diff options
author | Othmar Gsenger <otti@anytun.org> | 2008-04-12 11:24:13 +0000 |
---|---|---|
committer | Othmar Gsenger <otti@anytun.org> | 2008-04-12 11:24:13 +0000 |
commit | 572823f65b365cd27345ee59d89b115df34c5338 (patch) | |
tree | 8f9ae97b3480b5fe7f049ec040b0e8aeefab7bd9 /ssltools | |
parent | makefile fixes (diff) |
svn cleanup
Diffstat (limited to 'ssltools')
57 files changed, 0 insertions, 1738 deletions
diff --git a/ssltools/build-all.sh b/ssltools/build-all.sh deleted file mode 100755 index c052739..0000000 --- a/ssltools/build-all.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh -. ./vars -./easy-rsa/clean-all -./easy-rsa/build-ca -./easy-rsa/build-key server1 -./easy-rsa/build-key server2 -./easy-rsa/build-key server3 -./easy-rsa/build-key server4 diff --git a/ssltools/easy-rsa/.externals b/ssltools/easy-rsa/.externals deleted file mode 100644 index 3712eb8..0000000 --- a/ssltools/easy-rsa/.externals +++ /dev/null @@ -1 +0,0 @@ -./2.0 http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0 diff --git a/ssltools/easy-rsa/2.0/Makefile b/ssltools/easy-rsa/2.0/Makefile deleted file mode 100644 index 902d78f..0000000 --- a/ssltools/easy-rsa/2.0/Makefile +++ /dev/null @@ -1,13 +0,0 @@ - -DESTDIR= -PREFIX= - -all: - echo "All done." - echo "Run make install DESTDIR=/usr/share/somewhere" - -install: - install -c --directory "${DESTDIR}/${PREFIX}" - install -c --mode=0755 build-* "${DESTDIR}/${PREFIX}" - install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}" - install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}" diff --git a/ssltools/easy-rsa/2.0/README.gz b/ssltools/easy-rsa/2.0/README.gz Binary files differdeleted file mode 100644 index 116d85b..0000000 --- a/ssltools/easy-rsa/2.0/README.gz +++ /dev/null diff --git a/ssltools/easy-rsa/2.0/build-ca b/ssltools/easy-rsa/2.0/build-ca deleted file mode 100755 index fb1e2ca..0000000 --- a/ssltools/easy-rsa/2.0/build-ca +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -# -# Build a root certificate -# - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --initca $* diff --git a/ssltools/easy-rsa/2.0/build-dh b/ssltools/easy-rsa/2.0/build-dh deleted file mode 100755 index f019222..0000000 --- a/ssltools/easy-rsa/2.0/build-dh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -# Build Diffie-Hellman parameters for the server side -# of an SSL/TLS connection. - -if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then - $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/ssltools/easy-rsa/2.0/build-inter b/ssltools/easy-rsa/2.0/build-inter deleted file mode 100755 index f831d6f..0000000 --- a/ssltools/easy-rsa/2.0/build-inter +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Make an intermediate CA certificate/private key pair using a locally generated -# root certificate. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --inter $* diff --git a/ssltools/easy-rsa/2.0/build-key b/ssltools/easy-rsa/2.0/build-key deleted file mode 100755 index 6196308..0000000 --- a/ssltools/easy-rsa/2.0/build-key +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Make a certificate/private key pair using a locally generated -# root certificate. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact $* diff --git a/ssltools/easy-rsa/2.0/build-key-pass b/ssltools/easy-rsa/2.0/build-key-pass deleted file mode 100755 index 35543e0..0000000 --- a/ssltools/easy-rsa/2.0/build-key-pass +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Similar to build-key, but protect the private key -# with a password. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --pass $* diff --git a/ssltools/easy-rsa/2.0/build-key-pkcs12 b/ssltools/easy-rsa/2.0/build-key-pkcs12 deleted file mode 100755 index 5ef064f..0000000 --- a/ssltools/easy-rsa/2.0/build-key-pkcs12 +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -# Make a certificate/private key pair using a locally generated -# root certificate and convert it to a PKCS #12 file including the -# the CA certificate as well. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --pkcs12 $* diff --git a/ssltools/easy-rsa/2.0/build-key-server b/ssltools/easy-rsa/2.0/build-key-server deleted file mode 100755 index 5502675..0000000 --- a/ssltools/easy-rsa/2.0/build-key-server +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -# Make a certificate/private key pair using a locally generated -# root certificate. -# -# Explicitly set nsCertType to server using the "server" -# extension in the openssl.cnf file. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --server $* diff --git a/ssltools/easy-rsa/2.0/build-req b/ssltools/easy-rsa/2.0/build-req deleted file mode 100755 index 26587d1..0000000 --- a/ssltools/easy-rsa/2.0/build-req +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Build a certificate signing request and private key. Use this -# when your root certificate and key is not available locally. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --csr $* diff --git a/ssltools/easy-rsa/2.0/build-req-pass b/ssltools/easy-rsa/2.0/build-req-pass deleted file mode 100755 index 6e6c863..0000000 --- a/ssltools/easy-rsa/2.0/build-req-pass +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Like build-req, but protect your private key -# with a password. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --csr --pass $* diff --git a/ssltools/easy-rsa/2.0/clean-all b/ssltools/easy-rsa/2.0/clean-all deleted file mode 100755 index 0576db5..0000000 --- a/ssltools/easy-rsa/2.0/clean-all +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash - -# Initialize the $KEY_DIR directory. -# Note that this script does a -# rm -rf on $KEY_DIR so be careful! - -if [ "$KEY_DIR" ]; then - rm -rf "$KEY_DIR" - mkdir "$KEY_DIR" && \ - chmod go-rwx "$KEY_DIR" && \ - touch "$KEY_DIR/index.txt" && \ - echo 01 >"$KEY_DIR/serial" -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/ssltools/easy-rsa/2.0/inherit-inter b/ssltools/easy-rsa/2.0/inherit-inter deleted file mode 100755 index 2101951..0000000 --- a/ssltools/easy-rsa/2.0/inherit-inter +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash - -# Build a new PKI which is rooted on an intermediate certificate generated -# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should -# have independent vars settings, and must use a different KEY_DIR directory -# from the parent. This tool can be used to generate arbitrary depth -# certificate chains. -# -# To build an intermediate CA, follow the same steps for a regular PKI but -# replace ./build-key or ./pkitool --initca with this script. - -# The EXPORT_CA file will contain the CA certificate chain and should be -# referenced by the OpenVPN "ca" directive in config files. The ca.crt file -# will only contain the local intermediate CA -- it's needed by the easy-rsa -# scripts but not by OpenVPN directly. -EXPORT_CA="export-ca.crt" - -if [ $# -ne 2 ]; then - echo "usage: $0 <parent-key-dir> <common-name>" - echo "parent-key-dir: the KEY_DIR directory of the parent PKI" - echo "common-name: the common name of the intermediate certificate in the parent PKI" - exit 1; -fi - -if [ "$KEY_DIR" ]; then - cp "$1/$2.crt" "$KEY_DIR/ca.crt" - cp "$1/$2.key" "$KEY_DIR/ca.key" - - if [ -e "$1/$EXPORT_CA" ]; then - PARENT_CA="$1/$EXPORT_CA" - else - PARENT_CA="$1/ca.crt" - fi - cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" - cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/ssltools/easy-rsa/2.0/list-crl b/ssltools/easy-rsa/2.0/list-crl deleted file mode 100755 index afc0cd6..0000000 --- a/ssltools/easy-rsa/2.0/list-crl +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -# list revoked certificates - -CRL="${1:-crl.pem}" - -if [ "$KEY_DIR" ]; then - cd "$KEY_DIR" && \ - $OPENSSL crl -text -noout -in "$CRL" -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/ssltools/easy-rsa/2.0/openssl-0.9.6.cnf.gz b/ssltools/easy-rsa/2.0/openssl-0.9.6.cnf.gz Binary files differdeleted file mode 100644 index d2afde0..0000000 --- a/ssltools/easy-rsa/2.0/openssl-0.9.6.cnf.gz +++ /dev/null diff --git a/ssltools/easy-rsa/2.0/openssl.cnf b/ssltools/easy-rsa/2.0/openssl.cnf deleted file mode 100755 index a781dda..0000000 --- a/ssltools/easy-rsa/2.0/openssl.cnf +++ /dev/null @@ -1,285 +0,0 @@ -# For use with easy-rsa version 2.0 - -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_init - -[ openssl_init ] -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids -engines = engine_section - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = $ENV::KEY_DIR # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir # default place for new certs. - -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 3650 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_anything - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = $ENV::KEY_SIZE -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = nombstr - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = $ENV::KEY_COUNTRY -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = $ENV::KEY_PROVINCE - -localityName = Locality Name (eg, city) -localityName_default = $ENV::KEY_CITY - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = $ENV::KEY_ORG - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_default = $ENV::KEY_EMAIL -emailAddress_max = 40 - -# JY -- added for batch mode -organizationalUnitName_default = $ENV::KEY_OU -commonName_default = $ENV::KEY_CN - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "Easy-RSA Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=clientAuth -keyUsage = digitalSignature - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ server ] - -# JY ADDED -- Make a cert with nsCertType set to "server" -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "Easy-RSA Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=serverAuth -keyUsage = digitalSignature, keyEncipherment - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always - -[ engine_section ] -# -# If you are using PKCS#11 -# Install engine_pkcs11 of opensc (www.opensc.org) -# And uncomment the following -# verify that dynamic_path points to the correct location -# -#pkcs11 = pkcs11_section - -[ pkcs11_section ] -engine_id = pkcs11 -dynamic_path = /usr/lib/engines/engine_pkcs11.so -MODULE_PATH = $ENV::PKCS11_MODULE_PATH -PIN = $ENV::PKCS11_PIN -init = 0 - diff --git a/ssltools/easy-rsa/2.0/pkitool b/ssltools/easy-rsa/2.0/pkitool deleted file mode 100755 index 5f95162..0000000 --- a/ssltools/easy-rsa/2.0/pkitool +++ /dev/null @@ -1,353 +0,0 @@ -#!/bin/sh - -# OpenVPN -- An application to securely tunnel IP networks -# over a single TCP/UDP port, with support for SSL/TLS-based -# session authentication and key exchange, -# packet encryption, packet authentication, and -# packet compression. -# -# Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program (see the file COPYING included with this -# distribution); if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# pkitool is a front-end for the openssl tool. - -# Calling scripts can set the certificate organizational -# unit with the KEY_OU environmental variable. - -PROGNAME=pkitool -VERSION=2.0 -DEBUG=0 - -die() -{ - local m="$1" - - echo "$m" >&2 - exit 1 -} - -need_vars() -{ - echo ' Please edit the vars script to reflect your configuration,' - echo ' then source it with "source ./vars".' - echo ' Next, to start with a fresh PKI configuration and to delete any' - echo ' previous certificates and keys, run "./clean-all".' - echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys." -} - -usage() -{ - echo "$PROGNAME $VERSION" - echo "Usage: $PROGNAME [options...] [common-name]" - echo "Options:" - echo " --batch : batch mode (default)" - echo " --keysize : Set keysize" - echo " size : size (default=1024)" - echo " --interact : interactive mode" - echo " --server : build server cert" - echo " --initca : build root CA" - echo " --inter : build intermediate CA" - echo " --pass : encrypt private key with password" - echo " --csr : only generate a CSR, do not sign" - echo " --sign : sign an existing CSR" - echo " --pkcs12 : generate a combined PKCS#12 file" - echo " --pkcs11 : generate certificate on PKCS#11 token" - echo " lib : PKCS#11 library" - echo " slot : PKCS#11 slot" - echo " id : PKCS#11 object id (hex string)" - echo " label : PKCS#11 object label" - echo "Standalone options:" - echo " --pkcs11-slots : list PKCS#11 slots" - echo " lib : PKCS#11 library" - echo " --pkcs11-objects : list PKCS#11 token objects" - echo " lib : PKCS#11 library" - echo " slot : PKCS#11 slot" - echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!" - echo " lib : PKCS#11 library" - echo " slot : PKCS#11 slot" - echo " label : PKCS#11 token label" - echo "Notes:" - need_vars - echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher." - echo "Generated files and corresponding OpenVPN directives:" - echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)' - echo " ca.crt -> root certificate (--ca)" - echo " ca.key -> root key, keep secure (not directly used by OpenVPN)" - echo " .crt files -> client/server certificates (--cert)" - echo " .key files -> private keys, keep secure (--key)" - echo " .csr files -> certificate signing request (not directly used by OpenVPN)" - echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)" - echo "Examples:" - echo " $PROGNAME --initca -> Build root certificate" - echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key" - echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" - echo " $PROGNAME client1 -> Build \"client1\" certificate/key" - echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" - echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format" - echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" - echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" - echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" - echo " Also see ./inherit-inter script." - echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5" - echo " -> Build \"client5\" certificate/key in PKCS#11 token" - echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." - echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :" - echo " [edit vars with your site-specific info]" - echo " source ./vars" - echo " ./clean-all" - echo " ./build-dh -> takes a long time, consider backgrounding" - echo " ./$PROGNAME --initca" - echo " ./$PROGNAME --server myserver" - echo " ./$PROGNAME client1" - echo " ./$PROGNAME --pass client2" - echo "Typical usage for adding client cert to existing PKI:" - echo " source ./vars" - echo " ./$PROGNAME client-new" -} - -# Set defaults -DO_REQ="1" -REQ_EXT="" -DO_CA="1" -CA_EXT="" -DO_P12="0" -DO_P11="0" -DO_ROOT="0" -NODES_REQ="-nodes" -NODES_P12="" -BATCH="-batch" -CA="ca" -# must be set or errors of openssl.cnf -PKCS11_MODULE_PATH="dummy" -PKCS11_PIN="dummy" - -# Process options -while [ $# -gt 0 ]; do - case "$1" in - --keysize ) KEY_SIZE=$2 - shift;; - --server ) REQ_EXT="$REQ_EXT -extensions server" - CA_EXT="$CA_EXT -extensions server" ;; - --batch ) BATCH="-batch" ;; - --interact ) BATCH="" ;; - --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; - --initca ) DO_ROOT="1" ;; - --pass ) NODES_REQ="" ;; - --csr ) DO_CA="0" ;; - --sign ) DO_REQ="0" ;; - --pkcs12 ) DO_P12="1" ;; - --pkcs11 ) DO_P11="1" - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - PKCS11_ID="$4" - PKCS11_LABEL="$5" - shift 4;; - - # standalone - --pkcs11-init) - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - PKCS11_LABEL="$4" - if [ -z "$PKCS11_LABEL" ]; then - die "Please specify library name, slot and label" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ - --label "$PKCS11_LABEL" && - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" - exit $?;; - --pkcs11-slots) - PKCS11_MODULE_PATH="$2" - if [ -z "$PKCS11_MODULE_PATH" ]; then - die "Please specify library name" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots - exit 0;; - --pkcs11-objects) - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - if [ -z "$PKCS11_SLOT" ]; then - die "Please specify library name and slot" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" - exit 0;; - - # errors - --* ) die "$PROGNAME: unknown option: $1" ;; - * ) break ;; - esac - shift -done - -if ! [ -z "$BATCH" ]; then - if $OPENSSL version | grep 0.9.6 > /dev/null; then - die "Batch mode is unsupported in openssl<0.9.7" - fi -fi - -if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then - die "PKCS#11 and PKCS#12 cannot be specified together" -fi - -if [ $DO_P11 -eq 1 ]; then - if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then - die "Please edit $KEY_CONFIG and setup PKCS#11 engine" - fi -fi - -# If we are generating pkcs12, only encrypt the final step -if [ $DO_P12 -eq 1 ]; then - NODES_P12="$NODES_REQ" - NODES_REQ="-nodes" -fi - -if [ $DO_P11 -eq 1 ]; then - if [ -z "$PKCS11_LABEL" ]; then - die "PKCS#11 arguments incomplete" - fi -fi - -# If undefined, set default key expiration intervals -if [ -z "$KEY_EXPIRE" ]; then - KEY_EXPIRE=3650 -fi -if [ -z "$CA_EXPIRE" ]; then - CA_EXPIRE=3650 -fi - -# Set organizational unit to empty string if undefined -if [ -z "$KEY_OU" ]; then - KEY_OU="" -fi - -# Set KEY_CN -if [ $DO_ROOT -eq 1 ]; then - if [ -z "$KEY_CN" ]; then - if [ "$1" ]; then - KEY_CN="$1" - elif [ "$KEY_ORG" ]; then - KEY_CN="$KEY_ORG CA" - fi - fi - if [ $BATCH ] && [ "$KEY_CN" ]; then - echo "Using CA Common Name:" $KEY_CN - fi -elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then - echo "Using Common Name:" $KEY_CN -else - if [ $# -ne 1 ]; then - usage - exit 1 - else - KEY_CN="$1" - fi -fi - -export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN - -# Show parameters (debugging) -if [ $DEBUG -eq 1 ]; then - echo DO_REQ $DO_REQ - echo REQ_EXT $REQ_EXT - echo DO_CA $DO_CA - echo CA_EXT $CA_EXT - echo NODES_REQ $NODES_REQ - echo NODES_P12 $NODES_P12 - echo DO_P12 $DO_P12 - echo KEY_CN $KEY_CN - echo BATCH $BATCH - echo DO_ROOT $DO_ROOT - echo KEY_EXPIRE $KEY_EXPIRE - echo CA_EXPIRE $CA_EXPIRE - echo KEY_OU $KEY_OU - echo DO_P11 $DO_P11 - echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH - echo PKCS11_SLOT $PKCS11_SLOT - echo PKCS11_ID $PKCS11_ID - echo PKCS11_LABEL $PKCS11_LABEL -fi - -# Make sure ./vars was sourced beforehand -if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then - cd "$KEY_DIR" - - # Make sure $KEY_CONFIG points to the correct version - # of openssl.cnf - if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then - : - else - echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" - echo "version of openssl.cnf: $KEY_CONFIG" - echo "The correct version should have a comment that says: easy-rsa version 2.x"; - exit 1; - fi - - # Build root CA - if [ $DO_ROOT -eq 1 ]; then - $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \ - -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ - chmod 0600 "$CA.key" - else - # Make sure CA key/cert is available - if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then - if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then - echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" - echo "Try $PROGNAME --initca to build a root certificate/key." - exit 1 - fi - fi - - # Generate key for PKCS#11 token - PKCS11_ARGS= - if [ $DO_P11 -eq 1 ]; then - stty -echo - echo -n "User PIN: " - read -r PKCS11_PIN - stty echo - export PKCS11_PIN - - echo "Generating key pair on PKCS#11 token..." - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ - --login --pin "$PKCS11_PIN" \ - --key-type rsa:1024 \ - --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 - PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" - fi - - # Build cert/key - ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ - -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ - ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \ - -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \ - ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \ - -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \ - ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \ - ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" ) - - # Load certificate into PKCS#11 token - if [ $DO_P11 -eq 1 ]; then - $OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \ - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \ - --login --pin "$PKCS11_PIN" \ - --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" - [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der" - fi - - fi - -# Need definitions -else - need_vars -fi diff --git a/ssltools/easy-rsa/2.0/revoke-full b/ssltools/easy-rsa/2.0/revoke-full deleted file mode 100755 index bf3e5fb..0000000 --- a/ssltools/easy-rsa/2.0/revoke-full +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash - -# revoke a certificate, regenerate CRL, -# and verify revocation - -CRL="crl.pem" -RT="revoke-test.pem" - -if [ $# -ne 1 ]; then - echo "usage: revoke-full <common-name>"; - exit 1 -fi - -if [ "$KEY_DIR" ]; then - cd "$KEY_DIR" - rm -f "$RT" - - # set defaults - export KEY_CN="" - export KEY_OU="" - - # revoke key and generate a new CRL - $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" - - # generate a new CRL -- try to be compatible with - # intermediate PKIs - $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" - if [ -e export-ca.crt ]; then - cat export-ca.crt "$CRL" >"$RT" - else - cat ca.crt "$CRL" >"$RT" - fi - - # verify the revocation - $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" -else - echo 'Please source the vars script first (i.e. "source ./vars")' - echo 'Make sure you have edited it to reflect your configuration.' -fi diff --git a/ssltools/easy-rsa/2.0/sign-req b/ssltools/easy-rsa/2.0/sign-req deleted file mode 100755 index 38655d3..0000000 --- a/ssltools/easy-rsa/2.0/sign-req +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# Sign a certificate signing request (a .csr file) -# with a local root certificate and key. - -export EASY_RSA="${EASY_RSA:-.}" -"$EASY_RSA/pkitool" --interact --sign $* diff --git a/ssltools/easy-rsa/2.0/vars b/ssltools/easy-rsa/2.0/vars deleted file mode 100755 index a904547..0000000 --- a/ssltools/easy-rsa/2.0/vars +++ /dev/null @@ -1,64 +0,0 @@ -# easy-rsa parameter settings - -# NOTE: If you installed from an RPM, -# don't edit this file in place in -# /usr/share/openvpn/easy-rsa -- -# instead, you should copy the whole -# easy-rsa directory to another location -# (such as /etc/openvpn) so that your -# edits will not be wiped out by a future -# OpenVPN package upgrade. - -# This variable should point to -# the top level of the easy-rsa -# tree. -export EASY_RSA="`pwd`" - -# -# This variable should point to -# the requested executables -# -export OPENSSL="openssl" -export PKCS11TOOL="pkcs11-tool" -export GREP="grep" - - -# This variable should point to -# the openssl.cnf file included -# with easy-rsa. -export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` - -# Edit this variable to point to -# your soon-to-be-created key -# directory. -# -# WARNING: clean-all will do -# a rm -rf on this directory -# so make sure you define -# it correctly! -export KEY_DIR="$EASY_RSA/keys" - -# Issue rm -rf warning -echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR - -# Increase this to 2048 if you -# are paranoid. This will slow -# down TLS negotiation performance -# as well as the one-time DH parms -# generation process. -export KEY_SIZE=1024 - -# In how many days should the root CA key expire? -export CA_EXPIRE=3650 - -# In how many days should certificates expire? -export KEY_EXPIRE=3650 - -# These are the default values for fields -# which will be placed in the certificate. -# Don't leave any of these fields blank. -export KEY_COUNTRY="US" -export KEY_PROVINCE="CA" -export KEY_CITY="SanFrancisco" -export KEY_ORG="Fort-Funston" -export KEY_EMAIL="me@myhost.mydomain" diff --git a/ssltools/easy-rsa/2.0/whichopensslcnf b/ssltools/easy-rsa/2.0/whichopensslcnf deleted file mode 100755 index 2260aa8..0000000 --- a/ssltools/easy-rsa/2.0/whichopensslcnf +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -if [ "$OPENSSL" ]; then - if $OPENSSL version | grep 0.9.6 > /dev/null; then - echo "$1/openssl-0.9.6.cnf" - else - echo "$1/openssl.cnf" - fi -else - echo "$1/openssl.cnf" -fi - -exit 0 diff --git a/ssltools/easy-rsa/README.gz b/ssltools/easy-rsa/README.gz Binary files differdeleted file mode 100644 index 70ce70f..0000000 --- a/ssltools/easy-rsa/README.gz +++ /dev/null diff --git a/ssltools/easy-rsa/build-ca b/ssltools/easy-rsa/build-ca deleted file mode 100755 index 5ad59cc..0000000 --- a/ssltools/easy-rsa/build-ca +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -# -# Build a root certificate -# - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \ - chmod 0600 ca.key -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/build-dh b/ssltools/easy-rsa/build-dh deleted file mode 100755 index 6de4baf..0000000 --- a/ssltools/easy-rsa/build-dh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh - -# -# Build Diffie-Hellman parameters for the server side -# of an SSL/TLS connection. -# - -if test $KEY_DIR; then - openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/build-inter b/ssltools/easy-rsa/build-inter deleted file mode 100755 index 8b3a6b2..0000000 --- a/ssltools/easy-rsa/build-inter +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh - -# -# Make an intermediate CA certificate/private key pair using a locally generated -# root certificate. -# - -if test $# -ne 1; then - echo "usage: build-inter <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/build-key b/ssltools/easy-rsa/build-key deleted file mode 100755 index 3159d2b..0000000 --- a/ssltools/easy-rsa/build-key +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh - -# -# Make a certificate/private key pair using a locally generated -# root certificate. -# - -if test $# -ne 1; then - echo "usage: build-key <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ - chmod 0600 $1.key -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/build-key-pass b/ssltools/easy-rsa/build-key-pass deleted file mode 100755 index 03ab304..0000000 --- a/ssltools/easy-rsa/build-key-pass +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh - -# -# Similar to build-key, but protect the private key -# with a password. -# - -if test $# -ne 1; then - echo "usage: build-key-pass <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ - chmod 0600 $1.key -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/build-key-pkcs12 b/ssltools/easy-rsa/build-key-pkcs12 deleted file mode 100755 index f8a057b..0000000 --- a/ssltools/easy-rsa/build-key-pkcs12 +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -# -# Make a certificate/private key pair using a locally generated -# root certificate and convert it to a PKCS #12 file including the -# the CA certificate as well. - -if test $# -ne 1; then - echo "usage: build-key-pkcs12 <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ - openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \ - chmod 0600 $1.key $1.p12 -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/build-key-server b/ssltools/easy-rsa/build-key-server deleted file mode 100755 index 30dc41e..0000000 --- a/ssltools/easy-rsa/build-key-server +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh - -# -# Make a certificate/private key pair using a locally generated -# root certificate. -# -# Explicitly set nsCertType to server using the "server" -# extension in the openssl.cnf file. - -if test $# -ne 1; then - echo "usage: build-key-server <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \ - chmod 0600 $1.key -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/build-req b/ssltools/easy-rsa/build-req deleted file mode 100755 index 30f62f5..0000000 --- a/ssltools/easy-rsa/build-req +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# Build a certificate signing request and private key. Use this -# when your root certificate and key is not available locally. -# - -if test $# -ne 1; then - echo "usage: build-req <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/build-req-pass b/ssltools/easy-rsa/build-req-pass deleted file mode 100755 index 829b286..0000000 --- a/ssltools/easy-rsa/build-req-pass +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# Like build-req, but protect your private key -# with a password. -# - -if test $# -ne 1; then - echo "usage: build-req-pass <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/clean-all b/ssltools/easy-rsa/clean-all deleted file mode 100755 index d10aef5..0000000 --- a/ssltools/easy-rsa/clean-all +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh - -# -# Initialize the $KEY_DIR directory. -# Note that this script does a -# rm -rf on $KEY_DIR so be careful! -# - -d=$KEY_DIR - -if test $d; then - rm -rf $d - mkdir $d && \ - chmod go-rwx $d && \ - touch $d/index.txt && \ - echo 01 >$d/serial -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/list-crl b/ssltools/easy-rsa/list-crl deleted file mode 100644 index b214dbd..0000000 --- a/ssltools/easy-rsa/list-crl +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# list revoked certificates -# -# - -if test $# -ne 1; then - echo "usage: list-crl <crlfile.pem>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl crl -text -noout -in $1 -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/make-crl b/ssltools/easy-rsa/make-crl deleted file mode 100644 index 62fe6c1..0000000 --- a/ssltools/easy-rsa/make-crl +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# generate a CRL -# -# - -if test $# -ne 1; then - echo "usage: make-crl <crlfile.pem>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -gencrl -out $1 -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/revoke-crt b/ssltools/easy-rsa/revoke-crt deleted file mode 100644 index 35b071a..0000000 --- a/ssltools/easy-rsa/revoke-crt +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# revoke a certificate -# -# - -if test $# -ne 1; then - echo "usage: revoke-crt <file.crt>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -revoke $1 -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/revoke-full b/ssltools/easy-rsa/revoke-full deleted file mode 100755 index 66ea03f..0000000 --- a/ssltools/easy-rsa/revoke-full +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -# revoke a certificate, regenerate CRL, -# and verify revocation - -CRL=crl.pem -RT=revoke-test.pem - -if test $# -ne 1; then - echo "usage: revoke-full <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR - rm -f $RT - - # revoke key and generate a new CRL - openssl ca -revoke $1.crt -config $KEY_CONFIG - - # generate a new CRL - openssl ca -gencrl -out $CRL -config $KEY_CONFIG - cat ca.crt $CRL >$RT - - # verify the revocation - openssl verify -CAfile $RT -crl_check $1.crt -else - echo you must define KEY_DIR -fi diff --git a/ssltools/easy-rsa/sign-req b/ssltools/easy-rsa/sign-req deleted file mode 100755 index 59edc42..0000000 --- a/ssltools/easy-rsa/sign-req +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# Sign a certificate signing request (a .csr file) -# with a local root certificate and key. -# - -if test $# -ne 1; then - echo "usage: sign-req <name>"; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/ssltools/keys/ca.crt b/ssltools/keys/ca.crt deleted file mode 100644 index c4dd94b..0000000 --- a/ssltools/keys/ca.crt +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEGDCCAwCgAwIBAgIJAIKnIVmOHh/kMA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNV -BAYTAkFUMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEUMBIGA1UEChML -QU5ZVFVOLVRFU1QxITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAe -Fw0wNzEyMDMwOTQwNTlaFw0xNzExMzAwOTQwNTlaMGUxCzAJBgNVBAYTAkFUMQsw -CQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEUMBIGA1UEChMLQU5ZVFVOLVRF -U1QxITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBANrdoDDCweNMNoPt0OHTSH04szK0cQdB84QB -2aFPITLOLK1jpp08I3pudz5FSwRHjsZPMJomoEXrruko/bA7q8O/xoORVNpwN3SG -lK3aqvwZfHm3Tbx7CBS/5JPlYOB5Q37femu0Gdak0oMrEBaqIxsA2Ne2D0GVnVYk -Ab2j1zuGR6eor+KhdTcdn63/zTVsARz1mcTweJxROtXRcmB3CkvO68gxs+iz4vVN -nebkW/VxbiUzNSAyQ193v177LYvxREpqSwgSscdwOTuNpDpF4Gr1YTOTlmm4tkG5 -DW8oSaT/sp8ugi5uUVGbSe9YKnVoPjZw4ARGDWQPiA7qYeHHPDsCAwEAAaOByjCB -xzAdBgNVHQ4EFgQUKIb1DfBeNiUyAA6AJgFMWoqVaZwwgZcGA1UdIwSBjzCBjIAU -KIb1DfBeNiUyAA6AJgFMWoqVaZyhaaRnMGUxCzAJBgNVBAYTAkFUMQswCQYDVQQI -EwJOQTEQMA4GA1UEBxMHQklTSEtFSzEUMBIGA1UEChMLQU5ZVFVOLVRFU1QxITAf -BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpboIJAIKnIVmOHh/kMAwGA1Ud -EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKjvyWpVfauz7f12N3B/T8RClAq4 -NBL922F/OSx9eo7nVpdJ+ULG2ZPxU/umGGgUYP9kO1OTjCdfWSzzSer6eXBlOS4X -WgNI3Am3UhybSi0rRIPfhYPBIRudN8o/8fdzOyfIXNZRzVIK7H21/DrBC1G8JyLP -fVOO6HjiGBQMTCuYNbkWy1gV6HDz4+shyvEDamBIQZVKqEPI2QrvTwbGAtFmoajb -WSd+v8bNtXXNt3QPpp3JIcDUvWtjiaFCgAifYkv+tp/1lAY5/G01HlBsTEx+lDWw -oKeS8p0mB3sbKV8xS0VXiVAWojTzc3nL1oDv3Wt5bP0M1SF/puQB+FIidTc= ------END CERTIFICATE----- diff --git a/ssltools/keys/ca.key b/ssltools/keys/ca.key deleted file mode 100644 index dc2e523..0000000 --- a/ssltools/keys/ca.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA2t2gMMLB40w2g+3Q4dNIfTizMrRxB0HzhAHZoU8hMs4srWOm -nTwjem53PkVLBEeOxk8wmiagReuu6Sj9sDurw7/Gg5FU2nA3dIaUrdqq/Bl8ebdN -vHsIFL/kk+Vg4HlDft96a7QZ1qTSgysQFqojGwDY17YPQZWdViQBvaPXO4ZHp6iv -4qF1Nx2frf/NNWwBHPWZxPB4nFE61dFyYHcKS87ryDGz6LPi9U2d5uRb9XFuJTM1 -IDJDX3e/Xvsti/FESmpLCBKxx3A5O42kOkXgavVhM5OWabi2QbkNbyhJpP+yny6C -Lm5RUZtJ71gqdWg+NnDgBEYNZA+IDuph4cc8OwIDAQABAoIBAQCutAP/iCauYhKO -AtIewMF3O0BHdCNY8LsKH1Px4DEW1d5x1T6U+gEz5GOIsFUuKFR+VY3tLnH2/idT -dGX0O91i1n0GXobGCpcpi5e4ovijXVCv87K4hdiwf3Bc4dcPt5w59PdKa6vIWy6y -hzhDbzGwh1+P6IKLDntV3E4La3INzyr/8nFeoybCf0tHyK15j0PVycGExU+q54Jr -/LM6y1mAY9CbE+k8C5QwvkO8H2fyQcfqiHIZlBT08y+bP7/zuUAvjcX1oaVk2Qtt -dX3N02kIw+C053oxxoQ+K9MSohF5KPdm9FFmalxvMbdWcFD+s6nNtPBGXbBvZy5/ -8c7nDx9xAoGBAPGsH0znvKWq0RNU8rho7SlMRZ2wY0LpMgjLcAMbKZ1xr16kdrHY -RZANVL0jm1hQi0pnJlEJ2B87zjXCOjytFqF5xoGKWjiHYc+yYVpzQTMXdzHxSmG6 -rPGqCCMi6z+QaC1RcFwVXD1po7UMx8c18sy4/ERIIHcQwy5VJVtJIiK5AoGBAOfX -XaGX8nZFQg/yXRI0O1Lk9rXv+37CqcL7dtkbhxSVCdfe3q0XcIUac9oy1uoK2B+Z -0PNne4mafky4B2r4DOEWWEBjsYAGhRTKYEHVYUecgtTL6IqnVwWe2aEDerkTQPbo -0/A5sVJimbvn7xtDO8E9Vezoqg25cdYK54RKIayTAoGAY013exFJqcUbrdbc+Ttc -H/kQLfBZiRfrEEQPnacenWwmRDxN7VvRkZR4ulMUNOC7q3HhA7GI1aSsYdiSN3Zj -8yvnjjj8Q3gVj9NbP2BWbRj6SFI+XxPmllJoj498nJzIwb5R7fR092Md+nnq6QdY -4hgsyB3fAS2pFbO06uKNHTkCgYBsngnP21BM+MWqkvHnxXDFtV+gfX5mNO0z3Hwh -2zO+ANVLva61iXW95lbAs3Dc1ZfLtlSetKy8GxVw/Ab9ppjiG4XdJNfUEznmM6pF -LaMV2c2xxJZ930h16aYsOWUVsF+PTiV9NopM/sTntBHhw+4K6qGHDLofE/KxRQqS -f+im4QKBgQDOTT16WHPzbq3JnY8Rt4ABE9GmkKih42+XdYBYh7a/AQDiriY2tfPX -EFEpc3dRFr/yhgRecaBVk4SYJy+qxKnl7Ekk4lQ8y0zH53E/D+BDOh6EpbsUtkvS -lUc6N0SKKoStE3bX8pOkniJfS9Vfpzf9KUnwVCp5T+2Lzt8vzCK08g== ------END RSA PRIVATE KEY----- diff --git a/ssltools/keys/index.txt b/ssltools/keys/index.txt deleted file mode 100644 index e69de29..0000000 --- a/ssltools/keys/index.txt +++ /dev/null diff --git a/ssltools/keys/serial b/ssltools/keys/serial deleted file mode 100644 index 8a0f05e..0000000 --- a/ssltools/keys/serial +++ /dev/null @@ -1 +0,0 @@ -01 diff --git a/ssltools/keys/server1.crt b/ssltools/keys/server1.crt deleted file mode 100644 index e69de29..0000000 --- a/ssltools/keys/server1.crt +++ /dev/null diff --git a/ssltools/keys/server1.csr b/ssltools/keys/server1.csr deleted file mode 100644 index 059c169..0000000 --- a/ssltools/keys/server1.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICqjCCAZICAQAwZTELMAkGA1UEBhMCQVQxCzAJBgNVBAgTAk5BMRAwDgYDVQQH -EwdCSVNIS0VLMRQwEgYDVQQKEwtBTllUVU4tVEVTVDEhMB8GCSqGSIb3DQEJARYS -bWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAv88G8qUEqOiCvchwUeBSadUeGs0Md26ROUAMUw6G58OlzjRgT+tzbSiOzIdN -bxmSeHPCa8bYATYTTThnHmVg4CE7xP9U+tA+tJAIkpkBZZYotnV/OnJR0F4TtfKZ -K+O8+Yybaiblad1wSzXjrzX4QQ9ueh3Dg+7QEwSCq9GNP1x/2nyJi9c9Dpko2z71 -b2K1oPKhjTuVSbwL7gkp7E9TaaKfRhyj5w3eVOz+QcYR2HHClmL244VjJhQ/K99V -Rs+RrFbustiV76NNU57ibeBWMbQofIcaX0nuw0m7uZELEu0QZQuV7ARo+0Y5OIuU -XecaRwItaCJSscKE4UVeFABGHQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBACF4 -pOn14suzMMpniCfSAUVNa6yhsQ5yik3N+5/UF8z08xests0huzXFU62Cv2QSXCQx -EwjAJSBgA4oS6Xr+QmI8P3UN1QeY4NqgxOmURZTdG5oWAPTcHE7SMulzjKP5ZxoZ -FyWmSNXolMNqGwcrbhrqF3xXkPVC+HkK2qX9C4p7IZm8lWGJ+g4Mbf5Sh924BoJ2 -RCNWZbtwtli88IvWUzQUqkJXjVVChigxbwOmwEk3JNWxXcyKt1SdjY0poIzf013V -+b8np6CIFxq0MyihMpI0gSkXy0Yhs36sjopiYAJ2nD+3Q17/pBhRKnnyAxWH3ZsD -Stga9FJHLzITwLF1ASo= ------END CERTIFICATE REQUEST----- diff --git a/ssltools/keys/server1.key b/ssltools/keys/server1.key deleted file mode 100644 index 7ad0455..0000000 --- a/ssltools/keys/server1.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAv88G8qUEqOiCvchwUeBSadUeGs0Md26ROUAMUw6G58OlzjRg -T+tzbSiOzIdNbxmSeHPCa8bYATYTTThnHmVg4CE7xP9U+tA+tJAIkpkBZZYotnV/ -OnJR0F4TtfKZK+O8+Yybaiblad1wSzXjrzX4QQ9ueh3Dg+7QEwSCq9GNP1x/2nyJ -i9c9Dpko2z71b2K1oPKhjTuVSbwL7gkp7E9TaaKfRhyj5w3eVOz+QcYR2HHClmL2 -44VjJhQ/K99VRs+RrFbustiV76NNU57ibeBWMbQofIcaX0nuw0m7uZELEu0QZQuV -7ARo+0Y5OIuUXecaRwItaCJSscKE4UVeFABGHQIDAQABAoIBAHRd1YlANCOFbExX -Xk1OGrG6ahk4bWfH3LMu+EsrdQ0G1YDUpdnWrqB7CqdrLr9IdGQ/VqSsbj/N3sfq -gCUgvDU99FT/0z6XOHOzLoBB82b+QpTvk9CRqrEPYkXweJz3/Z4of+FW17fycD4w -44FY7NQL2KqdhBB2wiXHhr9W0qqtFZWuJTOskVpG6pkGhI8wHSL8jz1vI+0KAa6c -FEUe65jVvnBHg2qMwizpqiHm0Yf2gv3D5Mgk3MDww79V3LdQ7UEqiclYOG3nBfzj -HWo/ptKK3vGhzN5v09rDGHIAbHCWg6YzGe5Dvj7GhkKqvtdJCPXje8mMfc7xXEfh -pUJkBgECgYEA81yXC7BD+fpHAc0MZSf+8i9C6ENm5ZaDt0wlg5UnGKlTk+9n66p6 -V/GXmur7HJaL72RVYeUvXxKkzDQ4j3i+qCrkgHMpc9hjkCZ+nZWjwSFZEnxjXcUh -yhHcvnrfRwgNGLqwsIoUSTVhptbZc932n8jpq6PNZYrEUNlsdkpgpYUCgYEAycUO -1bhvRr50Hf2AW5mRbJRxsUqqVk4Rz1/eevZMsXssy6J9K0to5YO1QKaFz4+FiRkU -DkV1nGb/v02cFY8jHe2rOeP8LeYChWsVl3tvrCA1rkio2ITAFI3W+WaBW3j7cizV -5hhLhg3Ez08lZP5lF+lB6M3b740W2vaoF9791bkCgYBAkketnUZcFJE0pCBu0q7t -uaaKFCBAOLCYOQcXI8Ms4vi/Ht23BRPTM9IjE8gvLK7ShQ+2muX31u2NFSoQv1vv -KPpaLrRH/ZllTSF5VJQPkXad1g1TexPdFuI4VEfcBAHdluN85BY/2n8fkpA+Ex32 -BYwis6KzF5/BR/9kX5XHNQKBgH7LNudXX5Y1WQL/qwnlF14Eau3e3eweY1LODCF5 -ZfiiTyQomD/8w453lg9qlew5ZNEi0VemjqIal9zACLYDnS3RjShz/KVbRXpSMN9g -0mx4UUOUpYZq5coE2HMh12iEPn8hbcmKuusi++rK8dTliOHd021Y8D05jINNPZTC -rQEBAoGBAO8Ozk9FK3r68vkYlLNmwu2Z5XPS7ZLDwgmfTVJRl+n6ikZCr7uo7+Xc -6rkPeueTV15MSMPQDqY12gbAlIrSpOhINEKt5T/inxUIpU6VItFy9bk1+OXwUfE0 -2gHRzohq1tFSd9E+A+9Z0rHDpYfsuXZIro+nBXqn9OxPap15mx+5 ------END RSA PRIVATE KEY----- diff --git a/ssltools/keys/server2.crt b/ssltools/keys/server2.crt deleted file mode 100644 index e69de29..0000000 --- a/ssltools/keys/server2.crt +++ /dev/null diff --git a/ssltools/keys/server2.csr b/ssltools/keys/server2.csr deleted file mode 100644 index 993c2e0..0000000 --- a/ssltools/keys/server2.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICqjCCAZICAQAwZTELMAkGA1UEBhMCQVQxCzAJBgNVBAgTAk5BMRAwDgYDVQQH -EwdCSVNIS0VLMRQwEgYDVQQKEwtBTllUVU4tVEVTVDEhMB8GCSqGSIb3DQEJARYS -bWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAysIXEbv0kDcGX0XMWUVN5QrMgmshAo0CJswB1V771B81TJrat+9bxxzuGKWf -6tdBLGyT7S5BYKbCF/h6Z8oT7KRSQ3qmK4CtvNt05d8TW6sbZf6UWPXMLwii4ztA -193Otrk0Z6adyF1AJJtFkPUf1XmJHeAHFBRPzy4zV8oFrFX4Fc97gsxULPANs763 -9KBz8TuGxomzO6gRPJ+HTKpC/CG1tvJxM36T8pZfGlqi/jLlfR/2JUkvjzP2WW7S -/FGS3sAioSkSd09TbupSmf1R90kRBRdlt/BhgvCvSFDndWXGNuoDXPDgkYZJ3BUN -7C2lPCqorvNxsY/iCW8m+66hSwIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAGwp -QT5j8ZPEnMh3T3krCE94pheM9nsbTxpn4/NyQsijZVJ0PoL5iqo8IXjFymC4IzfN -PwqxanPeDBlDpJtgUucDAmhNSo4XAj8IldO5ZpGostta2BKbw8kZHe6lA95v7Myu -tVlnbXp15XQJWlAoVkdZGkqOlmNbBveqCL9IcGrDrxusZNhPRKeBZcyIzDKQYXJ8 -F0t55aGbMl0rZUbobvsGgHImfhZ1E3uuD1ePlSxGbHPv7KWelf5fVj58KuGOfTYC -RX5S/N7ERaH2627oXYekJJRrtCh/Nn5ZAr2p3ThmoWr7tzwKm4BctMA9PWjLsuJV -yMTFavGRp6g8YvZ2NGA= ------END CERTIFICATE REQUEST----- diff --git a/ssltools/keys/server2.key b/ssltools/keys/server2.key deleted file mode 100644 index ae183a9..0000000 --- a/ssltools/keys/server2.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAysIXEbv0kDcGX0XMWUVN5QrMgmshAo0CJswB1V771B81TJra -t+9bxxzuGKWf6tdBLGyT7S5BYKbCF/h6Z8oT7KRSQ3qmK4CtvNt05d8TW6sbZf6U -WPXMLwii4ztA193Otrk0Z6adyF1AJJtFkPUf1XmJHeAHFBRPzy4zV8oFrFX4Fc97 -gsxULPANs7639KBz8TuGxomzO6gRPJ+HTKpC/CG1tvJxM36T8pZfGlqi/jLlfR/2 -JUkvjzP2WW7S/FGS3sAioSkSd09TbupSmf1R90kRBRdlt/BhgvCvSFDndWXGNuoD -XPDgkYZJ3BUN7C2lPCqorvNxsY/iCW8m+66hSwIDAQABAoIBAHmylXYnglstK73z -fvv2BRL8sFN3SZDmYew3dsJDCJQBR1R7fdv45vVT//T7NEkYeh3X7dHmeYcxkD4i -/hVdzSe0WUv3SdXCnoVEk52Fj3Dt+rv1WcUrgyqX3GzXG8x1baVu9G1iLEIe9mkC -aXbgKgNPt2UfGiCLMHwCFv8SWuVcgZg2ZjM15c8zadEC0y/fAlk8O620cVuVnBFf -bIoiGJFcV4ZPOzrx6D1VFsOI06AGyNQR5c5dOl9qeacguSQdZ9+G+ujIPp0qm+Em -YE02AFyzxXVHa3DDyhzObAzkfv6jOTYtwLxpSBMiP5CCg4VqyCXi8pbtlvOykE7H -wGbNJoECgYEA+org3sbvpFipKF/UWuCKpZ485U4S8a1p+IAcUloM152PIMFPIcyb -ECtjZu1N/jXSYjyCOeTCXM33xMaoUCNzJibrVEe/u2BLrcYgadm4VLRWjwzDEBON -Avg9/QJr+RsithRryslkeF0sD9GL8OQkCXH919+kD8hkL2+10gMPSwkCgYEAzyy/ -c80EP8D0ALyjeg+Kklg11sWR/eXfmiy9iErfa1jQRbNQ7zmch8rBwUvScPklQgyj -Ze2ENxrBDgDFknysKB4Kd+yTnsybQF6vw3MfDNz6gvPR9f+2we24haHjZVniEXqy -WCpQPl4/wrEgssTIE1MwJQme81Fku+lHG7W8WrMCgYBh3tiDDhFVEPFbfTvWGDrx -AYRmSv5pfEWWNm1Z2iWEIN9lez4vRN8aDOjyrya1dE7v4xU4Cl3GpQrxymy7iW2U -7MUnEjQavT4y7t+AmfVA2YWqseCNKiX+j/yfFlAZank/yXBmMg/WWQc6UrAo9OYC -7o2rw4gyRiSkxy2ukVVrCQKBgQCyat8WY2FdZla8q7g9zlSQY9c59zwbZHSE2jL/ -xTtTv1DeNedlnj/n0f268glxsZ8cmrW9eid7LVdFL/T2itfYVMa/MMaQ47RwYxsL -P4FmGojDbidLq8VAjfFzZE/pYNcIJpqgwxAIJjLTAKggTMfhnKrBut9gvJ/8FJJg -ksp7cQKBgGOSnCskEs05TSLhKN+kdq/IDInQGPw8MI+dFCek4KpuK4IOjToLtG5D -Fz24+KcU/11EBMLQp3JAMwF9DFNNQQ0hzBo1ILDVJuk9QOT1FaYMIfZFjQgtGHyU -FSlG7RfVjV6pk3ayYqAlkEL31g3bXlYJC+yAGEDypF5ScgiX+d1d ------END RSA PRIVATE KEY----- diff --git a/ssltools/keys/server3.crt b/ssltools/keys/server3.crt deleted file mode 100644 index e69de29..0000000 --- a/ssltools/keys/server3.crt +++ /dev/null diff --git a/ssltools/keys/server3.csr b/ssltools/keys/server3.csr deleted file mode 100644 index e0a6ac3..0000000 --- a/ssltools/keys/server3.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICqjCCAZICAQAwZTELMAkGA1UEBhMCQVQxCzAJBgNVBAgTAk5BMRAwDgYDVQQH -EwdCSVNIS0VLMRQwEgYDVQQKEwtBTllUVU4tVEVTVDEhMB8GCSqGSIb3DQEJARYS -bWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyiyj24Xp9w3trMbzGyR0gQpGDMhIdJHU1AwW8EskMtNs1eCw5CYZZM20mm7k -vkWXMFdgwjFqKJjjnZuO/HUcYcJcmfJI91srEepThTGrNYiYTKnfJopWTALSRW5E -8F7P4pDby261jzQNCAlaOfWdXUagAOd8Tx7Dk5CNxY7M0Z4kuWt5x3AI1gFG0tb/ -heZrS1NSQ2RS4+BH/z9WY+f9l2QgchkieKZ+RFf5wsrvbkfaJy5kGirPP2+OxwDf -8zMIiee1SDaHRr8cb1b2xM7hbZyvWVDECfrHjf7lXWXMP0V6lxk3Z5Hi7Piaog7F -BJ0AB6Sg33jayt2Ett4p+2VsoQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBABwd -OecA3Qodoa2xNm1JTJwRLhi841VRX9tKhrMhm0DbqX5Ifema5ALR1jigcldTh0VA -bfOolXS+kOlw33d9kHGGj/eQfOk5TJuc28jycMYFBAy9bpCSckrz9o7XTGA6h8LZ -sbA5oXdRU9IYPX6Q/fBdST6BdPZfllLYsNIaSxkg2waWuBIuH8gidtUNe1uUuA1X -OzleKi4PPy30bdGfcgjRUQyiTyas5KaCb5QpGjp3q0MfOVUq71BwLFmdSv60d+Rk -I0IbxzWcfrHuPjT29OYBZ8osQeyTLnDc4hEAePe3LxGp+KNqe4BZbMyoWg3TTKK7 -O7v3I7o+/06zLJPwG48= ------END CERTIFICATE REQUEST----- diff --git a/ssltools/keys/server3.key b/ssltools/keys/server3.key deleted file mode 100644 index 7a95892..0000000 --- a/ssltools/keys/server3.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAyiyj24Xp9w3trMbzGyR0gQpGDMhIdJHU1AwW8EskMtNs1eCw -5CYZZM20mm7kvkWXMFdgwjFqKJjjnZuO/HUcYcJcmfJI91srEepThTGrNYiYTKnf -JopWTALSRW5E8F7P4pDby261jzQNCAlaOfWdXUagAOd8Tx7Dk5CNxY7M0Z4kuWt5 -x3AI1gFG0tb/heZrS1NSQ2RS4+BH/z9WY+f9l2QgchkieKZ+RFf5wsrvbkfaJy5k -GirPP2+OxwDf8zMIiee1SDaHRr8cb1b2xM7hbZyvWVDECfrHjf7lXWXMP0V6lxk3 -Z5Hi7Piaog7FBJ0AB6Sg33jayt2Ett4p+2VsoQIDAQABAoIBAQDFXwcojHd4hNR/ -VEqJOPGz+D+iwvRZOPU5fgP22qSgKd+afRyz3q3zxw6FpbUSPAX5X5RKgMtOjtPH -TdItjHcEySZ19B5fvVUyzDx1T6QBQzTLwxrjGTJeSnLU7W3H7Aeu/BRXaeE9yGbg -baDz7GCQax5RQ6wL4dC1Au4k69/w0mJpcKxTPlyF+7/PZIPGLV4uS0G88t6EjOQq -xoGYRtT5VwuVO2AGZaCjanbF/b6c3Vr2uuSmd/cItuclbltcVxs4OU7L4vY732XR -VK5X7/0Jy2/7OgHFHx4DnTrzG/QUQyOZ/SkeWv5rr/RVgjSE9y0AEdOmMw4lsRdv -b3pZG6xxAoGBAOfAyL/gTqgv6rlPG7SLtGatgPRbUyeho15bk0v1Zp3tfD7mqeH2 -IMwXblENag7uZ5mDwQoOk5mSWwHMtJbTsYio1YuTAsmK57mveCS6T5QuDO6GE2Aw -K4Vpi7Hx0LCUvxSklBMxDpaYIogqBYmLCgV6FgsmwzjQ1iVfo0VjvwJbAoGBAN9T -oLPWWKz9wyzxnuMoei7jFex+hxR4TiGUAimEq6t+pOmT/ERcJtJ8QMwoY2dATeMv -UccQ3q6XVnW4m4HZmiYkTkwxnjKrxAuA2USeS0wvUIa/k+Sha6F1DeECVoQIq2b/ -yQGYl1E79HcuuRZQid0v0gPaEbEtrhN1e925UQWzAoGAED3pk9DzkkPxblVF+sxD -s2J7hCSWWlOwsF84nn0vWOgY6gueYlCukb8eox2OjkdVCWQ7din5XCzupdyj12I0 -sgArHyIJcviCLvhGMkTAaQElNN4+o2Ic2re/65On7YgvMBIssn+gpxs4aFSRmMce -x617uAJacjPonivqtGU+MLsCgYEAvaHERpCO0a3U6jftA9ReE6wt9Jfn2aDiLy7/ -uwN1xfSO0ewf/GgHaxmo5/KvnYAD4xJOLWuMutG0z9dG7La6ZwLTHW3QeBRULrRl -SRfktjdC+Hh6e1v6Capcc6DJl+nIqXgu1VUdwBPZ3M3myiTvO8scWLr15O31734G -BNsUCnMCgYB9qQP0CrvA2EnNzu7KrC9a73dzpTF61faqycdc0fpVJ0a/HYUMY0nj -RCcykFFyUc/SKiBszSQ4/qjmN/3QEd60iamVVyqRlhUKwVq7i4PTnU/TQ6AErSwr -uisU8Gtw8F3FtiwJ6ww6flNvPu/oLWRtzWeRZjLK5pfybY74qqknvQ== ------END RSA PRIVATE KEY----- diff --git a/ssltools/keys/server4.crt b/ssltools/keys/server4.crt deleted file mode 100644 index e69de29..0000000 --- a/ssltools/keys/server4.crt +++ /dev/null diff --git a/ssltools/keys/server4.csr b/ssltools/keys/server4.csr deleted file mode 100644 index 6ec80ed..0000000 --- a/ssltools/keys/server4.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICqjCCAZICAQAwZTELMAkGA1UEBhMCQVQxCzAJBgNVBAgTAk5BMRAwDgYDVQQH -EwdCSVNIS0VLMRQwEgYDVQQKEwtBTllUVU4tVEVTVDEhMB8GCSqGSIb3DQEJARYS -bWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAqmTK2Os0JYsNKnmbgtXOSDqIrcJa15UrJ4lWS/5k+Ub5jkzbYD6NX1DwmKXc -4w50/HOklL+jex+drLvUlPEStpcDy+MIKhOpY+v2jSidGEApStZUEZLpRHgE0s95 -gx4R9FhR/8vbjJfnjC58F/ZmWJN9XYEsImggMnLVL328SSlseTHcvh5lrtbFX/w1 -kWtcUjjLOq4UdEsTxiu0/MCU44xcLy9818u1iC2VlTKSUTUaMNS3tFitNnN8qkbG -gLB5YjmNm4X7jqIWrFqFGDxJquatRCECTuaWW314eZA6rap85S2Wp0yMO80DgheD -X9mR3S5Bzj2lHMFdpxcpuEdTzQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAAkK -42VWAAHM3lEqqOJUlx5sfHh3t1H+1lE6cVyFcoSu5hdazb9w+0tstlCsvYPQ8aIw -5T88DO5UyIvZuptM883sQFUONRjr45x5+xW+fGPuLS0nBfSnWEF02OBYq9C7n5+Y -l/aPLT9ft7O+Z89Lv9yDPTcx/cxpALFrHRtUAw9tqfMiuAr+NGu7dTeA421aFcB9 -b6aagWAZBx6TN+b0snxfJmPNun+HhoR2vT6yoxE8tEAeRdYTASaZpR7HBUgquYrJ -EyFlfRRynGYKGOO300FqT8Jzxu7OJcqKQVdKLIyVDyn4F2NHiOuRVElZQVkVf5CN -a+mNb4V8Z9WDCb6ueeI= ------END CERTIFICATE REQUEST----- diff --git a/ssltools/keys/server4.key b/ssltools/keys/server4.key deleted file mode 100644 index 8f5e2bc..0000000 --- a/ssltools/keys/server4.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAqmTK2Os0JYsNKnmbgtXOSDqIrcJa15UrJ4lWS/5k+Ub5jkzb -YD6NX1DwmKXc4w50/HOklL+jex+drLvUlPEStpcDy+MIKhOpY+v2jSidGEApStZU -EZLpRHgE0s95gx4R9FhR/8vbjJfnjC58F/ZmWJN9XYEsImggMnLVL328SSlseTHc -vh5lrtbFX/w1kWtcUjjLOq4UdEsTxiu0/MCU44xcLy9818u1iC2VlTKSUTUaMNS3 -tFitNnN8qkbGgLB5YjmNm4X7jqIWrFqFGDxJquatRCECTuaWW314eZA6rap85S2W -p0yMO80DgheDX9mR3S5Bzj2lHMFdpxcpuEdTzQIDAQABAoIBAAkJl4ix0O481dHu -6USjOnGySRWOPWs5yjQqoJ0fPRPLo+jcQrZ0GuN3U4uFIJYaajIJoC0TjQQ2xRIo -VDoiHy/4CoeB3yj8KfvWxBjwkoR6wrXpcEQOWrj69KaJwpQlwCYJmS/MDDUEyY8x -1/sdYohIKloPQ9v/UdXbKVt/e8EVjzd++Lls+2Cn5/dH61BcJsIHgzhA9cXSr8i3 -K8gD9T2drO5EOjf59g5HHIX5glotSLJoT+KLCUX3VhH/lz/OqBT1xVwz8t1eNT1G -0pEHPHAbGbTbbHdjB7B3DsOmHJLUWu+RapyJluCmd+2WJGJ2Ohe6FuTD72TNYPOs -6vicjgECgYEA0d9BO6vZ7Ch0/xjbD+VzYtWoLwMkCzeK5apRCk5qPGE+prLcLBAz -3TuK2E/gaqeKHuanLhvSsIk45i1drAf8XLFrFHKZrNJF8hAYuhryJOf8ZbaPkx91 -YJxQfbKvoZpzxdGz1jf3QCEo9ITaplbV6T6s6SbBEpXl/6YtcljHoiECgYEAz9g7 -cG87k+rj8CtyQ2eprZ2vvrOMicTRcVHXY76PHAB38Uq/sIHDAA02av/xNdOG1G0o -8yTUETlo1gV6iip/GAFjXZ4S97v8gNsAHE7COpwQJfkCwSta45fK7/jktLKE8kts -CjvDz+qF97ZiIaFrm87OCqv94uVdJyHE/fZdVC0CgYEAwqKlEdz3tr9yeZ4okx59 -mzyAxFDKXai+JO6GR+OfPK4G93xLGoZQQy1UP/YcL21/d9b7VpSxGc25Oib6h2/E -iIZ1wzng8Vj1S1/IPth8luOavQ3JK21yYw20zE4p+dqO4ffwK4wtvojCPbr0OG2x -5qWcoIGzbzQbYLNR1IknY2ECgYEAoDt3N2rJZ3OCXjlgUY6tROd4AXCyO9O8E7yg -bIkQEupZjW+u8AhZqMSG216NOo3kOAgftbMCunSj2btHiRTR/lOzowymWs5WD5DG -OQyOuFhwKpYaBYnC/AqdrPsYdiXaUGDM3ebNQpDuztWQOZUUPH3mYlvN0wo4El76 -Wz9/G9ECgYA/kXdXp5M3OjtKxg3fYx7fKVbfmYv+jfLURVwwiM1bwRufCEIqz91P -+lPb7QKSZufOYKl/TaUhbpmEq2m+//hoDaARTebUGe6lHnovSvkDryUG4wl+b5p0 -teGRlNahYUzTsiWTQCDo4FZPvpcaVANJJZZXzIONfDPdT5oj05c5Qg== ------END RSA PRIVATE KEY----- diff --git a/ssltools/openssl.cnf b/ssltools/openssl.cnf deleted file mode 100644 index 270b069..0000000 --- a/ssltools/openssl.cnf +++ /dev/null @@ -1,255 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = $ENV::KEY_DIR # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir # default place for new certs. - -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 3650 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = $ENV::KEY_SIZE -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = nombstr - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = $ENV::KEY_COUNTRY -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = $ENV::KEY_PROVINCE - -localityName = Locality Name (eg, city) -localityName_default = $ENV::KEY_CITY - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = $ENV::KEY_ORG - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_default = $ENV::KEY_EMAIL -emailAddress_max = 40 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ server ] - -# JY ADDED -- Make a cert with nsCertType set to "server" -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always diff --git a/ssltools/vars b/ssltools/vars deleted file mode 100755 index ed16f9d..0000000 --- a/ssltools/vars +++ /dev/null @@ -1,49 +0,0 @@ -# easy-rsa parameter settings - -# NOTE: If you installed from an RPM, -# don't edit this file in place in -# /usr/share/openvpn/easy-rsa -- -# instead, you should copy the whole -# easy-rsa directory to another location -# (such as /etc/openvpn) so that your -# edits will not be wiped out by a future -# OpenVPN package upgrade. - -# This variable should point to -# the top level of the easy-rsa -# tree. -export D=`pwd` - -# This variable should point to -# the openssl.cnf file included -# with easy-rsa. -export KEY_CONFIG=$D/openssl.cnf - -# Edit this variable to point to -# your soon-to-be-created key -# directory. -# -# WARNING: clean-all will do -# a rm -rf on this directory -# so make sure you define -# it correctly! -export KEY_DIR=$D/keys - -# Issue rm -rf warning -echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR - -# Increase this to 2048 if you -# are paranoid. This will slow -# down TLS negotiation performance -# as well as the one-time DH parms -# generation process. -export KEY_SIZE=2048 - -# These are the default values for fields -# which will be placed in the certificate. -# Don't leave any of these fields blank. -export KEY_COUNTRY=AT -export KEY_PROVINCE=NA -export KEY_CITY=BISHKEK -export KEY_ORG="ANYTUN-TEST" -export KEY_EMAIL="me@myhost.mydomain" |