From 58ff485edbe4bb93ebc922d14df24247846132b6 Mon Sep 17 00:00:00 2001 
From: Othmar Gsenger Date: Mon, 3 Dec 2007 09:42:38 +0000 Subject: added ssl tools --- ssltools/build-all.sh | 8 + ssltools/easy-rsa/.externals | 1 + ssltools/easy-rsa/2.0/Makefile | 13 ++ ssltools/easy-rsa/2.0/README.gz | Bin 0 -> 3578 bytes ssltools/easy-rsa/2.0/build-ca | 8 + ssltools/easy-rsa/2.0/build-dh | 11 + ssltools/easy-rsa/2.0/build-inter | 7 + ssltools/easy-rsa/2.0/build-key | 7 + ssltools/easy-rsa/2.0/build-key-pass | 7 + ssltools/easy-rsa/2.0/build-key-pkcs12 | 8 + ssltools/easy-rsa/2.0/build-key-server | 10 + ssltools/easy-rsa/2.0/build-req | 7 + ssltools/easy-rsa/2.0/build-req-pass | 7 + ssltools/easy-rsa/2.0/clean-all | 16 ++ ssltools/easy-rsa/2.0/inherit-inter | 39 ++++ ssltools/easy-rsa/2.0/list-crl | 13 ++ ssltools/easy-rsa/2.0/openssl-0.9.6.cnf.gz | Bin 0 -> 2994 bytes ssltools/easy-rsa/2.0/openssl.cnf | 285 +++++++++++++++++++++++ ssltools/easy-rsa/2.0/pkitool | 353 +++++++++++++++++++++++++++++ ssltools/easy-rsa/2.0/revoke-full | 39 ++++ ssltools/easy-rsa/2.0/sign-req | 7 + ssltools/easy-rsa/2.0/vars | 64 ++++++ ssltools/easy-rsa/2.0/whichopensslcnf | 13 ++ ssltools/easy-rsa/README.gz | Bin 0 -> 2619 bytes ssltools/easy-rsa/build-ca | 13 ++ ssltools/easy-rsa/build-dh | 12 + ssltools/easy-rsa/build-inter | 19 ++ ssltools/easy-rsa/build-key | 20 ++ ssltools/easy-rsa/build-key-pass | 20 ++ ssltools/easy-rsa/build-key-pkcs12 | 21 ++ ssltools/easy-rsa/build-key-server | 22 ++ ssltools/easy-rsa/build-req | 18 ++ ssltools/easy-rsa/build-req-pass | 18 ++ ssltools/easy-rsa/clean-all | 19 ++ ssltools/easy-rsa/list-crl | 18 ++ ssltools/easy-rsa/make-crl | 18 ++ ssltools/easy-rsa/revoke-crt | 18 ++ ssltools/easy-rsa/revoke-full | 29 +++ ssltools/easy-rsa/sign-req | 18 ++ ssltools/keys/ca.crt | 24 ++ ssltools/keys/ca.key | 27 +++ ssltools/keys/index.txt | 0 ssltools/keys/serial | 1 + ssltools/keys/server1.crt | 0 ssltools/keys/server1.csr | 17 ++ ssltools/keys/server1.key | 27 +++ ssltools/keys/server2.crt | 0 ssltools/keys/server2.csr | 17 ++ 
ssltools/keys/server2.key | 27 +++ ssltools/keys/server3.crt | 0 ssltools/keys/server3.csr | 17 ++ ssltools/keys/server3.key | 27 +++ ssltools/keys/server4.crt | 0 ssltools/keys/server4.csr | 17 ++ ssltools/keys/server4.key | 27 +++ ssltools/openssl.cnf | 255 +++++++++++++++++++++ ssltools/vars | 49 ++++ 57 files changed, 1738 insertions(+) create mode 100755 ssltools/build-all.sh create mode 100644 ssltools/easy-rsa/.externals create mode 100644 ssltools/easy-rsa/2.0/Makefile create mode 100644 ssltools/easy-rsa/2.0/README.gz create mode 100755 ssltools/easy-rsa/2.0/build-ca create mode 100755 ssltools/easy-rsa/2.0/build-dh create mode 100755 ssltools/easy-rsa/2.0/build-inter create mode 100755 ssltools/easy-rsa/2.0/build-key create mode 100755 ssltools/easy-rsa/2.0/build-key-pass create mode 100755 ssltools/easy-rsa/2.0/build-key-pkcs12 create mode 100755 ssltools/easy-rsa/2.0/build-key-server create mode 100755 ssltools/easy-rsa/2.0/build-req create mode 100755 ssltools/easy-rsa/2.0/build-req-pass create mode 100755 ssltools/easy-rsa/2.0/clean-all create mode 100755 ssltools/easy-rsa/2.0/inherit-inter create mode 100755 ssltools/easy-rsa/2.0/list-crl create mode 100644 ssltools/easy-rsa/2.0/openssl-0.9.6.cnf.gz create mode 100755 ssltools/easy-rsa/2.0/openssl.cnf create mode 100755 ssltools/easy-rsa/2.0/pkitool create mode 100755 ssltools/easy-rsa/2.0/revoke-full create mode 100755 ssltools/easy-rsa/2.0/sign-req create mode 100755 ssltools/easy-rsa/2.0/vars create mode 100755 ssltools/easy-rsa/2.0/whichopensslcnf create mode 100644 ssltools/easy-rsa/README.gz create mode 100755 ssltools/easy-rsa/build-ca create mode 100755 ssltools/easy-rsa/build-dh create mode 100755 ssltools/easy-rsa/build-inter create mode 100755 ssltools/easy-rsa/build-key create mode 100755 ssltools/easy-rsa/build-key-pass create mode 100755 ssltools/easy-rsa/build-key-pkcs12 create mode 100755 ssltools/easy-rsa/build-key-server create mode 100755 ssltools/easy-rsa/build-req create mode 
100755 ssltools/easy-rsa/build-req-pass create mode 100755 ssltools/easy-rsa/clean-all create mode 100644 ssltools/easy-rsa/list-crl create mode 100644 ssltools/easy-rsa/make-crl create mode 100644 ssltools/easy-rsa/revoke-crt create mode 100755 ssltools/easy-rsa/revoke-full create mode 100755 ssltools/easy-rsa/sign-req create mode 100644 ssltools/keys/ca.crt create mode 100644 ssltools/keys/ca.key create mode 100644 ssltools/keys/index.txt create mode 100644 ssltools/keys/serial create mode 100644 ssltools/keys/server1.crt create mode 100644 ssltools/keys/server1.csr create mode 100644 ssltools/keys/server1.key create mode 100644 ssltools/keys/server2.crt create mode 100644 ssltools/keys/server2.csr create mode 100644 ssltools/keys/server2.key create mode 100644 ssltools/keys/server3.crt create mode 100644 ssltools/keys/server3.csr create mode 100644 ssltools/keys/server3.key create mode 100644 ssltools/keys/server4.crt create mode 100644 ssltools/keys/server4.csr create mode 100644 ssltools/keys/server4.key create mode 100644 ssltools/openssl.cnf create mode 100755 ssltools/vars (limited to 'ssltools')
diff --git a/ssltools/build-all.sh b/ssltools/build-all.sh
new file mode 100755
index 0000000..c052739
--- /dev/null
+++ b/ssltools/build-all.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+. ./vars
+./easy-rsa/clean-all
+./easy-rsa/build-ca
+./easy-rsa/build-key server1
+./easy-rsa/build-key server2
+./easy-rsa/build-key server3
+./easy-rsa/build-key server4
diff --git a/ssltools/easy-rsa/.externals b/ssltools/easy-rsa/.externals
new file mode 100644
index 0000000..3712eb8
--- /dev/null
+++ b/ssltools/easy-rsa/.externals
@@ -0,0 +1 @@
+./2.0 http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0
diff --git a/ssltools/easy-rsa/2.0/Makefile b/ssltools/easy-rsa/2.0/Makefile
new file mode 100644
index 0000000..902d78f
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/Makefile
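Review bot: build-all.sh has no `set -e`, so when `. ./vars` or `./easy-rsa/build-ca` fails the four `build-key` calls still run and the script exits 0; add `set -e` directly under `#!/bin/sh` so the chain stops at the first failure. The diffstat of this commit also lists ssltools/keys/ca.key and server1–server4.key as added files; if those are this script's output, the CA private key is now in the repository history and should be treated as compromised — regenerate the PKI and keep the keys directory out of version control. Where the keys land depends on ssltools/vars, which is outside this view.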
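Review bot: The external is fetched from `http://svn.openvpn.net/...` over plain HTTP, so the scripts that will generate and sign this PKI's keys are pulled with no transport integrity or origin check. Pin the external to a specific revision and use an authenticated transport (`https://` or `svn+ssh://`) if the server offers one, or drop the external altogether — the same 2.0 directory is committed verbatim in this patch, so the live reference looks redundant.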
@@ -0,0 +1,13 @@
+
+DESTDIR=
+PREFIX=
+
+all:
+ echo "All done."
+ echo "Run make install DESTDIR=/usr/share/somewhere"
+
+install:
+ install -c --directory "${DESTDIR}/${PREFIX}"
+ install -c --mode=0755 build-* "${DESTDIR}/${PREFIX}"
+ install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
+ install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}"
diff --git a/ssltools/easy-rsa/2.0/README.gz b/ssltools/easy-rsa/2.0/README.gz
new file mode 100644
index 0000000..116d85b
Binary files /dev/null and b/ssltools/easy-rsa/2.0/README.gz differ
diff --git a/ssltools/easy-rsa/2.0/build-ca b/ssltools/easy-rsa/2.0/build-ca
new file mode 100755
index 0000000..fb1e2ca
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-ca
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+#
+# Build a root certificate
+#
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*
diff --git a/ssltools/easy-rsa/2.0/build-dh b/ssltools/easy-rsa/2.0/build-dh
new file mode 100755
index 0000000..f019222
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-dh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+ $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/ssltools/easy-rsa/2.0/build-inter b/ssltools/easy-rsa/2.0/build-inter
new file mode 100755
index 0000000..f831d6f
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-inter
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*
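Review bot: The `install` target copies `openssl-0.9.6.cnf` and `README`, but the files this commit adds are `openssl-0.9.6.cnf.gz` and `README.gz` (see the diffstat), so `make install` fails on the last `install -c --mode=0644 ...` line unless the archives are unpacked first. Either commit the uncompressed files or have the target gunzip them before that line; as written the target cannot succeed from a fresh checkout. `install -c --directory` and `--mode=` are GNU coreutils spellings (BSD install wants `-d` and `-m`), which is worth a comment if the Makefile is meant to be portable.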
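Review bot: `$*` on the last line re-splits the arguments before they reach pkitool, so a common name containing whitespace (`./build-ca "Example CA"`) arrives as two words and pkitool's `[ $# -ne 1 ]` check or its file names misbehave; use `"$EASY_RSA/pkitool" --interact --initca "$@"`. The same `$*` is used in build-inter, build-key, build-key-pass, build-key-pkcs12, build-key-server, build-req, build-req-pass and sign-req in this patch and should be changed the same way.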
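Review bot: The guard `[ -d $KEY_DIR ] && [ $KEY_SIZE ]` is unquoted: with KEY_DIR unset, `[ -d ]` is a one-argument test and evaluates true, and a KEY_DIR containing whitespace breaks both the test and the `-out ${KEY_DIR}/dh${KEY_SIZE}.pem` path. Write `if [ -d "$KEY_DIR" ] && [ -n "$KEY_SIZE" ]; then` and quote the output path as `"${KEY_DIR}/dh${KEY_SIZE}.pem"`. `$OPENSSL` is not checked at all; if vars was not sourced but KEY_DIR/KEY_SIZE happen to be set, the line tries to execute `dhparam` as a command, so including `-n "$OPENSSL"` in the condition (or `${OPENSSL:-openssl}`) would make the error message cover that case too.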
diff --git a/ssltools/easy-rsa/2.0/build-key b/ssltools/easy-rsa/2.0/build-key
new file mode 100755
index 0000000..6196308
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-key
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*
diff --git a/ssltools/easy-rsa/2.0/build-key-pass b/ssltools/easy-rsa/2.0/build-key-pass
new file mode 100755
index 0000000..35543e0
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-key-pass
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Similar to build-key, but protect the private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*
diff --git a/ssltools/easy-rsa/2.0/build-key-pkcs12 b/ssltools/easy-rsa/2.0/build-key-pkcs12
new file mode 100755
index 0000000..5ef064f
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-key-pkcs12
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*
diff --git a/ssltools/easy-rsa/2.0/build-key-server b/ssltools/easy-rsa/2.0/build-key-server
new file mode 100755
index 0000000..5502675
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-key-server
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*
diff --git a/ssltools/easy-rsa/2.0/build-req b/ssltools/easy-rsa/2.0/build-req
new file mode 100755
index 0000000..26587d1
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-req
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Build a certificate signing request and private key. Use this
+# when your root certificate and key is not available locally.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*
diff --git a/ssltools/easy-rsa/2.0/build-req-pass b/ssltools/easy-rsa/2.0/build-req-pass
new file mode 100755
index 0000000..6e6c863
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/build-req-pass
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Like build-req, but protect your private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*
diff --git a/ssltools/easy-rsa/2.0/clean-all b/ssltools/easy-rsa/2.0/clean-all
new file mode 100755
index 0000000..0576db5
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/clean-all
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+
+if [ "$KEY_DIR" ]; then
+ rm -rf "$KEY_DIR"
+ mkdir "$KEY_DIR" && \
+ chmod go-rwx "$KEY_DIR" && \
+ touch "$KEY_DIR/index.txt" && \
+ echo 01 >"$KEY_DIR/serial"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/ssltools/easy-rsa/2.0/inherit-inter b/ssltools/easy-rsa/2.0/inherit-inter
new file mode 100755
index 0000000..2101951
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/inherit-inter
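Review bot: `mkdir "$KEY_DIR"` creates the key directory with the caller's umask (typically 0755) and only afterwards tightens it with `chmod go-rwx`, so the directory that will hold ca.key is briefly world-searchable; create it restricted from the start with `mkdir -m 0700 "$KEY_DIR" && \` and the chmod becomes redundant. The only thing standing between a mis-edited vars and `rm -rf` is the non-empty test on `$KEY_DIR`; a one-line refusal of obviously wrong values, e.g. `case "$KEY_DIR" in /|"$HOME"|.) exit 1;; esac`, is cheap insurance. A trailing `echo 01 >"$KEY_DIR/serial"` that fails (read-only location) leaves the PKI half-initialised with exit status from the last `&&` chain, which the caller build-all.sh does not check.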
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent. This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+
+if [ $# -ne 2 ]; then
+ echo "usage: $0 "
+ echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+ echo "common-name: the common name of the intermediate certificate in the parent PKI"
+ exit 1;
+fi
+
+if [ "$KEY_DIR" ]; then
+ cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+ cp "$1/$2.key" "$KEY_DIR/ca.key"
+
+ if [ -e "$1/$EXPORT_CA" ]; then
+ PARENT_CA="$1/$EXPORT_CA"
+ else
+ PARENT_CA="$1/ca.crt"
+ fi
+ cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+ cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/ssltools/easy-rsa/2.0/list-crl b/ssltools/easy-rsa/2.0/list-crl
new file mode 100755
index 0000000..afc0cd6
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/list-crl
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# list revoked certificates
+
+CRL="${1:-crl.pem}"
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR" && \
+ $OPENSSL crl -text -noout -in "$CRL"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
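Review bot: The two `cp` calls that import `$1/$2.crt` and `$1/$2.key` are unchecked, so a wrong parent directory or common name does not stop the script: `cp "$PARENT_CA" ...` and the final `cat ... >> "$KEY_DIR/$EXPORT_CA"` still run and can leave an export-ca.crt with no intermediate in it. Chain the copies with `&&` or add `set -e` under the shebang so the first missing file aborts. The usage line `echo "usage: $0 "` appears to have lost its two placeholders — presumably `<parent-key-dir> <common-name>` was stripped as markup somewhere — which is worth confirming against the committed file. The imported `ca.key` inherits whatever mode the parent PKI gave it; an explicit `chmod 0600 "$KEY_DIR/ca.key"` after the copy makes the new PKI's key permissions independent of the parent's.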
diff --git a/ssltools/easy-rsa/2.0/openssl-0.9.6.cnf.gz b/ssltools/easy-rsa/2.0/openssl-0.9.6.cnf.gz
new file mode 100644
index 0000000..d2afde0
Binary files /dev/null and b/ssltools/easy-rsa/2.0/openssl-0.9.6.cnf.gz differ
diff --git a/ssltools/easy-rsa/2.0/openssl.cnf b/ssltools/easy-rsa/2.0/openssl.cnf
new file mode 100755
index 0000000..a781dda
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/openssl.cnf
@@ -0,0 +1,285 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +openssl_conf = openssl_init + +[ openssl_init ] +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids +engines = engine_section + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = md5 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ engine_section ] +# +# If you are using PKCS#11 +# Install engine_pkcs11 of opensc (www.opensc.org) +# And uncomment the following +# verify that dynamic_path points to the correct location +# +#pkcs11 = pkcs11_section + +[ pkcs11_section ] +engine_id = pkcs11 +dynamic_path = /usr/lib/engines/engine_pkcs11.so +MODULE_PATH = $ENV::PKCS11_MODULE_PATH +PIN = $ENV::PKCS11_PIN +init = 0 + diff --git a/ssltools/easy-rsa/2.0/pkitool b/ssltools/easy-rsa/2.0/pkitool new file mode 100755 index 0000000..5f95162 --- /dev/null +++ b/ssltools/easy-rsa/2.0/pkitool 
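Review bot: `default_md = md5` in `[ CA_default ]` is the digest every `openssl ca` run falls back to when no `-md` is given; pkitool passes `-md sha1` when it signs certificates, but revoke-full in this same patch runs `openssl ca -gencrl` without one, so CRLs come out MD5-signed. Set `default_md = sha256` (or at least `sha1` if the 0.9.6 config shipped alongside must stay in step) so the fallback is not a broken hash. In `[ v3_ca ]` the `keyUsage = cRLSign, keyCertSign` line is left commented and `basicConstraints = CA:true` is non-critical, both for compatibility per the surrounding comments; a one-line note naming which clients actually needed that would let a later maintainer re-enable them, since as it stands nothing in the CA certificate restricts its key to signing.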
@@ -0,0 +1,353 @@
+#!/bin/sh
+
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single TCP/UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2005 OpenVPN Solutions LLC
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program (see the file COPYING included with this
+# distribution); if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# pkitool is a front-end for the openssl tool.
+
+# Calling scripts can set the certificate organizational
+# unit with the KEY_OU environmental variable.
+
+PROGNAME=pkitool
+VERSION=2.0
+DEBUG=0
+
+die()
+{
+ local m="$1"
+
+ echo "$m" >&2
+ exit 1
+}
+
+need_vars()
+{
+ echo ' Please edit the vars script to reflect your configuration,'
+ echo ' then source it with "source ./vars".'
+ echo ' Next, to start with a fresh PKI configuration and to delete any'
+ echo ' previous certificates and keys, run "./clean-all".'
+ echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
+}
+
+usage()
+{
+ echo "$PROGNAME $VERSION"
+ echo "Usage: $PROGNAME [options...] [common-name]"
+ echo "Options:"
+ echo " --batch : batch mode (default)"
+ echo " --keysize : Set keysize"
+ echo " size : size (default=1024)"
+ echo " --interact : interactive mode"
+ echo " --server : build server cert"
+ echo " --initca : build root CA"
+ echo " --inter : build intermediate CA"
+ echo " --pass : encrypt private key with password"
+ echo " --csr : only generate a CSR, do not sign"
+ echo " --sign : sign an existing CSR"
+ echo " --pkcs12 : generate a combined PKCS#12 file"
+ echo " --pkcs11 : generate certificate on PKCS#11 token"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " id : PKCS#11 object id (hex string)"
+ echo " label : PKCS#11 object label"
+ echo "Standalone options:"
+ echo " --pkcs11-slots : list PKCS#11 slots"
+ echo " lib : PKCS#11 library"
+ echo " --pkcs11-objects : list PKCS#11 token objects"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " label : PKCS#11 token label"
+ echo "Notes:"
+ need_vars
+ echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
+ echo "Generated files and corresponding OpenVPN directives:"
+ echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
+ echo " ca.crt -> root certificate (--ca)"
+ echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
+ echo " .crt files -> client/server certificates (--cert)"
+ echo " .key files -> private keys, keep secure (--key)"
+ echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
+ echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
+ echo "Examples:"
+ echo " $PROGNAME --initca -> Build root certificate"
+ echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
+ echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
+ echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
+ echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
+ echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
+ echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
+ echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
+ echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
+ echo " Also see ./inherit-inter script."
+ echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
+ echo " -> Build \"client5\" certificate/key in PKCS#11 token"
+ echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
+ echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
+ echo " [edit vars with your site-specific info]"
+ echo " source ./vars"
+ echo " ./clean-all"
+ echo " ./build-dh -> takes a long time, consider backgrounding"
+ echo " ./$PROGNAME --initca"
+ echo " ./$PROGNAME --server myserver"
+ echo " ./$PROGNAME client1"
+ echo " ./$PROGNAME --pass client2"
+ echo "Typical usage for adding client cert to existing PKI:"
+ echo " source ./vars"
+ echo " ./$PROGNAME client-new"
+}
+
+# Set defaults
+DO_REQ="1"
+REQ_EXT=""
+DO_CA="1"
+CA_EXT=""
+DO_P12="0"
+DO_P11="0"
+DO_ROOT="0"
+NODES_REQ="-nodes"
+NODES_P12=""
+BATCH="-batch"
+CA="ca"
+# must be set or errors of openssl.cnf
+PKCS11_MODULE_PATH="dummy"
+PKCS11_PIN="dummy"
+
+# Process options
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --keysize ) KEY_SIZE=$2
+ shift;;
+ --server ) REQ_EXT="$REQ_EXT -extensions server"
+ CA_EXT="$CA_EXT -extensions server" ;;
+ --batch ) BATCH="-batch" ;;
+ --interact ) BATCH="" ;;
+ --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
+ --initca ) DO_ROOT="1" ;;
+ --pass ) NODES_REQ="" ;;
+ --csr ) DO_CA="0" ;;
+ --sign ) DO_REQ="0" ;;
+ --pkcs12 ) DO_P12="1" ;;
+ --pkcs11 ) DO_P11="1"
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ PKCS11_ID="$4"
+ PKCS11_LABEL="$5"
+ shift 4;;
+
+ # standalone
+ --pkcs11-init)
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ PKCS11_LABEL="$4"
+ if [ -z "$PKCS11_LABEL" ]; then
+ die "Please specify library name, slot and label"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+ --label "$PKCS11_LABEL" &&
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+ exit $?;;
+ --pkcs11-slots)
+ PKCS11_MODULE_PATH="$2"
+ if [ -z "$PKCS11_MODULE_PATH" ]; then
+ die "Please specify library name"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+ exit 0;;
+ --pkcs11-objects)
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ if [ -z "$PKCS11_SLOT" ]; then
+ die "Please specify library name and slot"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+ exit 0;;
+
+ # errors
+ --* ) die "$PROGNAME: unknown option: $1" ;;
+ * ) break ;;
+ esac
+ shift
+done
+
+if ! [ -z "$BATCH" ]; then
+ if $OPENSSL version | grep 0.9.6 > /dev/null; then
+ die "Batch mode is unsupported in openssl<0.9.7"
+ fi
+fi
+
+if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
+ die "PKCS#11 and PKCS#12 cannot be specified together"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+ if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
+ die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
+ fi
+fi
+
+# If we are generating pkcs12, only encrypt the final step
+if [ $DO_P12 -eq 1 ]; then
+ NODES_P12="$NODES_REQ"
+ NODES_REQ="-nodes"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+ if [ -z "$PKCS11_LABEL" ]; then
+ die "PKCS#11 arguments incomplete"
+ fi
+fi
+
+# If undefined, set default key expiration intervals
+if [ -z "$KEY_EXPIRE" ]; then
+ KEY_EXPIRE=3650
+fi
+if [ -z "$CA_EXPIRE" ]; then
+ CA_EXPIRE=3650
+fi
+
+# Set organizational unit to empty string if undefined
+if [ -z "$KEY_OU" ]; then
+ KEY_OU=""
+fi
+
+# Set KEY_CN
+if [ $DO_ROOT -eq 1 ]; then
+ if [ -z "$KEY_CN" ]; then
+ if [ "$1" ]; then
+ KEY_CN="$1"
+ elif [ "$KEY_ORG" ]; then
+ KEY_CN="$KEY_ORG CA"
+ fi
+ fi
+ if [ $BATCH ] && [ "$KEY_CN" ]; then
+ echo "Using CA Common Name:" $KEY_CN
+ fi
+elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
+ echo "Using Common Name:" $KEY_CN
+else
+ if [ $# -ne 1 ]; then
+ usage
+ exit 1
+ else
+ KEY_CN="$1"
+ fi
+fi
+
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
+
+# Show parameters (debugging)
+if [ $DEBUG -eq 1 ]; then
+ echo DO_REQ $DO_REQ
+ echo REQ_EXT $REQ_EXT
+ echo DO_CA $DO_CA
+ echo CA_EXT $CA_EXT
+ echo NODES_REQ $NODES_REQ
+ echo NODES_P12 $NODES_P12
+ echo DO_P12 $DO_P12
+ echo KEY_CN $KEY_CN
+ echo BATCH $BATCH
+ echo DO_ROOT $DO_ROOT
+ echo KEY_EXPIRE $KEY_EXPIRE
+ echo CA_EXPIRE $CA_EXPIRE
+ echo KEY_OU $KEY_OU
+ echo DO_P11 $DO_P11
+ echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
+ echo PKCS11_SLOT $PKCS11_SLOT
+ echo PKCS11_ID $PKCS11_ID
+ echo PKCS11_LABEL $PKCS11_LABEL
+fi
+
+# Make sure ./vars was sourced beforehand
+if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
+ cd "$KEY_DIR"
+
+ # Make sure $KEY_CONFIG points to the correct version
+ # of openssl.cnf
+ if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+ :
+ else
+ echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
+ echo "version of openssl.cnf: $KEY_CONFIG"
+ echo "The correct version should have a comment that says: easy-rsa version 2.x";
+ exit 1;
+ fi
+
+ # Build root CA
+ if [ $DO_ROOT -eq 1 ]; then
+ $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
+ chmod 0600 "$CA.key"
+ else
+ # Make sure CA key/cert is available
+ if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
+ if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
+ echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
+ echo "Try $PROGNAME --initca to build a root certificate/key."
+ exit 1
+ fi
+ fi
+
+ # Generate key for PKCS#11 token
+ PKCS11_ARGS=
+ if [ $DO_P11 -eq 1 ]; then
+ stty -echo
+ echo -n "User PIN: "
+ read -r PKCS11_PIN
+ stty echo
+ export PKCS11_PIN
+
+ echo "Generating key pair on PKCS#11 token..."
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+ --login --pin "$PKCS11_PIN" \
+ --key-type rsa:1024 \
+ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
+ PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
+ fi
+
+ # Build cert/key
+ ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+ -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
+ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
+ -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
+ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
+ -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
+ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \
+ ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
+
+ # Load certificate into PKCS#11 token
+ if [ $DO_P11 -eq 1 ]; then
+ $OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
+ --login --pin "$PKCS11_PIN" \
+ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
+ [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
+ fi
+
+ fi
+
+# Need definitions
+else
+ need_vars
+fi
diff --git a/ssltools/easy-rsa/2.0/revoke-full b/ssltools/easy-rsa/2.0/revoke-full
new file mode 100755
index 0000000..bf3e5fb
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/revoke-full
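Review bot: Private keys are written by `openssl req -keyout "$KEY_CN.key"` with the caller's umask and only tightened by the `chmod 0600` near the end of the `&&` chain, which is skipped entirely under `--csr` (`DO_CA -eq 0`) and otherwise runs only after the `ca` step succeeds, so a CSR-only key or a key whose signing failed stays at umask permissions — typically world-readable. Add `umask 077` right after `cd "$KEY_DIR"` so every key, CSR and .p12 is created restricted from the start and the chmod calls become belt-and-braces. The PKCS#11 branch hard-codes `--key-type rsa:1024` while `--keysize` only updates `$KEY_SIZE` for the software path; `--key-type rsa:$KEY_SIZE` makes both honour the option. The PIN is passed as `--pin "$PKCS11_PIN"` on the pkcs11-tool command line and is visible in `ps` for the duration of key generation; if the installed pkcs11-tool prompts for the PIN when `--login` is given without `--pin`, dropping the flag avoids that. Lastly, `[ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"` discards the test result, so `[ -e "$KEY_CN.crt.der" ] && rm "$KEY_CN.crt.der"` was presumably intended.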
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL="crl.pem"
+RT="revoke-test.pem"
+
+if [ $# -ne 1 ]; then
+ echo "usage: revoke-full ";
+ exit 1
+fi
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR"
+ rm -f "$RT"
+
+ # set defaults
+ export KEY_CN=""
+ export KEY_OU=""
+
+ # revoke key and generate a new CRL
+ $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+
+ # generate a new CRL -- try to be compatible with
+ # intermediate PKIs
+ $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+ if [ -e export-ca.crt ]; then
+ cat export-ca.crt "$CRL" >"$RT"
+ else
+ cat ca.crt "$CRL" >"$RT"
+ fi
+
+ # verify the revocation
+ $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/ssltools/easy-rsa/2.0/sign-req b/ssltools/easy-rsa/2.0/sign-req
new file mode 100755
index 0000000..38655d3
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/sign-req
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*
diff --git a/ssltools/easy-rsa/2.0/vars b/ssltools/easy-rsa/2.0/vars
new file mode 100755
index 0000000..a904547
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/vars
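Review bot: `cd "$KEY_DIR"` and `$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"` ignore their exit status, so a failed directory change runs the `rm -f` and the CRL regeneration in the caller's current directory, and a failed revocation still regenerates a CRL that does not list the certificate, after which the final verify step would presumably report it as still valid. Make both steps fatal: `cd "$KEY_DIR" || exit 1` and `$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" || exit 1`. The same unchecked sequence appears in ssltools/easy-rsa/revoke-full later in this diff.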
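Review bot: `"$EASY_RSA/pkitool" --interact --sign $*` forwards the caller's arguments unquoted, so a certificate name containing whitespace or glob characters is split or expanded before pkitool sees it; use `"$EASY_RSA/pkitool" --interact --sign "$@"`. The 1.x sign-req in this diff checks for exactly one argument, whereas this wrapper forwards any number, so a missing name is only caught if pkitool itself checks for it.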
@@ -0,0 +1,64 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# Increase this to 2048 if you
+# are paranoid. This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
diff --git a/ssltools/easy-rsa/2.0/whichopensslcnf b/ssltools/easy-rsa/2.0/whichopensslcnf
new file mode 100755
index 0000000..2260aa8
--- /dev/null
+++ b/ssltools/easy-rsa/2.0/whichopensslcnf
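Review bot: `export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`` leaves `$EASY_RSA` unquoted in both positions, and since it is taken from `pwd` a checkout path containing whitespace makes the helper call fail or resolve the wrong openssl.cnf; write it as `export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"` and likewise `export EASY_RSA="$(pwd)"`. The `KEY_SIZE=1024` default is weak by current guidance, and every key built through pkitool inherits it via `-newkey rsa:$KEY_SIZE` and openssl.cnf's `default_bits = $ENV::KEY_SIZE`; the comment presents 2048 as optional where it should be the floor.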
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "$OPENSSL" ]; then
+ if $OPENSSL version | grep 0.9.6 > /dev/null; then
+ echo "$1/openssl-0.9.6.cnf"
+ else
+ echo "$1/openssl.cnf"
+ fi
+else
+ echo "$1/openssl.cnf"
+fi
+
+exit 0
diff --git a/ssltools/easy-rsa/README.gz b/ssltools/easy-rsa/README.gz
new file mode 100644
index 0000000..70ce70f
Binary files /dev/null and b/ssltools/easy-rsa/README.gz differ
diff --git a/ssltools/easy-rsa/build-ca b/ssltools/easy-rsa/build-ca
new file mode 100755
index 0000000..5ad59cc
--- /dev/null
+++ b/ssltools/easy-rsa/build-ca
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
+ chmod 0600 ca.key
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/build-dh b/ssltools/easy-rsa/build-dh
new file mode 100755
index 0000000..6de4baf
--- /dev/null
+++ b/ssltools/easy-rsa/build-dh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+#
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+#
+
+if test $KEY_DIR; then
+ openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/build-inter b/ssltools/easy-rsa/build-inter
new file mode 100755
index 0000000..8b3a6b2
--- /dev/null
+++ b/ssltools/easy-rsa/build-inter
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-inter ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+ openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/build-key b/ssltools/easy-rsa/build-key
new file mode 100755
index 0000000..3159d2b
--- /dev/null
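Review bot: `grep 0.9.6` treats the dots as regex wildcards, so the 0.9.6 branch is selected for any version output containing a character sequence matching that pattern rather than the literal string; use `grep -F 0.9.6` (or `grep '0\.9\.6'`). `$OPENSSL` is deliberately left unquoted in `if $OPENSSL version`, presumably so the variable may carry a command plus arguments; if that is intended, a one-line comment saying so would stop the next reader from "fixing" it.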
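Review bot: `if test $KEY_DIR; then` and `cd $KEY_DIR && \` use the variable unquoted, so an empty value reaches `test` with no operand (which only happens to return false) and a value containing whitespace is split into several words, sending `cd` and the generated key files to the wrong place; quote them as `if test "$KEY_DIR"; then` and `cd "$KEY_DIR" && \`, and likewise `"$KEY_CONFIG"` and `"$1"` where they appear. The failure branch prints `you must define KEY_DIR` to stdout and exits with status 0, so a caller such as a build script cannot detect it; send it to stderr and `exit 1`. The same pattern is repeated in build-dh, build-inter, build-key, build-key-pass, build-key-pkcs12, build-key-server, build-req, build-req-pass, list-crl, make-crl, revoke-crt, revoke-full and sign-req under ssltools/easy-rsa/ in this diff; clean-all has the destructive variant and is noted separately.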
+++ b/ssltools/easy-rsa/build-key
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-key ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+ chmod 0600 $1.key
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/build-key-pass b/ssltools/easy-rsa/build-key-pass
new file mode 100755
index 0000000..03ab304
--- /dev/null
+++ b/ssltools/easy-rsa/build-key-pass
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Similar to build-key, but protect the private key
+# with a password.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-key-pass ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+ chmod 0600 $1.key
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/build-key-pkcs12 b/ssltools/easy-rsa/build-key-pkcs12
new file mode 100755
index 0000000..f8a057b
--- /dev/null
+++ b/ssltools/easy-rsa/build-key-pkcs12
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+if test $# -ne 1; then
+ echo "usage: build-key-pkcs12 ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+ openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
+ chmod 0600 $1.key $1.p12
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/build-key-server b/ssltools/easy-rsa/build-key-server
new file mode 100755
index 0000000..30dc41e
--- /dev/null
+++ b/ssltools/easy-rsa/build-key-server
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+if test $# -ne 1; then
+ echo "usage: build-key-server ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
+ chmod 0600 $1.key
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/build-req b/ssltools/easy-rsa/build-req
new file mode 100755
index 0000000..30f62f5
--- /dev/null
+++ b/ssltools/easy-rsa/build-req
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Build a certificate signing request and private key. Use this
+# when your root certificate and key is not available locally.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-req ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/build-req-pass b/ssltools/easy-rsa/build-req-pass
new file mode 100755
index 0000000..829b286
--- /dev/null
+++ b/ssltools/easy-rsa/build-req-pass
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Like build-req, but protect your private key
+# with a password.
+#
+
+if test $# -ne 1; then
+ echo "usage: build-req-pass ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/clean-all b/ssltools/easy-rsa/clean-all
new file mode 100755
index 0000000..d10aef5
--- /dev/null
+++ b/ssltools/easy-rsa/clean-all
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+#
+
+d=$KEY_DIR
+
+if test $d; then
+ rm -rf $d
+ mkdir $d && \
+ chmod go-rwx $d && \
+ touch $d/index.txt && \
+ echo 01 >$d/serial
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/list-crl b/ssltools/easy-rsa/list-crl
new file mode 100644
index 0000000..b214dbd
--- /dev/null
+++ b/ssltools/easy-rsa/list-crl
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# list revoked certificates
+#
+#
+
+if test $# -ne 1; then
+ echo "usage: list-crl ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl crl -text -noout -in $1
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/make-crl b/ssltools/easy-rsa/make-crl
new file mode 100644
index 0000000..62fe6c1
--- /dev/null
+++ b/ssltools/easy-rsa/make-crl
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# generate a CRL
+#
+#
+
+if test $# -ne 1; then
+ echo "usage: make-crl ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl ca -gencrl -out $1 -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/revoke-crt b/ssltools/easy-rsa/revoke-crt
new file mode 100644
index 0000000..35b071a
--- /dev/null
+++ b/ssltools/easy-rsa/revoke-crt
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# revoke a certificate
+#
+#
+
+if test $# -ne 1; then
+ echo "usage: revoke-crt ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl ca -revoke $1 -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/revoke-full b/ssltools/easy-rsa/revoke-full
new file mode 100755
index 0000000..66ea03f
--- /dev/null
+++ b/ssltools/easy-rsa/revoke-full
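Review bot: `rm -rf $d` with `d=$KEY_DIR` unquoted is the most consequential instance of the unquoted-variable pattern in this diff: a KEY_DIR containing whitespace or glob characters is split or expanded into several paths, each of which is removed recursively, and `if test $d` accepts such a value. Guard the deletion so it cannot run on an empty or split value, `d="${KEY_DIR:?you must define KEY_DIR}"` and `rm -rf -- "$d"`, and quote `$d` in the `mkdir`, `chmod`, `touch` and `echo` lines that follow. The `else` branch still prints to stdout and exits 0, so a caller cannot tell that nothing was initialized.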
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL=crl.pem
+RT=revoke-test.pem
+
+if test $# -ne 1; then
+ echo "usage: revoke-full ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR
+ rm -f $RT
+
+ # revoke key and generate a new CRL
+ openssl ca -revoke $1.crt -config $KEY_CONFIG
+
+ # generate a new CRL
+ openssl ca -gencrl -out $CRL -config $KEY_CONFIG
+ cat ca.crt $CRL >$RT
+
+ # verify the revocation
+ openssl verify -CAfile $RT -crl_check $1.crt
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/easy-rsa/sign-req b/ssltools/easy-rsa/sign-req
new file mode 100755
index 0000000..59edc42
--- /dev/null
+++ b/ssltools/easy-rsa/sign-req
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+#
+
+if test $# -ne 1; then
+ echo "usage: sign-req ";
+ exit 1
+fi
+
+if test $KEY_DIR; then
+ cd $KEY_DIR && \
+ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+ echo you must define KEY_DIR
+fi
diff --git a/ssltools/keys/ca.crt b/ssltools/keys/ca.crt
new file mode 100644
index 0000000..c4dd94b
--- /dev/null
+++ b/ssltools/keys/ca.crt
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGDCCAwCgAwIBAgIJAIKnIVmOHh/kMA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNV +BAYTAkFUMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEUMBIGA1UEChML +QU5ZVFVOLVRFU1QxITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAe +Fw0wNzEyMDMwOTQwNTlaFw0xNzExMzAwOTQwNTlaMGUxCzAJBgNVBAYTAkFUMQsw +CQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEUMBIGA1UEChMLQU5ZVFVOLVRF +U1QxITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANrdoDDCweNMNoPt0OHTSH04szK0cQdB84QB +2aFPITLOLK1jpp08I3pudz5FSwRHjsZPMJomoEXrruko/bA7q8O/xoORVNpwN3SG +lK3aqvwZfHm3Tbx7CBS/5JPlYOB5Q37femu0Gdak0oMrEBaqIxsA2Ne2D0GVnVYk +Ab2j1zuGR6eor+KhdTcdn63/zTVsARz1mcTweJxROtXRcmB3CkvO68gxs+iz4vVN +nebkW/VxbiUzNSAyQ193v177LYvxREpqSwgSscdwOTuNpDpF4Gr1YTOTlmm4tkG5 +DW8oSaT/sp8ugi5uUVGbSe9YKnVoPjZw4ARGDWQPiA7qYeHHPDsCAwEAAaOByjCB +xzAdBgNVHQ4EFgQUKIb1DfBeNiUyAA6AJgFMWoqVaZwwgZcGA1UdIwSBjzCBjIAU +KIb1DfBeNiUyAA6AJgFMWoqVaZyhaaRnMGUxCzAJBgNVBAYTAkFUMQswCQYDVQQI +EwJOQTEQMA4GA1UEBxMHQklTSEtFSzEUMBIGA1UEChMLQU5ZVFVOLVRFU1QxITAf +BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpboIJAIKnIVmOHh/kMAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKjvyWpVfauz7f12N3B/T8RClAq4 +NBL922F/OSx9eo7nVpdJ+ULG2ZPxU/umGGgUYP9kO1OTjCdfWSzzSer6eXBlOS4X +WgNI3Am3UhybSi0rRIPfhYPBIRudN8o/8fdzOyfIXNZRzVIK7H21/DrBC1G8JyLP +fVOO6HjiGBQMTCuYNbkWy1gV6HDz4+shyvEDamBIQZVKqEPI2QrvTwbGAtFmoajb +WSd+v8bNtXXNt3QPpp3JIcDUvWtjiaFCgAifYkv+tp/1lAY5/G01HlBsTEx+lDWw +oKeS8p0mB3sbKV8xS0VXiVAWojTzc3nL1oDv3Wt5bP0M1SF/puQB+FIidTc= +-----END CERTIFICATE----- diff --git a/ssltools/keys/ca.key b/ssltools/keys/ca.key new file mode 100644 index 0000000..dc2e523 --- /dev/null +++ b/ssltools/keys/ca.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA2t2gMMLB40w2g+3Q4dNIfTizMrRxB0HzhAHZoU8hMs4srWOm +nTwjem53PkVLBEeOxk8wmiagReuu6Sj9sDurw7/Gg5FU2nA3dIaUrdqq/Bl8ebdN +vHsIFL/kk+Vg4HlDft96a7QZ1qTSgysQFqojGwDY17YPQZWdViQBvaPXO4ZHp6iv +4qF1Nx2frf/NNWwBHPWZxPB4nFE61dFyYHcKS87ryDGz6LPi9U2d5uRb9XFuJTM1 +IDJDX3e/Xvsti/FESmpLCBKxx3A5O42kOkXgavVhM5OWabi2QbkNbyhJpP+yny6C +Lm5RUZtJ71gqdWg+NnDgBEYNZA+IDuph4cc8OwIDAQABAoIBAQCutAP/iCauYhKO +AtIewMF3O0BHdCNY8LsKH1Px4DEW1d5x1T6U+gEz5GOIsFUuKFR+VY3tLnH2/idT +dGX0O91i1n0GXobGCpcpi5e4ovijXVCv87K4hdiwf3Bc4dcPt5w59PdKa6vIWy6y +hzhDbzGwh1+P6IKLDntV3E4La3INzyr/8nFeoybCf0tHyK15j0PVycGExU+q54Jr +/LM6y1mAY9CbE+k8C5QwvkO8H2fyQcfqiHIZlBT08y+bP7/zuUAvjcX1oaVk2Qtt +dX3N02kIw+C053oxxoQ+K9MSohF5KPdm9FFmalxvMbdWcFD+s6nNtPBGXbBvZy5/ +8c7nDx9xAoGBAPGsH0znvKWq0RNU8rho7SlMRZ2wY0LpMgjLcAMbKZ1xr16kdrHY +RZANVL0jm1hQi0pnJlEJ2B87zjXCOjytFqF5xoGKWjiHYc+yYVpzQTMXdzHxSmG6 +rPGqCCMi6z+QaC1RcFwVXD1po7UMx8c18sy4/ERIIHcQwy5VJVtJIiK5AoGBAOfX +XaGX8nZFQg/yXRI0O1Lk9rXv+37CqcL7dtkbhxSVCdfe3q0XcIUac9oy1uoK2B+Z +0PNne4mafky4B2r4DOEWWEBjsYAGhRTKYEHVYUecgtTL6IqnVwWe2aEDerkTQPbo +0/A5sVJimbvn7xtDO8E9Vezoqg25cdYK54RKIayTAoGAY013exFJqcUbrdbc+Ttc +H/kQLfBZiRfrEEQPnacenWwmRDxN7VvRkZR4ulMUNOC7q3HhA7GI1aSsYdiSN3Zj +8yvnjjj8Q3gVj9NbP2BWbRj6SFI+XxPmllJoj498nJzIwb5R7fR092Md+nnq6QdY +4hgsyB3fAS2pFbO06uKNHTkCgYBsngnP21BM+MWqkvHnxXDFtV+gfX5mNO0z3Hwh +2zO+ANVLva61iXW95lbAs3Dc1ZfLtlSetKy8GxVw/Ab9ppjiG4XdJNfUEznmM6pF +LaMV2c2xxJZ930h16aYsOWUVsF+PTiV9NopM/sTntBHhw+4K6qGHDLofE/KxRQqS +f+im4QKBgQDOTT16WHPzbq3JnY8Rt4ABE9GmkKih42+XdYBYh7a/AQDiriY2tfPX +EFEpc3dRFr/yhgRecaBVk4SYJy+qxKnl7Ekk4lQ8y0zH53E/D+BDOh6EpbsUtkvS +lUc6N0SKKoStE3bX8pOkniJfS9Vfpzf9KUnwVCp5T+2Lzt8vzCK08g== +-----END RSA PRIVATE KEY----- diff --git a/ssltools/keys/index.txt b/ssltools/keys/index.txt new file mode 100644 index 0000000..e69de29 diff --git a/ssltools/keys/serial b/ssltools/keys/serial new file mode 100644 index 0000000..8a0f05e --- /dev/null +++ b/ssltools/keys/serial @@ -0,0 +1 @@ +01 
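Review bot: A CA private key is committed in clear text as ssltools/keys/ca.key, together with the unencrypted private keys server1.key, server2.key, server3.key and server4.key in the hunks that follow; private key material should never enter version control, even for a test PKI. Once this commit is shared, the keys are in the history of every clone, so this CA and every certificate it signs have to be treated as compromised and regenerated on each deployment instead of shipped with the source. The keys directory should be created by the build-ca/pkitool flow at setup time and excluded from the repository via .gitignore, with only the generating scripts and openssl.cnf checked in.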
diff --git a/ssltools/keys/server1.crt b/ssltools/keys/server1.crt new file mode 100644 index 0000000..e69de29 diff --git a/ssltools/keys/server1.csr b/ssltools/keys/server1.csr new file mode 100644 index 0000000..059c169 --- /dev/null +++ b/ssltools/keys/server1.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqjCCAZICAQAwZTELMAkGA1UEBhMCQVQxCzAJBgNVBAgTAk5BMRAwDgYDVQQH +EwdCSVNIS0VLMRQwEgYDVQQKEwtBTllUVU4tVEVTVDEhMB8GCSqGSIb3DQEJARYS +bWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAv88G8qUEqOiCvchwUeBSadUeGs0Md26ROUAMUw6G58OlzjRgT+tzbSiOzIdN +bxmSeHPCa8bYATYTTThnHmVg4CE7xP9U+tA+tJAIkpkBZZYotnV/OnJR0F4TtfKZ +K+O8+Yybaiblad1wSzXjrzX4QQ9ueh3Dg+7QEwSCq9GNP1x/2nyJi9c9Dpko2z71 +b2K1oPKhjTuVSbwL7gkp7E9TaaKfRhyj5w3eVOz+QcYR2HHClmL244VjJhQ/K99V +Rs+RrFbustiV76NNU57ibeBWMbQofIcaX0nuw0m7uZELEu0QZQuV7ARo+0Y5OIuU +XecaRwItaCJSscKE4UVeFABGHQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBACF4 +pOn14suzMMpniCfSAUVNa6yhsQ5yik3N+5/UF8z08xests0huzXFU62Cv2QSXCQx +EwjAJSBgA4oS6Xr+QmI8P3UN1QeY4NqgxOmURZTdG5oWAPTcHE7SMulzjKP5ZxoZ +FyWmSNXolMNqGwcrbhrqF3xXkPVC+HkK2qX9C4p7IZm8lWGJ+g4Mbf5Sh924BoJ2 +RCNWZbtwtli88IvWUzQUqkJXjVVChigxbwOmwEk3JNWxXcyKt1SdjY0poIzf013V ++b8np6CIFxq0MyihMpI0gSkXy0Yhs36sjopiYAJ2nD+3Q17/pBhRKnnyAxWH3ZsD +Stga9FJHLzITwLF1ASo= +-----END CERTIFICATE REQUEST----- diff --git a/ssltools/keys/server1.key b/ssltools/keys/server1.key new file mode 100644 index 0000000..7ad0455 --- /dev/null +++ b/ssltools/keys/server1.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAv88G8qUEqOiCvchwUeBSadUeGs0Md26ROUAMUw6G58OlzjRg +T+tzbSiOzIdNbxmSeHPCa8bYATYTTThnHmVg4CE7xP9U+tA+tJAIkpkBZZYotnV/ +OnJR0F4TtfKZK+O8+Yybaiblad1wSzXjrzX4QQ9ueh3Dg+7QEwSCq9GNP1x/2nyJ +i9c9Dpko2z71b2K1oPKhjTuVSbwL7gkp7E9TaaKfRhyj5w3eVOz+QcYR2HHClmL2 +44VjJhQ/K99VRs+RrFbustiV76NNU57ibeBWMbQofIcaX0nuw0m7uZELEu0QZQuV +7ARo+0Y5OIuUXecaRwItaCJSscKE4UVeFABGHQIDAQABAoIBAHRd1YlANCOFbExX +Xk1OGrG6ahk4bWfH3LMu+EsrdQ0G1YDUpdnWrqB7CqdrLr9IdGQ/VqSsbj/N3sfq +gCUgvDU99FT/0z6XOHOzLoBB82b+QpTvk9CRqrEPYkXweJz3/Z4of+FW17fycD4w +44FY7NQL2KqdhBB2wiXHhr9W0qqtFZWuJTOskVpG6pkGhI8wHSL8jz1vI+0KAa6c +FEUe65jVvnBHg2qMwizpqiHm0Yf2gv3D5Mgk3MDww79V3LdQ7UEqiclYOG3nBfzj +HWo/ptKK3vGhzN5v09rDGHIAbHCWg6YzGe5Dvj7GhkKqvtdJCPXje8mMfc7xXEfh +pUJkBgECgYEA81yXC7BD+fpHAc0MZSf+8i9C6ENm5ZaDt0wlg5UnGKlTk+9n66p6 +V/GXmur7HJaL72RVYeUvXxKkzDQ4j3i+qCrkgHMpc9hjkCZ+nZWjwSFZEnxjXcUh +yhHcvnrfRwgNGLqwsIoUSTVhptbZc932n8jpq6PNZYrEUNlsdkpgpYUCgYEAycUO +1bhvRr50Hf2AW5mRbJRxsUqqVk4Rz1/eevZMsXssy6J9K0to5YO1QKaFz4+FiRkU +DkV1nGb/v02cFY8jHe2rOeP8LeYChWsVl3tvrCA1rkio2ITAFI3W+WaBW3j7cizV +5hhLhg3Ez08lZP5lF+lB6M3b740W2vaoF9791bkCgYBAkketnUZcFJE0pCBu0q7t +uaaKFCBAOLCYOQcXI8Ms4vi/Ht23BRPTM9IjE8gvLK7ShQ+2muX31u2NFSoQv1vv +KPpaLrRH/ZllTSF5VJQPkXad1g1TexPdFuI4VEfcBAHdluN85BY/2n8fkpA+Ex32 +BYwis6KzF5/BR/9kX5XHNQKBgH7LNudXX5Y1WQL/qwnlF14Eau3e3eweY1LODCF5 +ZfiiTyQomD/8w453lg9qlew5ZNEi0VemjqIal9zACLYDnS3RjShz/KVbRXpSMN9g +0mx4UUOUpYZq5coE2HMh12iEPn8hbcmKuusi++rK8dTliOHd021Y8D05jINNPZTC +rQEBAoGBAO8Ozk9FK3r68vkYlLNmwu2Z5XPS7ZLDwgmfTVJRl+n6ikZCr7uo7+Xc +6rkPeueTV15MSMPQDqY12gbAlIrSpOhINEKt5T/inxUIpU6VItFy9bk1+OXwUfE0 +2gHRzohq1tFSd9E+A+9Z0rHDpYfsuXZIro+nBXqn9OxPap15mx+5 +-----END RSA PRIVATE KEY----- diff --git a/ssltools/keys/server2.crt b/ssltools/keys/server2.crt new file mode 100644 index 0000000..e69de29 diff --git a/ssltools/keys/server2.csr b/ssltools/keys/server2.csr new file mode 100644 index 0000000..993c2e0 --- /dev/null +++ b/ssltools/keys/server2.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqjCCAZICAQAwZTELMAkGA1UEBhMCQVQxCzAJBgNVBAgTAk5BMRAwDgYDVQQH +EwdCSVNIS0VLMRQwEgYDVQQKEwtBTllUVU4tVEVTVDEhMB8GCSqGSIb3DQEJARYS +bWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAysIXEbv0kDcGX0XMWUVN5QrMgmshAo0CJswB1V771B81TJrat+9bxxzuGKWf +6tdBLGyT7S5BYKbCF/h6Z8oT7KRSQ3qmK4CtvNt05d8TW6sbZf6UWPXMLwii4ztA +193Otrk0Z6adyF1AJJtFkPUf1XmJHeAHFBRPzy4zV8oFrFX4Fc97gsxULPANs763 +9KBz8TuGxomzO6gRPJ+HTKpC/CG1tvJxM36T8pZfGlqi/jLlfR/2JUkvjzP2WW7S +/FGS3sAioSkSd09TbupSmf1R90kRBRdlt/BhgvCvSFDndWXGNuoDXPDgkYZJ3BUN +7C2lPCqorvNxsY/iCW8m+66hSwIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAGwp +QT5j8ZPEnMh3T3krCE94pheM9nsbTxpn4/NyQsijZVJ0PoL5iqo8IXjFymC4IzfN +PwqxanPeDBlDpJtgUucDAmhNSo4XAj8IldO5ZpGostta2BKbw8kZHe6lA95v7Myu +tVlnbXp15XQJWlAoVkdZGkqOlmNbBveqCL9IcGrDrxusZNhPRKeBZcyIzDKQYXJ8 +F0t55aGbMl0rZUbobvsGgHImfhZ1E3uuD1ePlSxGbHPv7KWelf5fVj58KuGOfTYC +RX5S/N7ERaH2627oXYekJJRrtCh/Nn5ZAr2p3ThmoWr7tzwKm4BctMA9PWjLsuJV +yMTFavGRp6g8YvZ2NGA= +-----END CERTIFICATE REQUEST----- diff --git a/ssltools/keys/server2.key b/ssltools/keys/server2.key new file mode 100644 index 0000000..ae183a9 --- /dev/null +++ b/ssltools/keys/server2.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAysIXEbv0kDcGX0XMWUVN5QrMgmshAo0CJswB1V771B81TJra +t+9bxxzuGKWf6tdBLGyT7S5BYKbCF/h6Z8oT7KRSQ3qmK4CtvNt05d8TW6sbZf6U +WPXMLwii4ztA193Otrk0Z6adyF1AJJtFkPUf1XmJHeAHFBRPzy4zV8oFrFX4Fc97 +gsxULPANs7639KBz8TuGxomzO6gRPJ+HTKpC/CG1tvJxM36T8pZfGlqi/jLlfR/2 +JUkvjzP2WW7S/FGS3sAioSkSd09TbupSmf1R90kRBRdlt/BhgvCvSFDndWXGNuoD +XPDgkYZJ3BUN7C2lPCqorvNxsY/iCW8m+66hSwIDAQABAoIBAHmylXYnglstK73z +fvv2BRL8sFN3SZDmYew3dsJDCJQBR1R7fdv45vVT//T7NEkYeh3X7dHmeYcxkD4i +/hVdzSe0WUv3SdXCnoVEk52Fj3Dt+rv1WcUrgyqX3GzXG8x1baVu9G1iLEIe9mkC +aXbgKgNPt2UfGiCLMHwCFv8SWuVcgZg2ZjM15c8zadEC0y/fAlk8O620cVuVnBFf +bIoiGJFcV4ZPOzrx6D1VFsOI06AGyNQR5c5dOl9qeacguSQdZ9+G+ujIPp0qm+Em +YE02AFyzxXVHa3DDyhzObAzkfv6jOTYtwLxpSBMiP5CCg4VqyCXi8pbtlvOykE7H +wGbNJoECgYEA+org3sbvpFipKF/UWuCKpZ485U4S8a1p+IAcUloM152PIMFPIcyb +ECtjZu1N/jXSYjyCOeTCXM33xMaoUCNzJibrVEe/u2BLrcYgadm4VLRWjwzDEBON +Avg9/QJr+RsithRryslkeF0sD9GL8OQkCXH919+kD8hkL2+10gMPSwkCgYEAzyy/ +c80EP8D0ALyjeg+Kklg11sWR/eXfmiy9iErfa1jQRbNQ7zmch8rBwUvScPklQgyj +Ze2ENxrBDgDFknysKB4Kd+yTnsybQF6vw3MfDNz6gvPR9f+2we24haHjZVniEXqy +WCpQPl4/wrEgssTIE1MwJQme81Fku+lHG7W8WrMCgYBh3tiDDhFVEPFbfTvWGDrx +AYRmSv5pfEWWNm1Z2iWEIN9lez4vRN8aDOjyrya1dE7v4xU4Cl3GpQrxymy7iW2U +7MUnEjQavT4y7t+AmfVA2YWqseCNKiX+j/yfFlAZank/yXBmMg/WWQc6UrAo9OYC +7o2rw4gyRiSkxy2ukVVrCQKBgQCyat8WY2FdZla8q7g9zlSQY9c59zwbZHSE2jL/ +xTtTv1DeNedlnj/n0f268glxsZ8cmrW9eid7LVdFL/T2itfYVMa/MMaQ47RwYxsL +P4FmGojDbidLq8VAjfFzZE/pYNcIJpqgwxAIJjLTAKggTMfhnKrBut9gvJ/8FJJg +ksp7cQKBgGOSnCskEs05TSLhKN+kdq/IDInQGPw8MI+dFCek4KpuK4IOjToLtG5D +Fz24+KcU/11EBMLQp3JAMwF9DFNNQQ0hzBo1ILDVJuk9QOT1FaYMIfZFjQgtGHyU +FSlG7RfVjV6pk3ayYqAlkEL31g3bXlYJC+yAGEDypF5ScgiX+d1d +-----END RSA PRIVATE KEY----- diff --git a/ssltools/keys/server3.crt b/ssltools/keys/server3.crt new file mode 100644 index 0000000..e69de29 diff --git a/ssltools/keys/server3.csr b/ssltools/keys/server3.csr new file mode 100644 index 0000000..e0a6ac3 --- /dev/null +++ b/ssltools/keys/server3.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqjCCAZICAQAwZTELMAkGA1UEBhMCQVQxCzAJBgNVBAgTAk5BMRAwDgYDVQQH +EwdCSVNIS0VLMRQwEgYDVQQKEwtBTllUVU4tVEVTVDEhMB8GCSqGSIb3DQEJARYS +bWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyiyj24Xp9w3trMbzGyR0gQpGDMhIdJHU1AwW8EskMtNs1eCw5CYZZM20mm7k +vkWXMFdgwjFqKJjjnZuO/HUcYcJcmfJI91srEepThTGrNYiYTKnfJopWTALSRW5E +8F7P4pDby261jzQNCAlaOfWdXUagAOd8Tx7Dk5CNxY7M0Z4kuWt5x3AI1gFG0tb/ +heZrS1NSQ2RS4+BH/z9WY+f9l2QgchkieKZ+RFf5wsrvbkfaJy5kGirPP2+OxwDf +8zMIiee1SDaHRr8cb1b2xM7hbZyvWVDECfrHjf7lXWXMP0V6lxk3Z5Hi7Piaog7F +BJ0AB6Sg33jayt2Ett4p+2VsoQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBABwd +OecA3Qodoa2xNm1JTJwRLhi841VRX9tKhrMhm0DbqX5Ifema5ALR1jigcldTh0VA +bfOolXS+kOlw33d9kHGGj/eQfOk5TJuc28jycMYFBAy9bpCSckrz9o7XTGA6h8LZ +sbA5oXdRU9IYPX6Q/fBdST6BdPZfllLYsNIaSxkg2waWuBIuH8gidtUNe1uUuA1X +OzleKi4PPy30bdGfcgjRUQyiTyas5KaCb5QpGjp3q0MfOVUq71BwLFmdSv60d+Rk +I0IbxzWcfrHuPjT29OYBZ8osQeyTLnDc4hEAePe3LxGp+KNqe4BZbMyoWg3TTKK7 +O7v3I7o+/06zLJPwG48= +-----END CERTIFICATE REQUEST----- diff --git a/ssltools/keys/server3.key b/ssltools/keys/server3.key new file mode 100644 index 0000000..7a95892 --- /dev/null +++ b/ssltools/keys/server3.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyiyj24Xp9w3trMbzGyR0gQpGDMhIdJHU1AwW8EskMtNs1eCw +5CYZZM20mm7kvkWXMFdgwjFqKJjjnZuO/HUcYcJcmfJI91srEepThTGrNYiYTKnf +JopWTALSRW5E8F7P4pDby261jzQNCAlaOfWdXUagAOd8Tx7Dk5CNxY7M0Z4kuWt5 +x3AI1gFG0tb/heZrS1NSQ2RS4+BH/z9WY+f9l2QgchkieKZ+RFf5wsrvbkfaJy5k +GirPP2+OxwDf8zMIiee1SDaHRr8cb1b2xM7hbZyvWVDECfrHjf7lXWXMP0V6lxk3 +Z5Hi7Piaog7FBJ0AB6Sg33jayt2Ett4p+2VsoQIDAQABAoIBAQDFXwcojHd4hNR/ +VEqJOPGz+D+iwvRZOPU5fgP22qSgKd+afRyz3q3zxw6FpbUSPAX5X5RKgMtOjtPH +TdItjHcEySZ19B5fvVUyzDx1T6QBQzTLwxrjGTJeSnLU7W3H7Aeu/BRXaeE9yGbg +baDz7GCQax5RQ6wL4dC1Au4k69/w0mJpcKxTPlyF+7/PZIPGLV4uS0G88t6EjOQq +xoGYRtT5VwuVO2AGZaCjanbF/b6c3Vr2uuSmd/cItuclbltcVxs4OU7L4vY732XR +VK5X7/0Jy2/7OgHFHx4DnTrzG/QUQyOZ/SkeWv5rr/RVgjSE9y0AEdOmMw4lsRdv +b3pZG6xxAoGBAOfAyL/gTqgv6rlPG7SLtGatgPRbUyeho15bk0v1Zp3tfD7mqeH2 +IMwXblENag7uZ5mDwQoOk5mSWwHMtJbTsYio1YuTAsmK57mveCS6T5QuDO6GE2Aw +K4Vpi7Hx0LCUvxSklBMxDpaYIogqBYmLCgV6FgsmwzjQ1iVfo0VjvwJbAoGBAN9T +oLPWWKz9wyzxnuMoei7jFex+hxR4TiGUAimEq6t+pOmT/ERcJtJ8QMwoY2dATeMv +UccQ3q6XVnW4m4HZmiYkTkwxnjKrxAuA2USeS0wvUIa/k+Sha6F1DeECVoQIq2b/ +yQGYl1E79HcuuRZQid0v0gPaEbEtrhN1e925UQWzAoGAED3pk9DzkkPxblVF+sxD +s2J7hCSWWlOwsF84nn0vWOgY6gueYlCukb8eox2OjkdVCWQ7din5XCzupdyj12I0 +sgArHyIJcviCLvhGMkTAaQElNN4+o2Ic2re/65On7YgvMBIssn+gpxs4aFSRmMce +x617uAJacjPonivqtGU+MLsCgYEAvaHERpCO0a3U6jftA9ReE6wt9Jfn2aDiLy7/ +uwN1xfSO0ewf/GgHaxmo5/KvnYAD4xJOLWuMutG0z9dG7La6ZwLTHW3QeBRULrRl +SRfktjdC+Hh6e1v6Capcc6DJl+nIqXgu1VUdwBPZ3M3myiTvO8scWLr15O31734G +BNsUCnMCgYB9qQP0CrvA2EnNzu7KrC9a73dzpTF61faqycdc0fpVJ0a/HYUMY0nj +RCcykFFyUc/SKiBszSQ4/qjmN/3QEd60iamVVyqRlhUKwVq7i4PTnU/TQ6AErSwr +uisU8Gtw8F3FtiwJ6ww6flNvPu/oLWRtzWeRZjLK5pfybY74qqknvQ== +-----END RSA PRIVATE KEY----- diff --git a/ssltools/keys/server4.crt b/ssltools/keys/server4.crt new file mode 100644 index 0000000..e69de29 diff --git a/ssltools/keys/server4.csr b/ssltools/keys/server4.csr new file mode 100644 index 0000000..6ec80ed --- /dev/null +++ b/ssltools/keys/server4.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqjCCAZICAQAwZTELMAkGA1UEBhMCQVQxCzAJBgNVBAgTAk5BMRAwDgYDVQQH +EwdCSVNIS0VLMRQwEgYDVQQKEwtBTllUVU4tVEVTVDEhMB8GCSqGSIb3DQEJARYS +bWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAqmTK2Os0JYsNKnmbgtXOSDqIrcJa15UrJ4lWS/5k+Ub5jkzbYD6NX1DwmKXc +4w50/HOklL+jex+drLvUlPEStpcDy+MIKhOpY+v2jSidGEApStZUEZLpRHgE0s95 +gx4R9FhR/8vbjJfnjC58F/ZmWJN9XYEsImggMnLVL328SSlseTHcvh5lrtbFX/w1 +kWtcUjjLOq4UdEsTxiu0/MCU44xcLy9818u1iC2VlTKSUTUaMNS3tFitNnN8qkbG +gLB5YjmNm4X7jqIWrFqFGDxJquatRCECTuaWW314eZA6rap85S2Wp0yMO80DgheD +X9mR3S5Bzj2lHMFdpxcpuEdTzQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAAkK +42VWAAHM3lEqqOJUlx5sfHh3t1H+1lE6cVyFcoSu5hdazb9w+0tstlCsvYPQ8aIw +5T88DO5UyIvZuptM883sQFUONRjr45x5+xW+fGPuLS0nBfSnWEF02OBYq9C7n5+Y +l/aPLT9ft7O+Z89Lv9yDPTcx/cxpALFrHRtUAw9tqfMiuAr+NGu7dTeA421aFcB9 +b6aagWAZBx6TN+b0snxfJmPNun+HhoR2vT6yoxE8tEAeRdYTASaZpR7HBUgquYrJ +EyFlfRRynGYKGOO300FqT8Jzxu7OJcqKQVdKLIyVDyn4F2NHiOuRVElZQVkVf5CN +a+mNb4V8Z9WDCb6ueeI= +-----END CERTIFICATE REQUEST----- diff --git a/ssltools/keys/server4.key b/ssltools/keys/server4.key new file mode 100644 index 0000000..8f5e2bc --- /dev/null +++ b/ssltools/keys/server4.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAqmTK2Os0JYsNKnmbgtXOSDqIrcJa15UrJ4lWS/5k+Ub5jkzb +YD6NX1DwmKXc4w50/HOklL+jex+drLvUlPEStpcDy+MIKhOpY+v2jSidGEApStZU +EZLpRHgE0s95gx4R9FhR/8vbjJfnjC58F/ZmWJN9XYEsImggMnLVL328SSlseTHc +vh5lrtbFX/w1kWtcUjjLOq4UdEsTxiu0/MCU44xcLy9818u1iC2VlTKSUTUaMNS3 +tFitNnN8qkbGgLB5YjmNm4X7jqIWrFqFGDxJquatRCECTuaWW314eZA6rap85S2W +p0yMO80DgheDX9mR3S5Bzj2lHMFdpxcpuEdTzQIDAQABAoIBAAkJl4ix0O481dHu +6USjOnGySRWOPWs5yjQqoJ0fPRPLo+jcQrZ0GuN3U4uFIJYaajIJoC0TjQQ2xRIo +VDoiHy/4CoeB3yj8KfvWxBjwkoR6wrXpcEQOWrj69KaJwpQlwCYJmS/MDDUEyY8x +1/sdYohIKloPQ9v/UdXbKVt/e8EVjzd++Lls+2Cn5/dH61BcJsIHgzhA9cXSr8i3 +K8gD9T2drO5EOjf59g5HHIX5glotSLJoT+KLCUX3VhH/lz/OqBT1xVwz8t1eNT1G +0pEHPHAbGbTbbHdjB7B3DsOmHJLUWu+RapyJluCmd+2WJGJ2Ohe6FuTD72TNYPOs +6vicjgECgYEA0d9BO6vZ7Ch0/xjbD+VzYtWoLwMkCzeK5apRCk5qPGE+prLcLBAz +3TuK2E/gaqeKHuanLhvSsIk45i1drAf8XLFrFHKZrNJF8hAYuhryJOf8ZbaPkx91 +YJxQfbKvoZpzxdGz1jf3QCEo9ITaplbV6T6s6SbBEpXl/6YtcljHoiECgYEAz9g7 +cG87k+rj8CtyQ2eprZ2vvrOMicTRcVHXY76PHAB38Uq/sIHDAA02av/xNdOG1G0o +8yTUETlo1gV6iip/GAFjXZ4S97v8gNsAHE7COpwQJfkCwSta45fK7/jktLKE8kts +CjvDz+qF97ZiIaFrm87OCqv94uVdJyHE/fZdVC0CgYEAwqKlEdz3tr9yeZ4okx59 +mzyAxFDKXai+JO6GR+OfPK4G93xLGoZQQy1UP/YcL21/d9b7VpSxGc25Oib6h2/E +iIZ1wzng8Vj1S1/IPth8luOavQ3JK21yYw20zE4p+dqO4ffwK4wtvojCPbr0OG2x +5qWcoIGzbzQbYLNR1IknY2ECgYEAoDt3N2rJZ3OCXjlgUY6tROd4AXCyO9O8E7yg +bIkQEupZjW+u8AhZqMSG216NOo3kOAgftbMCunSj2btHiRTR/lOzowymWs5WD5DG +OQyOuFhwKpYaBYnC/AqdrPsYdiXaUGDM3ebNQpDuztWQOZUUPH3mYlvN0wo4El76 +Wz9/G9ECgYA/kXdXp5M3OjtKxg3fYx7fKVbfmYv+jfLURVwwiM1bwRufCEIqz91P ++lPb7QKSZufOYKl/TaUhbpmEq2m+//hoDaARTebUGe6lHnovSvkDryUG4wl+b5p0 +teGRlNahYUzTsiWTQCDo4FZPvpcaVANJJZZXzIONfDPdT5oj05c5Qg== +-----END RSA PRIVATE KEY----- diff --git a/ssltools/openssl.cnf b/ssltools/openssl.cnf new file mode 100644 index 0000000..270b069 --- /dev/null +++ b/ssltools/openssl.cnf 
@@ -0,0 +1,255 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::KEY_DIR # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = $ENV::KEY_SIZE
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = $ENV::KEY_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = $ENV::KEY_PROVINCE
+
+localityName = Locality Name (eg, city)
+localityName_default = $ENV::KEY_CITY
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = $ENV::KEY_EMAIL
+emailAddress_max = 40
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/ssltools/vars b/ssltools/vars
new file mode 100755
index 0000000..ed16f9d
--- /dev/null
+++ b/ssltools/vars
@@ -0,0 +1,49 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export D=`pwd`
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=$D/openssl.cnf
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR=$D/keys
+
+# Issue rm -rf warning
+echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# Increase this to 2048 if you
+# are paranoid. This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY=AT
+export KEY_PROVINCE=NA
+export KEY_CITY=BISHKEK
+export KEY_ORG="ANYTUN-TEST"
+export KEY_EMAIL="me@myhost.mydomain"
-- cgit v1.2.3
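Review bot: `default_md = md5` in `[ CA_default ]` signs every certificate this CA issues with MD5, for which practical collision attacks exist, so a crafted request could yield a certificate whose signature also validates a different one; change it to `default_md = sha256` (any SHA-2 digest is acceptable). The `[ v3_ca ]` section leaves `keyUsage` commented out and `[ server ]` sets only the Netscape-specific `nsCertType`, so neither the CA nor the server certificates carry a standard key-usage restriction; adding `keyUsage = critical, keyCertSign, cRLSign` to `[ v3_ca ]` and `keyUsage = digitalSignature, keyEncipherment` together with `extendedKeyUsage = serverAuth` to `[ server ]` is the usual fix and is honoured by clients that ignore `nsCertType`. `default_days = 3650` issues ten-year certificates with only a V1 CRL for revocation (the `crl_extensions` line is commented out); if that is intentional for this test CA, a comment saying so next to `default_days` would stop the next reader from treating it as an oversight.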
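Review bot: `export D=\`pwd\`` ties `KEY_CONFIG` and `KEY_DIR` — and therefore the directory that `clean-all` removes with `rm -rf`, as the comment above `KEY_DIR` warns — to whatever directory the caller is in when `vars` is sourced, not to where the file lives. If this file is only ever sourced from bash, deriving the root from the file itself, `export D="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`, removes that dependency; under plain `sh` a guard such as `[ -f "$D/openssl.cnf" ] || echo "vars: source this file from the ssltools directory" >&2` at least makes a wrong working directory visible before anything destructive runs. The unquoted `$KEY_DIR` in the `echo` line (and, to be safe, in the two `export` assignments) should be double-quoted so a path containing spaces is not split. The comment above `KEY_SIZE` still reads "Increase this to 2048 if you are paranoid" although the value is already 2048; it should be updated to match the setting.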