15 files changed, 170 insertions, 0 deletions

diff --git a/easy-rsa/Windows/README.txt b/easy-rsa/Windows/README.txt
new file mode 100644
index 0000000..2ede7b1
--- /dev/null
+++ b/easy-rsa/Windows/README.txt
@@ -0,0 +1,44 @@
+Extract all zip'd files to the OpenVPN home directory,
+including the openssl.cnf file from the top-level
+"easy-rsa" directory.
+
+First run init-config.bat
+
+Next, edit vars.bat to adapt it to your environment, and
+create the directory that will hold your key files.
+
+To generate TLS keys:
+
+Create new empty index and serial files (once only)
+1. vars
+2. clean-all
+
+Build a CA key (once only)
+1. vars
+2. build-ca
+
+Build a DH file (for server side, once only)
+1. vars
+2. build-dh
+
+Build a private key/certficate for the openvpn server
+1. vars
+2. build-key-server <machine-name>
+
+Build key files in PEM format (for each client machine)
+1. vars
+2. build-key <machine-name>
+   (use <machine name> for specific name within script)
+
+or
+
+Build key files in PKCS #12 format (for each client machine)
+1. vars
+2. build-key-pkcs12 <machine-name>
+   (use <machine name> for specific name within script)
+
+To revoke a TLS certificate and generate a CRL file:
+1. vars
+2. revoke-full <machine-name>
+3. verify last line of output confirms revokation
+4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>"
diff --git a/easy-rsa/Windows/build-ca-pass.bat b/easy-rsa/Windows/build-ca-pass.bat
new file mode 100644
index 0000000..ab0b2a4
--- /dev/null
+++ b/easy-rsa/Windows/build-ca-pass.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-ca.bat b/easy-rsa/Windows/build-ca.bat
new file mode 100644
index 0000000..a3f234b
--- /dev/null
+++ b/easy-rsa/Windows/build-ca.bat
@@ -0,0 +1,4 @@
+@echo off
+cd %HOME%
+rem build a cert authority valid for ten years, starting now
+openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG%
diff --git a/easy-rsa/Windows/build-dh.bat b/easy-rsa/Windows/build-dh.bat
new file mode 100644
index 0000000..74bc603
--- /dev/null
+++ b/easy-rsa/Windows/build-dh.bat
@@ -0,0 +1,4 @@
+@echo off
+cd %HOME%
+rem build a dh file for the server side
+openssl dhparam -out %KEY_DIR%/dh%KEY_SIZE%.pem %KEY_SIZE%
diff --git a/easy-rsa/Windows/build-key-pass.bat b/easy-rsa/Windows/build-key-pass.bat
new file mode 100644
index 0000000..ab0b2a4
--- /dev/null
+++ b/easy-rsa/Windows/build-key-pass.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-key-pkcs12.bat b/easy-rsa/Windows/build-key-pkcs12.bat
new file mode 100644
index 0000000..1fc083e
--- /dev/null
+++ b/easy-rsa/Windows/build-key-pkcs12.bat
@@ -0,0 +1,10 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem convert the key/cert and embed the ca cert into a pkcs12 file.
+openssl pkcs12 -export -inkey %KEY_DIR%\%1.key -in %KEY_DIR%\%1.crt -certfile %KEY_DIR%\ca.crt -out %KEY_DIR%\%1.p12
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-key-server-pass.bat b/easy-rsa/Windows/build-key-server-pass.bat
new file mode 100644
index 0000000..99ed4d3
--- /dev/null
+++ b/easy-rsa/Windows/build-key-server-pass.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-key-server.bat b/easy-rsa/Windows/build-key-server.bat
new file mode 100644
index 0000000..20e3605
--- /dev/null
+++ b/easy-rsa/Windows/build-key-server.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-key.bat b/easy-rsa/Windows/build-key.bat
new file mode 100644
index 0000000..c040904
--- /dev/null
+++ b/easy-rsa/Windows/build-key.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/clean-all.bat b/easy-rsa/Windows/clean-all.bat
new file mode 100644
index 0000000..71cbf4d
--- /dev/null
+++ b/easy-rsa/Windows/clean-all.bat
@@ -0,0 +1,13 @@
+@echo off
+rem move to the HOME directory specified in VARS script
+cd %HOME%
+rem set a temporary KEY_DIR variable
+set d=%KEY_DIR%
+rem delete the KEY_DIR and any subdirs quietly
+rmdir /s /q %d%
+rem make a new KEY_DIR
+mkdir %d%
+rem copy in a fesh index file so we begin with an empty database
+copy index.txt.start %d%\index.txt
+rem copy in a fresh serial file so we begin generating keys at index 01
+copy serial.start %d%\serial.
diff --git a/easy-rsa/Windows/index.txt.start b/easy-rsa/Windows/index.txt.start
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/easy-rsa/Windows/index.txt.start
diff --git a/easy-rsa/Windows/init-config.bat b/easy-rsa/Windows/init-config.bat
new file mode 100755
index 0000000..12e6d78
--- /dev/null
+++ b/easy-rsa/Windows/init-config.bat
@@ -0,0 +1 @@
+copy vars.bat.sample vars.bat
diff --git a/easy-rsa/Windows/revoke-full.bat b/easy-rsa/Windows/revoke-full.bat
new file mode 100644
index 0000000..ef2e4b5
--- /dev/null
+++ b/easy-rsa/Windows/revoke-full.bat
@@ -0,0 +1,13 @@
+@echo off
+cd %HOME%
+rem revoke cert
+openssl ca -revoke %KEY_DIR%\%1.crt -config %KEY_CONFIG%
+rem generate new crl
+openssl ca -gencrl -out %KEY_DIR%\crl.pem -config %KEY_CONFIG%
+rem test revocation
+rem first concatinate ca cert with newly generated crl
+copy %KEY_DIR%\ca.crt+%KEY_DIR%\crl.pem %KEY_DIR%\revoke_test_file.pem
+rem now verify the revocation
+openssl verify -CAfile %KEY_DIR%\revoke_test_file.pem -crl_check %KEY_DIR%\%1.crt
+rem delete temporary test file
+del /q %KEY_DIR%\revoke_test_file.pem
diff --git a/easy-rsa/Windows/serial.start b/easy-rsa/Windows/serial.start
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/easy-rsa/Windows/serial.start
@@ -0,0 +1 @@
+01
diff --git a/easy-rsa/Windows/vars.bat.sample b/easy-rsa/Windows/vars.bat.sample
new file mode 100644
index 0000000..36e6f71
--- /dev/null
+++ b/easy-rsa/Windows/vars.bat.sample
@@ -0,0 +1,40 @@
+@echo off
+rem Edit this variable to point to
+rem the openssl.cnf file included
+rem with easy-rsa.
+
+set HOME=%ProgramFiles%\OpenVPN\easy-rsa
+set KEY_CONFIG=openssl-1.0.0.cnf
+
+rem Edit this variable to point to
+rem your soon-to-be-created key
+rem directory.
+rem
+rem WARNING: clean-all will do
+rem a rm -rf on this directory
+rem so make sure you define
+rem it correctly!
+set KEY_DIR=keys
+
+rem Increase this to 2048 if you
+rem are paranoid.  This will slow
+rem down TLS negotiation performance
+rem as well as the one-time DH parms
+rem generation process.
+set KEY_SIZE=1024
+
+rem These are the default values for fields
+rem which will be placed in the certificate.
+rem Change these to reflect your site.
+rem Don't leave any of these parms blank.
+
+set KEY_COUNTRY=US
+set KEY_PROVINCE=CA
+set KEY_CITY=SanFrancisco
+set KEY_ORG=OpenVPN
+set KEY_EMAIL=mail@host.domain
+set KEY_CN=changeme
+set KEY_NAME=changeme
+set KEY_OU=changeme
+set PKCS11_MODULE_PATH=changeme
+set PKCS11_PIN=1234