DIR%\crl.pem %KEY_DIR%\revoke_test_file.pem +rem now verify the revocation +openssl verify -CAfile %KEY_DIR%\revoke_test_file.pem -crl_check %KEY_DIR%\%1.crt +rem delete temporary test file +del /q %KEY_DIR%\revoke_test_file.pem diff --git a/easy-rsa/Windows/serial.start b/easy-rsa/Windows/serial.start new file mode 100644 index 0000000..8a0f05e --- /dev/null +++ b/easy-rsa/Windows/serial.start @@ -0,0 +1 @@ +01 diff --git a/easy-rsa/Windows/vars.bat.sample b/easy-rsa/Windows/vars.bat.sample new file mode 100644 index 0000000..36e6f71 --- /dev/null +++ b/easy-rsa/Windows/vars.bat.sample @@ -0,0 +1,40 @@ +@echo off +rem Edit this variable to point to +rem the openssl.cnf file included +rem with easy-rsa. + +set HOME=%ProgramFiles%\OpenVPN\easy-rsa +set KEY_CONFIG=openssl-1.0.0.cnf + +rem Edit this variable to point to +rem your soon-to-be-created key +rem directory. +rem +rem WARNING: clean-all will do +rem a rm -rf on this directory +rem so make sure you define +rem it correctly! +set KEY_DIR=keys + +rem Increase this to 2048 if you +rem are paranoid. This will slow +rem down TLS negotiation performance +rem as well as the one-time DH parms +rem generation process. +set KEY_SIZE=1024 + +rem These are the default values for fields +rem which will be placed in the certificate. +rem Change these to reflect your site. +rem Don't leave any of these parms blank. + +set KEY_COUNTRY=US +set KEY_PROVINCE=CA +set KEY_CITY=SanFrancisco +set KEY_ORG=OpenVPN +set KEY_EMAIL=mail@host.domain +set KEY_CN=changeme +set KEY_NAME=changeme +set KEY_OU=changeme +set PKCS11_MODULE_PATH=changeme +set PKCS11_PIN=1234 |