nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add vars.example here-doc and move here-docs code to lower section

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-07-15 21:13:13 +01:00
parent 8cdfbb2ffe
commit 7039d02952
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 375 additions and 213 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

588
easyrsa3/easyrsa
View File

@ -1522,219 +1522,6 @@ install_data_to_pki - Missing: '$x509_types_dir'"
verbose "install_data_to_pki: $context - COMPLETED"
} # => install_data_to_pki ()
# Create X509-type files
create_x509_type() {
x509_type="$1"
[ "$x509_type" ] || \
die "create_x509_type - type undefined"
case "$x509_type" in
COMMON)
cat <<- "X509_TYPE_COMMON"
X509_TYPE_COMMON
;;
serverClient)
create_x509_type_easyrsa
cat <<- "X509_TYPE_SERV_CLI"
extendedKeyUsage = serverAuth,clientAuth
X509_TYPE_SERV_CLI
;;
server)
create_x509_type_easyrsa
cat <<- "X509_TYPE_SERV"
extendedKeyUsage = serverAuth
X509_TYPE_SERV
;;
client)
create_x509_type_easyrsa
cat <<- "X509_TYPE_CLI"
extendedKeyUsage = clientAuth
X509_TYPE_CLI
;;
ca)
cat <<- "X509_TYPE_CA"
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
X509_TYPE_CA
;;
*)
# Unknown type: User MUST supply the X509 file
die "Unknown X509 type: $x509_type"
esac
} # => create_x509_type()
# Create x509-type/easyrsa
# This could be COMMON but not is not suitable for a CA
create_x509_type_easyrsa() {
cat <<- "X509_TYPE_EASYRSA"
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature,keyEncipherment
X509_TYPE_EASYRSA
} # => create_x509_type_easyrsa()
# Create vars.example - Not used
# TODO
create_vars_example() {
cat << "VARSEXFILECOMPLETE"
VARSEXFILECOMPLETE
} # => create_vars_example()
# Create openssl-easyrsa.cnf
create_openssl_easyrsa_cnf() {
cat << "SSLCONFCOMPLETE"
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::EASYRSA_PKI # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs_by_serial # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = basic_exts # The extensions to add to the cert
# A placeholder to handle the --copy-ext feature:
#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
preserve = no # keep passed DN ordering
# This allows to renew certificates which have not been revoked
unique_subject = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
serialNumber = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = $ENV::EASYRSA_KEY_SIZE
default_keyfile = privkey.pem
default_md = $ENV::EASYRSA_DIGEST
distinguished_name = $ENV::EASYRSA_DN
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::EASYRSA_REQ_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
emailAddress = Email Address
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max = 64
serialNumber = Serial-number (eg, device serial-number)
serialNumber_default = $ENV::EASYRSA_REQ_SERIAL
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always'
SSLCONFCOMPLETE
} # => create_openssl_easyrsa_cnf()
# Disable terminal echo, if possible, otherwise warn
hide_read_pass()
{
@ -5943,6 +5730,381 @@ force_set_var() {
############################################################################
#
# Create X509-type files
create_x509_type() {
case "$1" in
COMMON)
cat <<- "X509_TYPE_COMMON"
X509_TYPE_COMMON
;;
serverClient)
create_x509_type_easyrsa
cat <<- "X509_TYPE_SERV_CLI"
extendedKeyUsage = serverAuth,clientAuth
X509_TYPE_SERV_CLI
;;
server)
create_x509_type_easyrsa
cat <<- "X509_TYPE_SERV"
extendedKeyUsage = serverAuth
X509_TYPE_SERV
;;
client)
create_x509_type_easyrsa
cat <<- "X509_TYPE_CLI"
extendedKeyUsage = clientAuth
X509_TYPE_CLI
;;
ca)
cat <<- "X509_TYPE_CA"
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
X509_TYPE_CA
;;
*)
# Unknown type: User MUST supply the X509 file
die "create_x509_type - Unknown X509 type: '$1'"
esac
} # => create_x509_type()
# Create x509-type/easyrsa
# This could be COMMON but not is not suitable for a CA
create_x509_type_easyrsa() {
cat <<- "X509_TYPE_EASYRSA"
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature,keyEncipherment
X509_TYPE_EASYRSA
} # => create_x509_type_easyrsa()
# Create vars.example - Minimum settings only
create_vars_example() {
cat << "VARS_EXAMPLE"
# Easy-RSA 3 parameter settings
# NOTE: If you installed Easy-RSA from your package manager, do not edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades do not wipe out your changes.
# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file "vars" if you want it to be used as a configuration file. If you
# do not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without
# the need to copy and edit the "vars" file.
#
# All of the editable settings are shown commented and start with the command
# "set_var" -- this means any set_var command that is uncommented has been
# modified by the user. If you are happy with a default, there is no need to
# define the value to its default.
# NOTES FOR WINDOWS USERS
#
# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
# backslashes (single forward slashes are recommended.) This means your path
# to the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# A little housekeeping: DO NOT EDIT THIS SECTION
#
# Easy-RSA 3.x does not source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
echo "no longer necessary and is disallowed. See the section called" >&2
echo "*How to use this file* near the top comments for more details." >&2
return 1
fi
# DO YOUR EDITS BELOW THIS POINT
# This variable is used as the base location of configuration files needed by
# easyrsa. More specific variables for specific files (eg: EASYRSA_SSL_CONF)
# may override this default.
#
# The default value of this variable is the location of the easyrsa script
# itself, which is also where the configuration files are located in the
# easy-rsa tree.
#
#set_var EASYRSA "${0%/*}"
# If your OpenSSL command is not in the system PATH, you will need to define
# the path here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.
#
#set_var EASYRSA_OPENSSL "openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# Edit this variable to point to your soon-to-be-created key directory.
# By default, this will be "$PWD/pki" (ie: the "pki" subdirectory of the
# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! Interactive mode will prompt before acting.
#
#set_var EASYRSA_PKI "$PWD/pki"
# Define directory for temporary subdirectories.
#
#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
# Define X509 DN mode.
#
# This is used to adjust which elements are included in the Subject field
# as the DN ("Distinguished Name"). Note that in 'cn_only' mode the
# Organizational fields, listed further below, are not used.
#
# Choices are:
# cn_only - Use just a commonName value.
# org - Use the "traditional" format:
# Country/Province/City/Org/Org.Unit/email/commonName
#
#set_var EASYRSA_DN "cn_only"
# Organizational fields (used with "org" mode and ignored in "cn_only" mode).
# These are the default values for fields which will be placed in the
# certificate. Do not leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email).
#
# NOTE: The following characters are not supported
# in these "Organizational fields" by Easy-RSA:
# back-tick (`)
#
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
# Preserve the Distinguished Name field order
# of the certificate signing request
# *Only* effective in --dn-mode=org
#
#set_var EASYRSA_PRESERVE_DN 1
# Set no password mode - This will create the entire PKI without passwords.
# This can be better managed by choosing which entity private keys should be
# encrypted with the following command line options:
# Global option '--no-pass' or command option 'nopass'.
#
#set_var EASYRSA_NO_PASS 1
# Choose a size in bits for your keypairs. The recommended value is 2048.
# Using 2048-bit keys is considered more than sufficient for many years into
# the future. Larger keysizes will slow down TLS negotiation and make key/DH
# param generation take much longer. Values up to 4096 should be accepted by
# most software. Only used when the crypto alg is rsa, see below.
#
#set_var EASYRSA_KEY_SIZE 2048
# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec
# * ed
#
#set_var EASYRSA_ALGO rsa
# Define the named curve, used in ec & ed modes:
#
#set_var EASYRSA_CURVE secp384r1
# In how many days should the root CA key expire?
#
#set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
#
#set_var EASYRSA_CERT_EXPIRE 825
# How many days until the next CRL publish date? Note that the CRL can still
# be parsed after this timeframe passes. It is only used for an expected next
# publication date.
#
#set_var EASYRSA_CRL_DAYS 180
# Random serial numbers by default.
# Set to 'no' for the old incremental serial numbers.
#
#set_var EASYRSA_RAND_SN "yes"
# Cut-off window for checking expiring certificates.
#
#set_var EASYRSA_PRE_EXPIRY_WINDOW 90
VARS_EXAMPLE
} # => create_vars_example()
# Create openssl-easyrsa.cnf
create_openssl_easyrsa_cnf() {
cat << "SSL_CONFIG"
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::EASYRSA_PKI # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs_by_serial # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = basic_exts # The extensions to add to the cert
# A placeholder to handle the --copy-ext feature:
#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
preserve = no # keep passed DN ordering
# This allows to renew certificates which have not been revoked
unique_subject = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
serialNumber = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = $ENV::EASYRSA_KEY_SIZE
default_keyfile = privkey.pem
default_md = $ENV::EASYRSA_DIGEST
distinguished_name = $ENV::EASYRSA_DN
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::EASYRSA_REQ_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
emailAddress = Email Address
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max = 64
serialNumber = Serial-number (eg, device serial-number)
serialNumber_default = $ENV::EASYRSA_REQ_SERIAL
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always'
SSL_CONFIG
} # => create_openssl_easyrsa_cnf()
############################################################################
# Upgrade v2 PKI to v3 PKI