Add initial 3.x codebase files

This is the initial re-write for the 3.x release series.

Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Josh Cepek 2013-11-18 02:54:07 -06:00
parent 346adba3f3
commit b0494ab243
21 changed files with 2715 additions and 0 deletions

COPYING Normal file

@ -0,0 +1,32 @@
Easy-RSA -- A Shell-based CA Utility
Copyright (C) 2013 by the Open-Source OpenVPN development community
Easy-RSA 3 license: GPLv2:
-------------------------
All the Easy-RSA code contained in this project falls under a GPLv2 license with
full text available in the Licensing/ directory. Additional components used by
this project fall under additional licenses:
Additional licenses for external components:
-------------------------------------------
The following components are under different licenses; while not part of the
Easy-RSA source code, these components are used by Easy-RSA or provided in
platform distributions as described below:
### OpenSSL
OpenSSL is not linked by Easy-RSA, nor is it currently provided in any release
package by Easy-RSA. However, Easy-RSA is tightly coupled with OpenSSL, so
effective use of this code will require your acceptance and installation of
OpenSSL.
### Additional Windows Components
The Windows binary package includes mksh/Win32 and unxutils binary components,
with full licensing details available in the distro/windows/Licensing/
subdirectory of this project. mksh/Win32 is under a MirOS license (with some
additional component licenses present there) and unxutils is under a GPLv2
license.

ChangeLog Normal file

@ -0,0 +1,7 @@
Easy-RSA 3 ChangeLog
3.x: (Current development cycle; upcoming release series)
* The 3.x release is a nearly complete re-write of the 2.x codebase
* Initial 3.x series code by Josh Cepek <josh.cepek AT usa.net> with
ongoing maintenance by the OpenVPN community development team and
associated contributors

Licensing/gpl-2.0.txt Normal file

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

README Normal file

@ -0,0 +1,23 @@
STRUCTURE:
The easy-rsa master branch is currently tracking development for the 3.x release
cycle. The prior 2.x and 1.x versions are available as release branches for
tracking and possible back-porting of relevant fixes. Branch layout is:
release/1.x
release/2.x
master <- 3.x, at present
DOWNLOADS:
If you are looking for release downloads, please see the releases section on
GitHub. Releases are also available as source checkouts using named tags.
DOCUMENTATION:
For 3.x project documentation and usage, see the README.quickstart.md file or
the more detailed docs under the doc/ directory. The .md files are in Markdown
format and can be converted to html files as desired for release packages, or
read as-is in plaintext.
LICENSING info for 3.x is in the COPYING file

README.quickstart.md Normal file

@ -0,0 +1,84 @@
Easy-RSA 3 Quickstart README
============================
This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage
and specific commands by running easyrsa with the 'help' command. Additional
documentation can be found in the doc/ directory.
Setup and signing the first request
-----------------------------------
A quick run-though of what needs to happen to start a new PKI and sign your
first entity certificate.
1. Choose a system to act as your CA and create a new PKI and CA:
./easyrsa init-pki
./easyrsa build-ca
2. On the separate system that is requesting a certificate, init its own PKI and
generate a keypair/request. Note that the init-pki is used _only_ when this
is done on a separate system (or at least a separate PKI dir.) This is the
recommended procedure. If you are not using this recommended procedure, skip
the next import-req step as well.
./easyrsa init-pki
./easyrsa gen-req EntityName
3. Transport the request (.req file) to the CA system and import it. The name
given here is arbitrary and only used to name the request file.
./easyrsa import-req /tmp/path/to/import.req EntityName
4. Sign the request as the correct type. This example uses a client type:
./easyrsa sign-req client EntityName
5. Transport the newly signed certificate to the requesting entity. This entity
may also need the CA cert (ca.crt) unless it had a prior copy.
6. The entity now has its own keypair, and signed cert, and the CA.
Signing subsequent requests
---------------------------
Follow steps 2-6 above to generate subsequent keypairs and have the CA returned
signed certificates.
Revoking certs and creating CRLs
--------------------------------
This is a CA-specific task.
To permanently revoke an issued certificate, provide the short name used during
import:
./easyrsa revoke EntityName
To create an updated CRL that contains all revoked certs up to that point:
./easyrsa gen-crl
After generation, the CRL will need to be sent to systems that reference it.
Generating Diffie-Hellman (DH) params
-------------------------------------
After initializing a PKI, any entity can create DH params that needs them. This
is normally only used by a TLS server. While the CA PKI can generate this, it
makes more sense to do it on the server itself to avoid the need to send the
files to another system after generation.
DH params can be generated with:
./easyrsa gen-dh
Showing details of requests or certs
------------------------------------
To show the details of a request or certificate by referencing the short
EntityName, use one of the following commands. It is an error to call these
without a matching file.
./easyrsa show-req EntityName
./easyrsa show-cert EntityName
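Review bot: Steps 3 and 4 go straight from `import-req` to `sign-req client EntityName` with no step where the CA operator confirms that the imported request actually belongs to the expected entity; since `./easyrsa show-req EntityName` is documented further down in this same file, suggest inserting it between import and signing so the subject and key details are inspected before a certificate is issued. Step 5 should also state that ca.crt has to reach the requesting entity over a channel it trusts, because that file becomes the entity's trust anchor. Minor wording: "quick run-though" should be "run-through"; "Detailed help on usage and specific commands by running easyrsa with the 'help' command" has no verb (e.g. "is available by running"); and "have the CA returned signed certificates" should read "have the CA return signed certificates".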

distro/README Normal file

@ -0,0 +1,5 @@
This distro/ directory contains distro/platform specific tools.
Components that are not platform neutral end up here, sorted into further dirs
based on the platform.

@ -0,0 +1,2 @@
@echo OFF
bin\sh.exe bin\easyrsa-shell-init.sh
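Review bot: `bin\sh.exe bin\easyrsa-shell-init.sh` uses paths relative to the current working directory, so launching the .bat from a shortcut or from another directory fails to find the shell, and if it does run, easyrsa-shell-init.sh then defaults `setup_path` to `$PWD` and points the whole environment at the wrong tree. Suggest `cd /d "%~dp0"` before the call (or prefixing both paths with `%~dp0`) so the script always executes from the directory the batch file lives in.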

@ -0,0 +1,148 @@
Licence
-------
mksh/Win32 is a derived work of The MirBSD Korn Shell and
recognised by The MirOS Project but realised by an independent
developer with support and legal permit by Scalaris AG.
The shell itself comes under The MirOS Licence:
Copyright (c) 2002-2013
The MirOS Project
Copyright (c) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
Thorsten Glaser <tg@mirbsd.org>
Copyright (c) 2010, 2011, 2012, 2013
Michael Langguth <lan@scalaris.com>
Provided that these terms and disclaimer and all copyright notices
are retained or reproduced in an accompanying document, permission
is granted to deal in this work without restriction, including un-
limited rights to use, publicly perform, distribute, sell, modify,
merge, give away, or sublicence.
This work is provided "AS IS" and WITHOUT WARRANTY of any kind, to
the utmost extent permitted by applicable law, neither express nor
implied; without malicious intent or gross negligence. In no event
may a licensor, author or contributor be held liable for indirect,
direct, other damage, loss, or other issues arising in any way out
of dealing in the work, even if advised of the possibility of such
damage or existence of a defect, except proven that it results out
of said person's immediate fault when using the work as intended.
The shell contains strlcpy() under the ISC licence:
Copyright (c) 2006, 2008, 2009
Thorsten Glaser <tg@mirbsd.org>
Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
This version of the shell contains setmode() under the UCB BSD licence:
Copyright (c) 1989, 1993, 1994
The Regents of the University of California. All rights reserved.
This code is derived from software contributed to Berkeley by
Dave Borman at Cray Research, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
The shell includes nedmalloc under the Boost Software License which,
in turn, includes dlmalloc under CC0 (eventually) in its binary.
The "liblan" portability library is covered by The MirOS Licence:
Copyright (c) 1996, 1998, 2003, 2004, 2005, 2010, 2011, 2012, 2013
Scalaris AG, Author: Michael Langguth <lan@scalaris.com>
Provided that these terms and disclaimer and all copyright notices
are retained or reproduced in an accompanying document, permission
is granted to deal in this work without restriction, including un-
limited rights to use, publicly perform, distribute, sell, modify,
merge, give away, or sublicence.
This work is provided "AS IS" and WITHOUT WARRANTY of any kind, to
the utmost extent permitted by applicable law, neither express nor
implied; without malicious intent or gross negligence. In no event
may a licensor, author or contributor be held liable for indirect,
direct, other damage, loss, or other issues arising in any way out
of dealing in the work, even if advised of the possibility of such
damage or existence of a defect, except proven that it results out
of said person's immediate fault when using the work as intended.
It includes an implementation of POSIX directory browsing functions
and types for Win32 under a Historical Permission Notice variant:
Copyright Kevlin Henney, 1997, 2003. All rights reserved.
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose is hereby granted without fee, provided
that this copyright and permissions notice appear in all copies and
derivatives.
This software is supplied "as is" without express or implied warranty.
But that said, if there are any problems please get in touch.
The program shortcut (mkshicon1.ico) is an unregistered trademark:
Copyright (c) 2013 Michael Langguth
Copyright (c) 2006 Benny Siegert
Copyright (c) 2005 Thorsten Glaser
This icon may be used to refer to The MirBSD Korn Shell and
its Win32 port. Distribution patches are acceptable as long
as they modify $KSH_VERSION according to the guidelines that
are published on the website; forks and works that are not
derivates are not allowed to use it.
The BSD daemon is Copyright (c) 1988 by Marshall Kirk McKusick.
All Rights Reserved. Individuals may use the daemon for their
personal use within the bounds of good taste. When reasonably
possible, the text shown above is to be included.
The Shilouette daemon is Copyright (c) 2003 by Rick Collette.
The MirOS Project may freely use the former ekkoBSD Logo,
the shilouette Daemon, for MirBSD, on anything the project
leader sees fit, so long as it pertains to MirBSD in some
way and the leader gives credit for the original daemon to
Marshall Kirk McKusick.

@ -0,0 +1,65 @@
#!/bin/sh
# This script is a frontend designed to create & launch a POSIX shell
# environment suitable for use with Easy-RSA. mksh/Win32 is used with this
# project; use with other POSIX shells for Windows may require modification to
# this wrapper script.
setup_path="${EASYRSA:-$PWD}"
export PATH="$setup_path;$setup_path/bin;$PATH"
export HOME="$setup_path"
# This prevents reading from a user's .mkshrc if they have one.
# A user who runs mksh for other purposes might have it
export ENV="/disable-env"
# Verify required externals are present
extern_list="which awk cp mkdir printf rm"
for f in $extern_list; do
if ! which "${f}.exe" >/dev/null 2>&1; then
echo ""
echo "FATAL: EasyRSA Shell init is missing a required external file:"
echo " ${f}.exe"
echo " Your installation is incomplete and cannot function without the required"
echo " files."
echo ""
echo " Press enter to exit."
read x
exit 1
fi
done
# set_var is defined as any vars file needs it.
# This is the same as in easyrsa, but we _don't_ export
set_var() {
local var=$1
shift
local value="$*"
eval "$var=\"\${$var-$value}\""
} #=> set_var()
# Check for a usable openssl bin, referencing vars if present
[ -r "vars" ] && EASYRSA_CALLER=1 . "vars" 2>/dev/null
if [ -z "$EASYRSA_OPENSSL" ] && ! which openssl.exe >/dev/null 2>&1; then
echo "WARNING: openssl isn't in your system PATH. The openssl binary must be"
echo " available in the PATH, defined in the 'vars' file, or defined in the"
echo " OPENSSL environment variable. See README-Windows.txt for more info."
fi
[ -f "$setup_path/easyrsa" ] || {
echo "Missing easyrsa script. Expected to find it at: $setup_path/easyrsa"
exit 2
}
# Set prompt and welcome message
export PS1='
EasyRSA Shell
# '
echo ""
echo "Welcome to the EasyRSA 3 Shell for Windows."
echo "Easy-RSA 3 is available under a GNU GPLv2 license."
echo ""
echo "Invoke './easyrsa' to call the program. Without commands, help is displayed."
# Drop to a shell and await input
bin/sh
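Review bot: the wrapper resolves the vars file and the final shell relative to the current directory while it checks for easyrsa under `$setup_path`: `[ -r "vars" ] && EASYRSA_CALLER=1 . "vars" 2>/dev/null` and the closing `bin/sh` both assume `$PWD` is `$setup_path`, so when EASYRSA points somewhere else the vars file is silently skipped and the shell launch fails right after the welcome banner. Use `"$setup_path/vars"` and `exec "$setup_path/bin/sh"` (or plain `sh`, since `$setup_path/bin` is already on PATH). The warning text also names the wrong variable: the test reads `$EASYRSA_OPENSSL` but the message tells the user it can be "defined in the OPENSSL environment variable". Minor: the comment above `export ENV="/disable-env"` stops mid-sentence, `read x` should be `read -r x`, and `set_var` passes the value through `eval`, so a value containing `"` or `$` breaks or gets expanded; acceptable for a trusted vars file, but worth saying in the comment.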


@ -0,0 +1,117 @@
Easy-RSA 3 Windows README
Easy-RSA 3 runs POSIX shell code, so use on Windows has some additional
requirements: an OpenSSL installation, and a usable shell environment.
Contents of this file:
1. OpenSSL
2. shell environment
3. Windows paths
4. Appendix:
4.1: reference links
4.2: license of included components
1. Obtaining OpenSSL for use with Easy-RSA
There are a couple of ways to do this:
(A) If you are using OpenVPN, the easiest solution is to install the OpenSSL
program components and add openvpn to the system PATH; this is offered as an
installation option as part of OpenVPN.
(B) Optionally, install an OpenSSL package, such as from the openssl.org
website (see appendix.) In this case it will be required to do one of the
following:
(1) Add the location of openssl.exe to the system PATH
(2) Define the OPENSSL env-var to reference the full path to openssl.exe
(3) Edit the vars file (copy vars.example as a starting point) as instructed
in the comments
NOTE: for options 2 & 3 above, see section 3 below called "Windows Paths"
2. Getting a POSIX shell
The binary release of Easy-RSA 3 comes bundled with the mksh/Win32 shell
environment and a handful of shell utility programs from the unxutils
project. This is the easiest way to get a usable shell environment.
(A) Using the mksh/Win32 shell
With the Windows binary Easy-RSA download, all the necessary utilities
are already present. Starting a shell environment is accomplished by
running the `EasyRSA Start.bat` file.
A basic collection of shell utilities is included, such as ls, cat, mv,
and so on. Additional programs can be manually installed from the
unxutils project (link in appendix); this is intentionally a limited set
of programs since most Windows users will use native methods to perform
filesystem manipulation.
(B) Using a full POSIX environment (Advanced users only)
An environment such as Cygwin can provide the necessary POSIX environment
for the Easy-RSA shell code to run. However, Cygwin paths are not usable
by native Win32 applications. This means that the OpenSSL installation
used must also understand Cygwin paths or command calls will fail.
Provided this requirement is met, Cygwin can directly run the easyrsa
script without any special interpreter or startup wrapper.
3. Windows Paths
The provided mksh/Win32 shell understands Windows paths. However, you MUST
either:
* Use forward slashes instead of single backslashes, or
* Use double-backslashes.
This means the following path formats are accepted:
"C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
"C:\\Program Files\\OpenSSL-Win32\\bin\\openssl.exe"
This is primarily to reference a functioning OpenSSL installation (see
section 1 above) but applies to any other paths used in env-vars, the `vars`
file, or in shell commands such as ls, cd, and so on.
4. Appendix
4.1: Reference Links
* OpenSSL website:
https://www.openssl.org
* OpenSSL binary distribution links:
https://www.openssl.org/related/binaries.html
* OpenSSL download page, built by "Shining Light Productions"
http://slproweb.com/products/Win32OpenSSL.html
NOTE: if using the "Shining Light Productions" version, the "Light"
download is fine. 32 or 64-bit is also OK (if you have a 64-bit OS.)
* UnxUtils project:
http://sourceforge.net/projects/unxutils
4.2: License of included components
Text-format copies of these licenses are available in the Licensing/
directory.
(A) Easy-RSA 3 is released under a GPLv2 license:
https://www.gnu.org/licenses/gpl-2.0.html
(B) mksh/Win32 is under a MirOS license:
https://www.mirbsd.org/MirOS-Licence.htm
Additional library components of mksh/Win32 are covered under additional
licenses. See Licensing/mksh-Win32.txt for details.
(C) unxutils is released under a GPLv2 license
The full source for this win32 port can be found here:
http://sourceforge.net/projects/unxutils/
vim: wrap tw=80 expandtab
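Review bot: option (B)(2) in section 1 says to "Define the OPENSSL env-var to reference the full path to openssl.exe", but the start wrapper and the advanced reference both read `EASYRSA_OPENSSL`; an `OPENSSL` variable is ignored, so the text should name `EASYRSA_OPENSSL`. Option (A) says to "add openvpn to the system PATH"; say which directory must be on PATH (the one containing openssl.exe), since that is what the wrapper's `which openssl.exe` check looks for. The contents list also does not match the headings ("2. shell environment" vs "2. Getting a POSIX shell"). Style: the binary download links are plain http while openssl.org is https; prefer https for anything a user fetches a crypto binary from.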

109
doc/EasyRSA-Advanced.md Normal file

@ -0,0 +1,109 @@
Easy-RSA Advanced Reference
=============================
This is a technical reference for advanced users familiar with PKI processes. If
you need a more detailed description, see the `EasyRSA-Readme` or `Intro-To-PKI`
docs instead.
Configuration Reference
-----------------------
#### Configuration Sources
There are 3 possible ways to perform external configuration of Easy-RSA,
selected in the following order where the first defined result wins:
1. Commmand-line option
2. Environmental variable
3. 'vars' file, if one is present (see `vars Autodetection` below)
4. Built-in default
Note that not every possible config option can be set everywhere, although any
env-var can be added to the 'vars' file even if it's not shown by default.
#### vars Autodetection
A 'vars' file is a file named simply `vars` (without an extension) that
Easy-RSA will source for configuration. This file is specifically designed
*not* to replace variables that have been set with a higher-priority method
such as CLI opts or env-vars.
The following locations are checked, in this order, for a vars file. Only the
first one found is used:
1. File referenced by the --vars CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
3. The `EASYRSA_PKI` directory
4. The `EASYRSA` directory
5. The location of the easyrsa program (usually will be the same as above)
Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
file in all cases, including defining it subsequently as a global option.
#### OpenSSL Config
Easy-RSA is tightly coupled to the OpenSSL config file (.cnf) for the
flexibility the script provides. It is required that this file be available,
yet it is possible to use a different OpenSSL config file for a particular
PKI, or even change it for a particular invocation.
The OpenSSL config file is searched for in the following order:
1. The env-var `EASYRSA_SSL_CONF`
2. The 'vars' file (see `vars Autodetection` above)
3. The `EASYRSA_PKI` directory with a filename of `openssl-1.0.cnf`
4. The `EASYRSA` directory with a filename of `openssl-1.0.cnf`
Advanced extension handling
---------------------------
Normally the cert extensions are selected by the cert type given on the CLI
during signing; this causes the matching file in the x509-types subdirectory to
be processed for OpenSSL extensions to add. This can be overridden in a
particular PKI by placing another x509-types dir inside the `EASYRSA_PKI` dir
which will be used instead.
The file named `COMMON` in the x509-types dir is appended to every cert type;
this is designed for CDP usage, but can be used for any extension that should
apply to every signed cert.
Additionally, the contents of the env-var `EASYRSA_EXTRA_EXTS` is appended with
its raw text added to the OpenSSL extensions. The contents are appended as-is to
the cert extensions; invalid OpenSSL configs will usually result in failure.
Environmental Variables Reference
---------------------------------
A list of env-vars, any matching global option (CLI) to set/override it, and a
possible terse description is shown below:
* `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD
* `EASYRSA_OPENSSL` - command to invoke openssl
* `EASYRSA_SSL_CONF` - the openssl config file to use
* `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files
* `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
alter the fields to include in the req DN
* `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
* `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with
org mode
* `EASYRSA_REQ_CITY` (CLI: `--req-city`) - set the DN city/locality with org
mode
* `EASYRSA_REQ_ORG` (CLI: `--req-org`) - set the DN organization with org mode
* `EASYRSA_REQ_EMAIL` (CLI: `--req-email`) - set the DN email with org mode
* `EASYRSA_REQ_OU` (CLI: `--req-ou`) - set the DN organizational unit with org
mode
* `EASYRSA_KEY_SIZE` (CLI: `--key-size`) - set the keysize in bits to generate
* `EASYRSA_CA_EXPIRE` (CLI: `--days`) - set the CA expiration time in days
* `EASYRSA_CERT_EXPIRE` (CLI: `--days`) - set the issued cert expiration time
in days
* `EASYRSA_CRL_DAYS` (CLI: `--days`) - set the CRL 'next publish' time in days
* `EASYRSA_NS_SUPPORT` (CLI: `--ns-cert`) - string 'yes' or 'no' fields to
include the deprecated Netscape extensions
* `EASYRSA_NS_COMMENT` (CLI: `--ns-comment`) - string comment to include when
using the deprecated Netscape extensions
* `EASYRSA_TEMP_FILE` - a temp file to use when dynamically creating req/cert
extensions
* `EASYRSA_REQ_CN` (CLI: `--req-cn`) - default CN, necessary to set in BATCH
mode
* `EASYRSA_DIGEST` (CLI: `--digest`) - set a hash diget to use for req/cert
signing
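Review bot: the env-var list maps three different variables (`EASYRSA_CA_EXPIRE`, `EASYRSA_CERT_EXPIRE`, `EASYRSA_CRL_DAYS`) to the same CLI option `--days`, so the reference should state which one `--days` sets, or that it depends on the command being run (build-ca, signing, or gen-crl). `EASYRSA_EXTRA_EXTS` is described as appended "as-is" to the OpenSSL extensions; say explicitly that its contents are trusted configuration and are not validated, since a stray section header or directive there changes what ends up in the issued certificate. Typos: "Commmand-line option", "hash diget", and "Environmental Variables" (environment variables).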

235
doc/EasyRSA-Readme.md Normal file

@ -0,0 +1,235 @@
Easy-RSA 3 Documentation Readme
===============================
This document explains how Easy-RSA 3 and each of its assorted features work.
If you are looking for a quickstart with less background or detail, an
implementation-specific Howto or Readme may be available in this (the `doc/`)
directory.
Easy-RSA Overview
-----------------
Easy-RSA is a utility for managing X.509 PKI, or Public Key Infrastructure. A
PKI is based on the notion of trusting a particular authority to authenticate a
remote peer; for more background on how PKI works, see the `Intro-To-PKI`
document.
The code is written in platform-neutral POSIX shell, allowing use on a wide
range of host systems. The official Windows release also comes bundled with the
programs necessary to use Easy-RSA. The shell code attempts to limit the number
of external programs it depends on. Crypto-related tasks use openssl as the
functional backend.
Feature Highlights
------------------
Here's a non-exhaustive list of the more notable Easy-RSA features:
* Easy-RSA is able to manage multiple PKIs, each with their own independent
configuration, storage directory, and X.509 extension handling.
* Multiple Subject Name (X.509 DN field) formatting options are supported. For
VPNs, this means a cleaner commonName only setup can be used.
* A single backend is used across all supported platforms, ensuring that no
platform is 'left out' of the rich features. Unix-alikes (BSD, Linux, etc)
and Windows are all supported.
* Easy-RSA's X.509 support includes CRL, CDP, keyUsage/eKu attributes, and
additional features. The included support can be changed or extended as an
advanced feature.
* Interactive and automated (batch) modes of operation
* Flexible configuration: features can be enabled through command-line
options, environment variables, a config file, or a combination of these.
* Built-in defaults allow Easy-RSA to be used without first editing a config
file.
Obtaining and Using Easy-RSA
----------------------------
#### Download and extraction (installation)
Easy-RSA's main program is a script, supported by a couple of config files. As
such, there is no formal "installation" required. Preparing to use Easy-RSA is
as simple as downloading the compressed package (.tar.gz for Linux/Unix or
.zip for Windows) and extract it to a location of your choosing. There is no
compiling or OS-dependent setup required.
You should install and run Easy-RSA as a non-root (non-Administrator) account
as root access is not required.
#### Running Easy-RSA
Invoking Easy-RSA is done through your preferred shell. Under Windows, you
will use the `EasyRSA Start.bat` program to provide a POSIX-shell environment
suitable for using Easy-RSA.
The basic format for running commands is:
./easyrsa command [ cmd-opts ]
where `command` is the name of a command to run, and `cmd-opts` are any
options to supply to the command. Some commands have mandatory or optional
cmd-opts. Note the leading `./` component of the command: this is required in
Unix-like environments and may be a new concept to some Windows users.
General usage and command help can be shown with:
./easyrsa help [ command ]
When run without any command, general usage and a list of available commands
are shown; when a command is supplied, detailed help output for that command
is shown.
Configuring Easy-RSA
--------------------
Easy-RSA 3 no longer needs any configuration file prior to operation, unlike
earlier versions. However, the `vars.example` file contains many commented
options that can be used to control non-default behavior as required. Reading
this file will provide an idea of the basic configuration available. Note that
a vars file must be named just `vars` (without an extension) to actively use it.
Additionally, some options can be defined at runtime with options on the
command-line. A full list can be shown with:
./easyrsa help options
Any of these options can appear before the command as required as shown below:
./easyrsa [options] command [ cmd-opts ]
For experts, additional configuration flexibility is available by way of
env-vars and custom X.509 extensions. Consult the `EasyRSA-Advanced`
documentation for details
Getting Started: The Basics
---------------------------
Some of the terms used here will be common to those familiar with how PKI works.
Instead of describing PKI basics, please consult the document `Intro-To-PKI` if
you need a more basic description of how a PKI works.
#### Creating an Easy-RSA PKI
In order to do something useful, Easy-RSA needs to first initialize a
directory for the PKI. Multiple PKIs can be managed with a single installation
of Easy-RSA, but the default directory is called simply "pki" unless otherwise
specified.
To create or clear out (re-initialize) a new PKI, use the command:
./easyrsa init-pki
which will create a new, blank PKI structure ready to be used. Once created,
this PKI can be used to make a new CA or generate keypairs.
#### The PKI Directory Structure
An Easy-RSA PKI contains the following directory structure:
* private/ - dir with private keys generated on this host
* reqs/ - dir with locally generated certificate requests (for a CA imported
requests are stored here)
In a clean PKI no files will exist until, just the bare directories. Commands
called later will create the necessary files depending on the operation.
When building a CA, a number of new files are created by a combination of
Easy-RSA and (indirectly) openssl. The important CA files are:
* `ca.crt` - This is the CA certificate
* `index.txt` - This is the "master database" of all issued certs
* `serial` - Stores the next serial number (serial numbers increment)
* `private/ca.key` - This is the CA private key (security-critical)
* `certs_by_serial/` - dir with all CA-signed certs by serial number
* `issued/` - dir with issued certs by commonName
#### After Creating a PKI
Once you have created a PKI, the next useful step will be to either create a
CA, or generate keypairs for a system that needs them. Continue with the
relevant section below.
Using Easy-RSA as a CA
----------------------
#### Building the CA
In order to sign requests to produce certificates, you need a CA. To create a
new CA in a PKI you have created, run:
./easyrsa build-ca
Be sure to use a strong passphrase to protect the CA private key. Note that
you must supply this passphrase in the future when performing signing
operations with your CA, so be sure to remember it.
During the creation process, you will also select a name for the CA called the
Common Name (CN.) This name is purely for display purposes and can be set as
you like.
#### Importing requests to the CA
Once a CA is built, the PKI is intended to be used to import requests from
external systems that are requesting a signed certificate from this CA. In
order to sign the request, it must first be imported so Easy-RSA knows about
it. This request file must be a standard CSR in PKCS#10 format.
Regardless of the file name to import, Easy-RSA uses a "short name" defined
during import to refer to this request. Importing works like this:
./easyrsa import-req /path/to/request.req nameOfRequest
The nameOfRequest should normally refer to the system or person making the
request.
#### Signing a request
Once Easy-RSA has imported a request, it can be reviewed and signed. Every
certificate needs a "type" which controls what extensions the certificate gets
Easy-RSA ships with 3 possible types: `client`, `server`, and `ca`, described
below:
* client - A TLS client, suitable for a VPN user or web browser (web client)
* server - A TLS server, suitable for a VPN or web server
* ca - A subordinate CA, used when chaining multiple CAs together
Additional types of certs may be defined by local sites as needed; see the
advanced documentation for details.
#### Revoking and publishing CRLs
If an issue certificate needs to be revoked, this can be done as follows:
./easyrsa revoke nameOfRequest
To generate a CRL suitable for publishing to systems that use it, run:
./easyrsa gen-crl
Note that this will need to be published or sent to systems that rely on an
up-to-date CRL as the certificate is still otherwise valid.
Using Easy-RSA to generate keypairs & requests
----------------------------------------------
Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This
request is what a CA needs in order to generate and return a signed certificate.
Ideally you should never generate entity keypairs for a client or server in a
PKI you are using for your CA. It is best to separate this process and generate
keypairs only on the systems you plan to use them.
Easy-RSA can generate a keypair and request with the following command:
./easyrsa gen-req nameOfRequest
You will then be given a chance to modify the Subject details of your request.
By default Easy-RSA uses the short name supplied on the command-line, though you
are free to change it if necessary. After providing a passphrase and Subject
details, the keypair and request files will be shown.
In order to obtain a signed certificate, the request file must be sent to the
CA for signing; this step is obviously not required if a single PKI is used as
both the CA and keypair/request generation as the generated request is already
"imported."
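Review bot: the "Signing a request" section explains the cert types but never shows the signing invocation, unlike every other section (`./easyrsa import-req ...`, `./easyrsa revoke ...`); add the command line so the CA workflow is complete. "The PKI Directory Structure" lists only `private/` and `reqs/`, yet the CA file list just below adds `certs_by_serial/` and `issued/`; either list all directories once or say the latter are created by build-ca. Garbled sentence: "In a clean PKI no files will exist until, just the bare directories." Typo: "If an issue certificate" should read "issued". Since `private/ca.key` is flagged as security-critical, the build-ca section could also point readers to the dedicated/offline-system advice in Intro-To-PKI rather than only asking for a strong passphrase.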

97
doc/Intro-To-PKI.md Normal file

@ -0,0 +1,97 @@
Introduction to PKI
===================
This document is designed to give you a brief introduction into how a PKI, or
Public Key Infrastructure, works.
Terminology Used
----------------
To avoid confusion, the following terms will be used throughout the Easy-RSA
documentation. Short forms may be substituted for longer forms as convenient.
* **PKI**: Public Key Infrastructure. This describes the collection of files
and associations between the CA, keypairs, requests, and certificates.
* **CA**: Certificate Authority. This is the "master cert" at the root of a
PKI.
* **cert**: Certificate. A certificate is a request that has been signed by a
CA. The certificate contains the public key, some details describing the
cert itself, and a digital signature from the CA.
* **request**: Certificate Request (optionally 'req'.) This is a request for a
certificate that is then send to a CA for signing. A request contains the
desired cert information along with a digital signature from the private
key.
* **keypair**: A keypair is an asymmetric cryptographic pair of keys. These
keys are split into two parts: the public and private keys. The public key
is included in a request and certificate.
The CA
------
The heart of a PKI is the CA, or Certificate Authority, and this is also the
most security-sensitive. The CA private key is used to sign all issued
certificates, so its security is critical in keeping the entire PKI safe. For
this reason, it is highly recommended that the CA PKI structure be kept on a
system dedicated for such secure usage; it is not a great idea to keep the CA
PKI mixed in with one used to generate end-entity certificates, such as clients
or servers (VPN or web servers.)
To start a new PKI, the CA is first created on the secure environment.
Depending on security needs, this could managed under a locked down account,
dedicated system, or even a completely offline system or using removable media
to improve security (after all, you can't suffer an online break-in if your
system or PKI is not online.) The exact steps to create a CA are described in a
separate section. When creating a new CA, the CA keypair (private and public
keys) are created, as well as the file structure necessary to support signing
issued certificates.
Once a CA has been created, it can receive certificate requests from
end-entities. These entity certificates are issued to consumers of X509
certificates, such as a client or server of a VPN, web, or email system. The
certificate requests and certificates are not security-sensitive, and can be
transferred in whatever means convenient, such as email, flash drive, etc. For
better security, it is a good idea to verify the received request matches the
sender's copy, such as by verifying the expected checksum against the sender's
original.
Keypairs and requests
---------------------
Individual end-entities do not need a full CA set up and will only need to
create a keypair and associated certificate request. The private key is not used
anywhere except on this entity, and should never leave that system. It is wise
to secure this private key with a strong passphrase, because if lost or stolen
the holder of the private key can make connections appearing as the certificate
holder.
Once a keypair is generated, the certificate request is created and digitally
signed using the private key. This request will be sent to a CA for signing, and
a signed certificate will be returned.
How requests become certificates
--------------------------------
After a CA signs the certificate request, a signed certificate is produced. In
this step, the CA's private key is used to digitally sign the entity's public
key so that any system trusting the CA certificate can implicitly trust the
newly issued certificate. This signed certificate is then sent back to the
requesting entity. The issued certificate is not security-sensitive and can be
sent over plaintext transmission methods.
Verifying an issued certificate
-------------------------------
After 2 entities have created keypairs, sent their requests to the CA, and
received a copy of their signed certificates and the CA's own certificate, they
can mutually authenticate with one-another. This process does not require the 2
entities to have previously exchanged any kind of security information directly.
During a TLS handshake each side of the connection presents their own cert chain
to the remote end. Each side checks the validity of the cert received against
their own copy of the CA cert. By trusting the CA root cert, the peer they are
talking to can be authenticated.
The remote end proves it "really is" the entity identified by the cert by
signing a bit of data using its own private key. Only the holder of the private
key is able to do this, allowing the remote end to verify the authenticity of
the system being connected to.
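Review bot: "the CA's private key is used to digitally sign the entity's public key" understates what is signed: the signature covers the whole to-be-signed certificate (public key, subject, validity, and extensions), which is why a peer can trust those fields and not just the key; reword so it does not imply only the key is protected. "Verifying an issued certificate" should mention revocation: checking "against their own copy of the CA cert" is not sufficient once a cert has been revoked, and the Readme's gen-crl section exists for exactly that. Typos: "is then send to a CA" (sent), "this could managed" (could be managed), and "X509" where the rest of the docs write "X.509".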

18
doc/TODO Normal file

@ -0,0 +1,18 @@
Easy-RSA 3 TODO / wishlist
Feature support:
* makefile
* It may be useful to port the Makefile from the 2.x series
* This may be desirable for building and downstream packaging
* add pkcs11 support
* Much of this may be distro-dependent
* Keep platform-specific tools separate from platform-neutral code
* add detection for duplicate CN prior to OpenSSL failure
* This gets tricky if `updatedb` requires a CA passphrase
* It would help to warn users before OpenSSL throws errors
Longer term wishlist:
* Support openssl's -password source mechanism:
* allow for batching currently "unbatchable" operations, like pkcs12
* support one password input that can apply to multiple operations
* support a variety of password sources (interactive, pipe, file, etc)
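Review bot: the wishlist item "Support openssl's -password source mechanism" names an option that does not exist; OpenSSL's pass phrase handling is the `-passin`/`-passout` arguments with `pass:`, `env:`, `file:`, `fd:` and `stdin` sources, which already cover the three sub-bullets, so the item should reference those. Also `updatedb` in the duplicate-CN item is not a command named anywhere else in this commit; clarify whether it means the openssl ca database update or an Easy-RSA internal step.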

1071
easyrsa3/easyrsa Executable file

File diff suppressed because it is too large

139
easyrsa3/openssl-1.0.cnf Normal file

@ -0,0 +1,139 @@
# For use with Easy-RSA 3.0 and OpenSSL 1.0.*
RANDFILE = $ENV::EASYRSA_PKI/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::EASYRSA_PKI # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs_by_serial # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = basic_exts # The extentions to add to the cert
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = $ENV::EASYRSA_KEY_SIZE
default_keyfile = privkey.pem
default_md = $ENV::EASYRSA_DIGEST
distinguished_name = $ENV::EASYRSA_DN
x509_extensions = easyrsa_ca # The extentions to add to the self signed cert
# A section to handle the $EXTRA_EXTS feature
req_extensions = req_extra
[ req_extra ]
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::EASYRSA_REQ_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
emailAddress = Email Address
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max = 64
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
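Review bot: `basicConstraints = CA:true` in `[ easyrsa_ca ]` should be `critical,CA:true`; RFC 5280 section 4.2.1.9 requires basicConstraints to be critical in CA certificates whose key signs other certificates, and a verifier that does not understand basicConstraints cannot enforce path constraints anyway, so leaving it non-critical for "broken clients" buys nothing. `keyUsage = cRLSign, keyCertSign` should likewise be marked critical. `RANDFILE` is defined twice with different names, `$ENV::EASYRSA_PKI/.rnd` at the top and `$dir/.rand` in `[ CA_default ]`; keep one. `authorityKeyIdentifier` differs between `[ basic_exts ]` (`keyid,issuer:always`) and `[ easyrsa_ca ]` (`keyid:always,issuer:always`) without explanation. Typos: "extentions" (twice) and "A few difference way"; the comment "use public key default MD" is stale now that default_md comes from `$ENV::EASYRSA_DIGEST`.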

187
easyrsa3/vars.example Normal file

@ -0,0 +1,187 @@
# Easy-RSA 3 parameter settings
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.
# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file 'vars' if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.
#
# All of the editable settings are shown commented and start with the command
# 'set_var' -- this means any set_var command that is uncommented has been
# modified by the user. If you're happy with a default, there is no need to
# define the value to its default.
# NOTES FOR WINDOWS USERS
#
# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# A little housekeeping: DON'T EDIT THIS SECTION
#
# Easy-RSA 3.x doesn't source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
# DO YOUR EDITS BELOW THIS POINT
# This variable should point to the top level of the easy-rsa tree. By default,
# this is taken to be the directory you are currently in.
#set_var EASYRSA "$PWD"
# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.
#set_var EASYRSA_OPENSSL "openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# Edit this variable to point to your soon-to-be-created key directory.
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)
#set_var EASYRSA_PKI "$EASYRSA/pki"
# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below aren't used.
#
# Choices are:
# cn_only - use just a CN value
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
#set_var EASYRSA_DN "cn_only"
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software.
#set_var EASYRSA_KEY_SIZE 2048
# In how many days should the root CA key expire?
#set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
#set_var EASYRSA_CERT_EXPIRE 3650
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 180
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no". When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.
#set_var EASYRSA_NS_SUPPORT "no"
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.
#set_var EASYRSA_TEMP_FILE "$PKI_DIR/extensions.temp"
# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!
# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command. The symptom will be
# some form of a 'command not found' error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you're doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"
# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named 'COMMON' is included first when present. Note that
# when undefined here, default behaviour is to look in $PKI_DIR first, then
# fallback to $EASYRSA for the 'x509-types' dir. You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-1.0.cnf from the
# PKI_DIR or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.
#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
# Defualt CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.
#set_var EASYRSA_REQ_CN "ChangeMe"
# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
#set_var EASYRSA_DIGEST "sha256"
# Batch mode. Leave this disabled (set to 0) unless you intend to call Easy-RSA
# explicitly in batch mode without any user input, confirmation on dangerous
# operations, or most output.
#set_var EASYRSA_BATCH 0
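Review bot: the commented default for the staging file references a variable this file never defines: `#set_var EASYRSA_TEMP_FILE "$PKI_DIR/extensions.temp"`, and the X509 extensions-directory and OpenSSL-config comments also talk about `$PKI_DIR`, while the PKI directory variable actually defined above is `EASYRSA_PKI` (`#set_var EASYRSA_PKI "$EASYRSA/pki"`). A user who uncomments the line as written gets `/extensions.temp` when `PKI_DIR` is unset, so either change the default to `"$EASYRSA_PKI/extensions.temp"` or make the comments use the real name. Two further points in the same hunk: the EASYRSA_DIGEST comment lists md5 and sha1 as valid choices next to the sha256 default, which invites their use for new signatures; since the comment already warns about security implications, consider dropping them from the list or labelling them legacy-only. The suggestion of /tmp or /dev/shm for the temp file also puts a predictable filename in a world-writable directory, which is worth a sentence of caution in the comment. Finally, "Defualt CN" is a typo for "Default CN".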


@ -0,0 +1,7 @@
# X509 extensions added to every signed cert
# This file is included for every cert signed, and by default does nothing.
# It could be used to add values every cert should have, such as a CDP as
# demonstrated in the following example:
#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl

13
easyrsa3/x509-types/ca Normal file

@ -0,0 +1,13 @@
# X509 extensions for a ca
# Note that basicConstraints will be overridden by Easy-RSA when defining a
# CA_PATH_LEN for CA path length limits. You could also do this here
# manually as in the following example in place of the existing line:
#
# basicConstraints = CA:TRUE, pathlen:1
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
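Review bot: basicConstraints and keyUsage in the ca type are not marked critical. RFC 5280 requires the basicConstraints extension to be critical in CA certificates and recommends the same for keyUsage, so these two lines should read `basicConstraints = critical, CA:TRUE` and `keyUsage = critical, cRLSign, keyCertSign`; the commented pathlen example (`basicConstraints = CA:TRUE, pathlen:1`) should carry `critical` as well so that anyone copying it in place of the live line keeps the same property.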


@ -0,0 +1,8 @@
# X509 extensions for a client
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature


@ -0,0 +1,8 @@
# X509 extensions for a server
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment