diff --git a/COPYING b/COPYING new file mode 100644 index 0000000..25b910e --- /dev/null +++ b/COPYING @@ -0,0 +1,32 @@ +Easy-RSA -- A Shell-based CA Utility + +Copyright (C) 2013 by the Open-Source OpenVPN development community + +Easy-RSA 3 license: GPLv2: +------------------------- + +All the Easy-RSA code contained in this project falls under a GPLv2 license with +full text available in the Licensing/ directory. Additional components used by +this project fall under additional licenses: + +Additional licenses for external components: +------------------------------------------- + +The following components are under different licenses; while not part of the +Easy-RSA source code, these components are used by Easy-RSA or provided in +platform distributions as described below: + +### OpenSSL + + OpenSSL is not linked by Easy-RSA, nor is it currently provided in any release + package by Easy-RSA. However, Easy-RSA is tightly coupled with OpenSSL, so + effective use of this code will require your acceptance and installation of + OpenSSL. + +### Additional Windows Components + + The Windows binary package includes mksh/Win32 and unxutils binary components, + with full licensing details available in the distro/windows/Licensing/ + subdirectory of this project. mksh/Win32 is under a MirOS license (with some + additional component licenses present there) and unxutils is under a GPLv2 + license. diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 0000000..a7bedc0 --- /dev/null +++ b/ChangeLog @@ -0,0 +1,7 @@ +Easy-RSA 3 ChangeLog + +3.x: (Current development cycle; upcoming release series) + * The 3.x release is a nearly complete re-write of the 2.x codebase + * Initial 3.x series code by Josh Cepek with + ongoing maintenance by the OpenVPN community development team and + associated contributors diff --git a/Licensing/gpl-2.0.txt b/Licensing/gpl-2.0.txt new file mode 100644 index 0000000..1f963da --- /dev/null +++ b/Licensing/gpl-2.0.txt 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. + diff --git a/README b/README new file mode 100644 index 0000000..2e1abf7 
--- /dev/null +++ b/README @@ -0,0 +1,23 @@ +STRUCTURE: + +The easy-rsa master branch is currently tracking development for the 3.x release +cycle. The prior 2.x and 1.x versions are available as release branches for +tracking and possible back-porting of relevant fixes. Branch layout is: + + release/1.x + release/2.x + master <- 3.x, at present + +DOWNLOADS: + +If you are looking for release downloads, please see the releases section on +GitHub. Releases are also available as source checkouts using named tags. + +DOCUMENTATION: + +For 3.x project documentation and usage, see the README.quickstart.md file or +the more detailed docs under the doc/ directory. The .md files are in Markdown +format and can be converted to html files as desired for release packages, or +read as-is in plaintext. + +LICENSING info for 3.x is in the COPYING file diff --git a/README.quickstart.md b/README.quickstart.md new file mode 100644 index 0000000..5b90447 --- /dev/null +++ b/README.quickstart.md 
@@ -0,0 +1,84 @@ +Easy-RSA 3 Quickstart README +============================ + +This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage +and specific commands by running easyrsa with the 'help' command. Additional +documentation can be found in the doc/ directory. + +Setup and signing the first request +----------------------------------- + +A quick run-though of what needs to happen to start a new PKI and sign your +first entity certificate. + +1. Choose a system to act as your CA and create a new PKI and CA: + + ./easyrsa init-pki + ./easyrsa build-ca + +2. On the separate system that is requesting a certificate, init its own PKI and + generate a keypair/request. Note that the init-pki is used _only_ when this + is done on a separate system (or at least a separate PKI dir.) This is the + recommended procedure. If you are not using this recommended procedure, skip + the next import-req step as well. + + ./easyrsa init-pki + ./easyrsa gen-req EntityName + +3. Transport the request (.req file) to the CA system and import it. The name + given here is arbitrary and only used to name the request file. + + ./easyrsa import-req /tmp/path/to/import.req EntityName + +4. Sign the request as the correct type. This example uses a client type: + + ./easyrsa sign-req client EntityName + +5. Transport the newly signed certificate to the requesting entity. This entity + may also need the CA cert (ca.crt) unless it had a prior copy. + +6. The entity now has its own keypair, and signed cert, and the CA. + +Signing subsequent requests +--------------------------- + +Follow steps 2-6 above to generate subsequent keypairs and have the CA returned +signed certificates. + +Revoking certs and creating CRLs +-------------------------------- + +This is a CA-specific task. 
+ +To permanently revoke an issued certificate, provide the short name used during +import: + + ./easyrsa revoke EntityName + +To create an updated CRL that contains all revoked certs up to that point: + + ./easyrsa gen-crl + +After generation, the CRL will need to be sent to systems that reference it. + +Generating Diffie-Hellman (DH) params +------------------------------------- + +After initializing a PKI, any entity can create DH params that needs them. This +is normally only used by a TLS server. While the CA PKI can generate this, it +makes more sense to do it on the server itself to avoid the need to send the +files to another system after generation. + +DH params can be generated with: + + ./easyrsa gen-dh + +Showing details of requests or certs +------------------------------------ + +To show the details of a request or certificate by referencing the short +EntityName, use one of the following commands. It is an error to call these +without a matching file. + + ./easyrsa show-req EntityName + ./easyrsa show-cert EntityName diff --git a/distro/README b/distro/README new file mode 100644 index 0000000..a74711f --- /dev/null +++ b/distro/README @@ -0,0 +1,5 @@ +This distro/ directory contains distro/platform specific tools. + +Components that are not platform neutral end up here, sorted into further dirs +based on the platform. + diff --git a/distro/windows/EasyRSA Start.bat b/distro/windows/EasyRSA Start.bat new file mode 100644 index 0000000..5bd117c --- /dev/null +++ b/distro/windows/EasyRSA Start.bat @@ -0,0 +1,2 @@ +@echo OFF +bin\sh.exe bin\easyrsa-shell-init.sh \ No newline at end of file diff --git a/distro/windows/Licensing/mksh-Win32.txt b/distro/windows/Licensing/mksh-Win32.txt new file mode 100644 index 0000000..f646763 --- /dev/null +++ b/distro/windows/Licensing/mksh-Win32.txt 
@@ -0,0 +1,148 @@ +Licence +------- + +mksh/Win32 is a derived work of The MirBSD Korn Shell and +recognised by The MirOS Project but realised by an independent +developer with support and legal permit by Scalaris AG. + + +The shell itself comes under The MirOS Licence: + +Copyright (c) 2002-2013 + The MirOS Project +Copyright (c) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 + Thorsten Glaser +Copyright (c) 2010, 2011, 2012, 2013 + Michael Langguth + +Provided that these terms and disclaimer and all copyright notices +are retained or reproduced in an accompanying document, permission +is granted to deal in this work without restriction, including un- +limited rights to use, publicly perform, distribute, sell, modify, +merge, give away, or sublicence. + +This work is provided "AS IS" and WITHOUT WARRANTY of any kind, to +the utmost extent permitted by applicable law, neither express nor +implied; without malicious intent or gross negligence. In no event +may a licensor, author or contributor be held liable for indirect, +direct, other damage, loss, or other issues arising in any way out +of dealing in the work, even if advised of the possibility of such +damage or existence of a defect, except proven that it results out +of said person's immediate fault when using the work as intended. + + +The shell contains strlcpy() under the ISC licence: + +Copyright (c) 2006, 2008, 2009 + Thorsten Glaser +Copyright (c) 1998 Todd C. Miller + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + +This version of the shell contains setmode() under the UCB BSD licence: + +Copyright (c) 1989, 1993, 1994 + The Regents of the University of California. All rights reserved. + +This code is derived from software contributed to Berkeley by +Dave Borman at Cray Research, Inc. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + + +The shell includes nedmalloc under the Boost Software License which, +in turn, includes dlmalloc under CC0 (eventually) in its binary. + + +The "liblan" portability library is covered by The MirOS Licence: + +Copyright (c) 1996, 1998, 2003, 2004, 2005, 2010, 2011, 2012, 2013 + Scalaris AG, Author: Michael Langguth + +Provided that these terms and disclaimer and all copyright notices +are retained or reproduced in an accompanying document, permission +is granted to deal in this work without restriction, including un- +limited rights to use, publicly perform, distribute, sell, modify, +merge, give away, or sublicence. + +This work is provided "AS IS" and WITHOUT WARRANTY of any kind, to +the utmost extent permitted by applicable law, neither express nor +implied; without malicious intent or gross negligence. In no event +may a licensor, author or contributor be held liable for indirect, +direct, other damage, loss, or other issues arising in any way out +of dealing in the work, even if advised of the possibility of such +damage or existence of a defect, except proven that it results out +of said person's immediate fault when using the work as intended. + + +It includes an implementation of POSIX directory browsing functions +and types for Win32 under a Historical Permission Notice variant: + +Copyright Kevlin Henney, 1997, 2003. All rights reserved. 
+ +Permission to use, copy, modify, and distribute this software and its +documentation for any purpose is hereby granted without fee, provided +that this copyright and permissions notice appear in all copies and +derivatives. + +This software is supplied "as is" without express or implied warranty. + +But that said, if there are any problems please get in touch. + + +The program shortcut (mkshicon1.ico) is an unregistered trademark: + +Copyright (c) 2013 Michael Langguth +Copyright (c) 2006 Benny Siegert +Copyright (c) 2005 Thorsten Glaser + +This icon may be used to refer to The MirBSD Korn Shell and +its Win32 port. Distribution patches are acceptable as long +as they modify $KSH_VERSION according to the guidelines that +are published on the website; forks and works that are not +derivates are not allowed to use it. + +The BSD daemon is Copyright (c) 1988 by Marshall Kirk McKusick. +All Rights Reserved. Individuals may use the daemon for their +personal use within the bounds of good taste. When reasonably +possible, the text shown above is to be included. + +The Shilouette daemon is Copyright (c) 2003 by Rick Collette. +The MirOS Project may freely use the former ekkoBSD Logo, +the shilouette Daemon, for MirBSD, on anything the project +leader sees fit, so long as it pertains to MirBSD in some +way and the leader gives credit for the original daemon to +Marshall Kirk McKusick. diff --git a/distro/windows/bin/easyrsa-shell-init.sh b/distro/windows/bin/easyrsa-shell-init.sh new file mode 100644 index 0000000..1e914d5 --- /dev/null +++ b/distro/windows/bin/easyrsa-shell-init.sh 
@@ -0,0 +1,65 @@ +#!/bin/sh + +# This script is a frontend designed to create & launch a POSIX shell +# environment suitable for use with Easy-RSA. mksh/Win32 is used with this +# project; use with other POSIX shells for Windows may require modification to +# this wrapper script. + +setup_path="${EASYRSA:-$PWD}" +export PATH="$setup_path;$setup_path/bin;$PATH" +export HOME="$setup_path" + +# This prevents reading from a user's .mkshrc if they have one. +# A user who runs mksh for other purposes might have it +export ENV="/disable-env" + +# Verify required externals are present +extern_list="which awk cp mkdir printf rm" +for f in $extern_list; do + if ! which "${f}.exe" >/dev/null 2>&1; then + echo "" + echo "FATAL: EasyRSA Shell init is missing a required external file:" + echo " ${f}.exe" + echo " Your installation is incomplete and cannot function without the required" + echo " files." + echo "" + echo " Press enter to exit." + read x + exit 1 + fi +done + +# set_var is defined as any vars file needs it. +# This is the same as in easyrsa, but we _don't_ export +set_var() { + local var=$1 + shift + local value="$*" + eval "$var=\"\${$var-$value}\"" +} #=> set_var() + +# Check for a usable openssl bin, referencing vars if present +[ -r "vars" ] && EASYRSA_CALLER=1 . "vars" 2>/dev/null +if [ -z "$EASYRSA_OPENSSL" ] && ! which openssl.exe >/dev/null 2>&1; then + echo "WARNING: openssl isn't in your system PATH. The openssl binary must be" + echo " available in the PATH, defined in the 'vars' file, or defined in the" + echo " OPENSSL environment variable. See README-Windows.txt for more info." +fi + +[ -f "$setup_path/easyrsa" ] || { + echo "Missing easyrsa script. Expected to find it at: $setup_path/easyrsa" + exit 2 +} + +# Set prompt and welcome message +export PS1=' +EasyRSA Shell +# ' +echo "" +echo "Welcome to the EasyRSA 3 Shell for Windows." +echo "Easy-RSA 3 is available under a GNU GPLv2 license." +echo "" +echo "Invoke './easyrsa' to call the program. 
Without commands, help is displayed." + +# Drop to a shell and await input +bin/sh \ No newline at end of file diff --git a/distro/windows/doc/README-Windows.txt b/distro/windows/doc/README-Windows.txt new file mode 100644 index 0000000..3dbefb4 --- /dev/null +++ b/distro/windows/doc/README-Windows.txt 
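Review bot: the vars sourcing line `[ -r "vars" ] && EASYRSA_CALLER=1 . "vars" 2>/dev/null` reads `vars` relative to the current working directory rather than `$setup_path`, so a `vars` file in whatever directory the wrapper happens to be launched from is executed as shell code while the one next to easyrsa is ignored; sourcing `"$setup_path/vars"` would match the `[ -f "$setup_path/easyrsa" ]` check that follows. The warning text tells users the binary may be "defined in the OPENSSL environment variable" while the test checks `$EASYRSA_OPENSSL`; name the same variable in both places. The trailing `bin/sh` is again a relative path that depends on the cwd; `"$setup_path/bin/sh"` (ideally via `exec`) is consistent with the PATH setup at the top of the script.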
@@ -0,0 +1,117 @@ +Easy-RSA 3 Windows README + +Easy-RSA 3 runs POSIX shell code, so use on Windows has some additional +requirements: an OpenSSL installation, and a usable shell environment. + +Contents of this file: + 1. OpenSSL + 2. shell environment + 3. Windows paths + 4. Appendix: + 4.1: reference links + 4.2: license of included components + +1. Obtaining OpenSSL for use with Easy-RSA + + There are a couple of ways to do this: + + (A) If you are using OpenVPN, the easiest solution is to install the OpenSSL + program components and add openvpn to the system PATH; this is offered as an + installation option as part of OpenVPN. + + (B) Optionally, install an OpenSSL package, such as from the openssl.org + website (see appendix.) In this case it will be required to do one of the + following: + + (1) Add the location of openssl.exe to the system PATH + + (2) Define the OPENSSL env-var to reference the full path to openssl.exe + + (3) Edit the vars file (copy vars.example as a starting point) as instructed + in the comments + + NOTE: for options 2 & 3 above, see section 3 below called "Windows Paths" + +2. Getting a POSIX shell + + The binary release of Easy-RSA 3 comes bundled with the mksh/Win32 shell + environment and a handful of shell utility programs from the unxutils + project. This is the easiest way to get a usable shell environment. + + (A) Using the mksh/Win32 shell + + With the Windows binary Easy-RSA download, all the necessary utilities + are already present. Starting a shell environment is accomplished by + running the `EasyRSA Start.bat` file. + + A basic collection of shell utilities is included, such as ls, cat, mv, + and so on. Additional programs can be manually installed from the + unxutils project (link in appendix); this is intentionally a limited set + of programs since most Windows users will use native methods to perform + filesystem manipulation. 
+ + (B) Using a full POSIX environment (Advanced users only) + + An environment such as Cygwin can provide the necessary POSIX environment + for the Easy-RSA shell code to run. However, Cygwin paths are not usable + by native Win32 applications. This means that the OpenSSL installation + used must also understand Cygwin paths or command calls will fail. + Provided this requirement is met, Cygwin can directly run the easyrsa + script without any special interpreter or startup wrapper. + +3. Windows Paths + + The provided mksh/Win32 shell understands Windows paths. However, you MUST + either: + + * Use forward slashes instead of single backslashes, or + * Use double-backslashes. + + This means the following path formats are accepted: + + "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + "C:\\Program Files\\OpenSSL-Win32\\bin\\openssl.exe" + + This is primarily to reference a functioning OpenSSL installation (see + section 1 above) but applies to any other paths used in env-vars, the `vars` + file, or in shell commands such as ls, cd, and so on. + +4. Appendix + + 4.1: Reference Links + + * OpenSSL website: + https://www.openssl.org + + * OpenSSL binary distribution links: + https://www.openssl.org/related/binaries.html + + * OpenSSL download page, built by "Shining Light Productions" + http://slproweb.com/products/Win32OpenSSL.html + + NOTE: if using the "Shining Light Productions" version, the "Light" + download is fine. 32 or 64-bit is also OK (if you have a 64-bit OS.) + + * UnxUtils project: + http://sourceforge.net/projects/unxutils + + 4.2: License of included components + + Text-format copies of these licenses are available in the Licensing/ + directory. + + (A) Easy-RSA 3 is released under a GPLv2 license: + https://www.gnu.org/licenses/gpl-2.0.html + + (B) mksh/Win32 is under a MirOS license: + https://www.mirbsd.org/MirOS-Licence.htm + + Additional library components of mksh/Win32 are covered under additional + licenses. 
See Licensing/mksh-Win32.txt for details. + + (C) unxutils is released under a GPLv2 license + The full source for this win32 port can be found here: + http://sourceforge.net/projects/unxutils/ + + +vim: wrap tw=80 expandtab diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md new file mode 100644 index 0000000..29e03f0 --- /dev/null +++ b/doc/EasyRSA-Advanced.md 
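Review bot: section 1 (B)(2) says "Define the OPENSSL env-var to reference the full path to openssl.exe", but the variable the scripts actually read is `EASYRSA_OPENSSL` (it is the one tested in easyrsa-shell-init.sh and the one listed in EasyRSA-Advanced.md), so the README should name `EASYRSA_OPENSSL`. Option (A) says to "add openvpn to the system PATH" where the requirement is that the directory containing openssl.exe is on the PATH; rewording that avoids users adding the wrong directory and still getting the "openssl isn't in your system PATH" warning. Minor: the contents list labels section 1 "OpenSSL" while its heading reads "Obtaining OpenSSL for use with Easy-RSA".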
@@ -0,0 +1,109 @@ +Easy-RSA Advanced Reference +============================= + +This is a technical reference for advanced users familiar with PKI processes. If +you need a more detailed description, see the `EasyRSA-Readme` or `Intro-To-PKI` +docs instead. + +Configuration Reference +----------------------- + +#### Configuration Sources + + There are 3 possible ways to perform external configuration of Easy-RSA, + selected in the following order where the first defined result wins: + + 1. Commmand-line option + 2. Environmental variable + 3. 'vars' file, if one is present (see `vars Autodetection` below) + 4. Built-in default + + Note that not every possible config option can be set everywhere, although any + env-var can be added to the 'vars' file even if it's not shown by default. + +#### vars Autodetection + + A 'vars' file is a file named simply `vars` (without an extension) that + Easy-RSA will source for configuration. This file is specifically designed + *not* to replace variables that have been set with a higher-priority method + such as CLI opts or env-vars. + + The following locations are checked, in this order, for a vars file. Only the + first one found is used: + + 1. File referenced by the --vars CLI option + 2. The file referenced by the env-var named `EASYRSA_VARS_FILE` + 3. The `EASYRSA_PKI` directory + 4. The `EASYRSA` directory + 5. The location of the easyrsa program (usually will be the same as above) + + Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars + file in all cases, including defining it subsequently as a global option. + +#### OpenSSL Config + + Easy-RSA is tightly coupled to the OpenSSL config file (.cnf) for the + flexibility the script provides. It is required that this file be available, + yet it is possible to use a different OpenSSL config file for a particular + PKI, or even change it for a particular invocation. + + The OpenSSL config file is searched for in the following order: + + 1. 
The env-var `EASYRSA_SSL_CONF` + 2. The 'vars' file (see `vars Autodetection` above) + 3. The `EASYRSA_PKI` directory with a filename of `openssl-1.0.cnf` + 4. The `EASYRSA` directory with a filename of `openssl-1.0.cnf` + +Advanced extension handling +--------------------------- + +Normally the cert extensions are selected by the cert type given on the CLI +during signing; this causes the matching file in the x509-types subdirectory to +be processed for OpenSSL extensions to add. This can be overridden in a +particular PKI by placing another x509-types dir inside the `EASYRSA_PKI` dir +which will be used instead. + +The file named `COMMON` in the x509-types dir is appended to every cert type; +this is designed for CDP usage, but can be used for any extension that should +apply to every signed cert. + +Additionally, the contents of the env-var `EASYRSA_EXTRA_EXTS` is appended with +its raw text added to the OpenSSL extensions. The contents are appended as-is to +the cert extensions; invalid OpenSSL configs will usually result in failure. 
+ +Environmental Variables Reference +--------------------------------- + +A list of env-vars, any matching global option (CLI) to set/override it, and a +possible terse description is shown below: + + * `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD + * `EASYRSA_OPENSSL` - command to invoke openssl + * `EASYRSA_SSL_CONF` - the openssl config file to use + * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files + * `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to + alter the fields to include in the req DN + * `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode + * `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with + org mode + * `EASYRSA_REQ_CITY` (CLI: `--req-city`) - set the DN city/locality with org + mode + * `EASYRSA_REQ_ORG` (CLI: `--req-org`) - set the DN organization with org mode + * `EASYRSA_REQ_EMAIL` (CLI: `--req-email`) - set the DN email with org mode + * `EASYRSA_REQ_OU` (CLI: `--req-ou`) - set the DN organizational unit with org + mode + * `EASYRSA_KEY_SIZE` (CLI: `--key-size`) - set the keysize in bits to generate + * `EASYRSA_CA_EXPIRE` (CLI: `--days`) - set the CA expiration time in days + * `EASYRSA_CERT_EXPIRE` (CLI: `--days`) - set the issued cert expiration time + in days + * `EASYRSA_CRL_DAYS` (CLI: `--days`) - set the CRL 'next publish' time in days + * `EASYRSA_NS_SUPPORT` (CLI: `--ns-cert`) - string 'yes' or 'no' fields to + include the deprecated Netscape extensions + * `EASYRSA_NS_COMMENT` (CLI: `--ns-comment`) - string comment to include when + using the deprecated Netscape extensions + * `EASYRSA_TEMP_FILE` - a temp file to use when dynamically creating req/cert + extensions + * `EASYRSA_REQ_CN` (CLI: `--req-cn`) - default CN, necessary to set in BATCH + mode + * `EASYRSA_DIGEST` (CLI: `--digest`) - set a hash diget to use for req/cert + signing 
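Review bot: the env-var reference lists `EASYRSA_KEY_SIZE (CLI: --key-size)` but `opt_usage()` in the easyrsa script spells the flag `--keysize=#`; one of the two should change so the documented flag is the one the parser accepts. In "Configuration Sources" the text says "There are 3 possible ways" and then lists four items (the built-in default is the fourth); adjust the count. `EASYRSA_BATCH` (`--batch=#`) is accepted by the script but missing from this list, and since batch mode suppresses the `confirm()` prompt before `init-pki` removes a directory it is worth documenting here. Typos: "Commmand-line", "hash diget".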
diff --git a/doc/EasyRSA-Readme.md b/doc/EasyRSA-Readme.md new file mode 100644 index 0000000..568c3a6 --- /dev/null +++ b/doc/EasyRSA-Readme.md 
@@ -0,0 +1,235 @@ +Easy-RSA 3 Documentation Readme +=============================== + +This document explains how Easy-RSA 3 and each of its assorted features work. + +If you are looking for a quickstart with less background or detail, an +implementation-specific Howto or Readme may be available in this (the `doc/`) +directory. + +Easy-RSA Overview +----------------- + +Easy-RSA is a utility for managing X.509 PKI, or Public Key Infrastructure. A +PKI is based on the notion of trusting a particular authority to authenticate a +remote peer; for more background on how PKI works, see the `Intro-To-PKI` +document. + +The code is written in platform-neutral POSIX shell, allowing use on a wide +range of host systems. The official Windows release also comes bundled with the +programs necessary to use Easy-RSA. The shell code attempts to limit the number +of external programs it depends on. Crypto-related tasks use openssl as the +functional backend. + +Feature Highlights +------------------ + +Here's a non-exhaustive list of the more notable Easy-RSA features: + + * Easy-RSA is able to manage multiple PKIs, each with their own independent + configuration, storage directory, and X.509 extension handling. + * Multiple Subject Name (X.509 DN field) formatting options are supported. For + VPNs, this means a cleaner commonName only setup can be used. + * A single backend is used across all supported platforms, ensuring that no + platform is 'left out' of the rich features. Unix-alikes (BSD, Linux, etc) + and Windows are all supported. + * Easy-RSA's X.509 support includes CRL, CDP, keyUsage/eKu attributes, and + additional features. The included support can be changed or extended as an + advanced feature. + * Interactive and automated (batch) modes of operation + * Flexible configuration: features can be enabled through command-line + options, environment variables, a config file, or a combination of these. 
+ * Built-in defaults allow Easy-RSA to be used without first editing a config + file. + +Obtaining and Using Easy-RSA +---------------------------- + +#### Download and extraction (installation) + + Easy-RSA's main program is a script, supported by a couple of config files. As + such, there is no formal "installation" required. Preparing to use Easy-RSA is + as simple as downloading the compressed package (.tar.gz for Linux/Unix or + .zip for Windows) and extract it to a location of your choosing. There is no + compiling or OS-dependent setup required. + + You should install and run Easy-RSA as a non-root (non-Administrator) account + as root access is not required. + +#### Running Easy-RSA + + Invoking Easy-RSA is done through your preferred shell. Under Windows, you + will use the `EasyRSA Start.bat` program to provide a POSIX-shell environment + suitable for using Easy-RSA. + + The basic format for running commands is: + + ./easyrsa command [ cmd-opts ] + + where `command` is the name of a command to run, and `cmd-opts` are any + options to supply to the command. Some commands have mandatory or optional + cmd-opts. Note the leading `./` component of the command: this is required in + Unix-like environments and may be a new concept to some Windows users. + + General usage and command help can be shown with: + + ./easyrsa help [ command ] + + When run without any command, general usage and a list of available commands + are shown; when a command is supplied, detailed help output for that command + is shown. + +Configuring Easy-RSA +-------------------- + +Easy-RSA 3 no longer needs any configuration file prior to operation, unlike +earlier versions. However, the `vars.example` file contains many commented +options that can be used to control non-default behavior as required. Reading +this file will provide an idea of the basic configuration available. Note that +a vars file must be named just `vars` (without an extension) to actively use it. 
+ +Additionally, some options can be defined at runtime with options on the +command-line. A full list can be shown with: + + ./easyrsa help options + +Any of these options can appear before the command as required as shown below: + + ./easyrsa [options] command [ cmd-opts ] + +For experts, additional configuration flexibility is available by way of +env-vars and custom X.509 extensions. Consult the `EasyRSA-Advanced` +documentation for details + +Getting Started: The Basics +--------------------------- + +Some of the terms used here will be common to those familiar with how PKI works. +Instead of describing PKI basics, please consult the document `Intro-To-PKI` if +you need a more basic description of how a PKI works. + +#### Creating an Easy-RSA PKI + + In order to do something useful, Easy-RSA needs to first initialize a + directory for the PKI. Multiple PKIs can be managed with a single installation + of Easy-RSA, but the default directory is called simply "pki" unless otherwise + specified. + + To create or clear out (re-initialize) a new PKI, use the command: + + ./easyrsa init-pki + + which will create a new, blank PKI structure ready to be used. Once created, + this PKI can be used to make a new CA or generate keypairs. + +#### The PKI Directory Structure + + An Easy-RSA PKI contains the following directory structure: + + * private/ - dir with private keys generated on this host + * reqs/ - dir with locally generated certificate requests (for a CA imported + requests are stored here) + + In a clean PKI no files will exist until, just the bare directories. Commands + called later will create the necessary files depending on the operation. + + When building a CA, a number of new files are created by a combination of + Easy-RSA and (indirectly) openssl. 
The important CA files are: + + * `ca.crt` - This is the CA certificate + * `index.txt` - This is the "master database" of all issued certs + * `serial` - Stores the next serial number (serial numbers increment) + * `private/ca.key` - This is the CA private key (security-critical) + * `certs_by_serial/` - dir with all CA-signed certs by serial number + * `issued/` - dir with issued certs by commonName + +#### After Creating a PKI + + Once you have created a PKI, the next useful step will be to either create a + CA, or generate keypairs for a system that needs them. Continue with the + relevant section below. + +Using Easy-RSA as a CA +---------------------- + +#### Building the CA + + In order to sign requests to produce certificates, you need a CA. To create a + new CA in a PKI you have created, run: + + ./easyrsa build-ca + + Be sure to use a strong passphrase to protect the CA private key. Note that + you must supply this passphrase in the future when performing signing + operations with your CA, so be sure to remember it. + + During the creation process, you will also select a name for the CA called the + Common Name (CN.) This name is purely for display purposes and can be set as + you like. + +#### Importing requests to the CA + + Once a CA is built, the PKI is intended to be used to import requests from + external systems that are requesting a signed certificate from this CA. In + order to sign the request, it must first be imported so Easy-RSA knows about + it. This request file must be a standard CSR in PKCS#10 format. + + Regardless of the file name to import, Easy-RSA uses a "short name" defined + during import to refer to this request. Importing works like this: + + ./easyrsa import-req /path/to/request.req nameOfRequest + + The nameOfRequest should normally refer to the system or person making the + request. + +#### Signing a request + + Once Easy-RSA has imported a request, it can be reviewed and signed. 
Every + certificate needs a "type" which controls what extensions the certificate gets + Easy-RSA ships with 3 possible types: `client`, `server`, and `ca`, described + below: + + * client - A TLS client, suitable for a VPN user or web browser (web client) + * server - A TLS server, suitable for a VPN or web server + * ca - A subordinate CA, used when chaining multiple CAs together + + Additional types of certs may be defined by local sites as needed; see the + advanced documentation for details. + +#### Revoking and publishing CRLs + + If an issue certificate needs to be revoked, this can be done as follows: + + ./easyrsa revoke nameOfRequest + + To generate a CRL suitable for publishing to systems that use it, run: + + ./easyrsa gen-crl + + Note that this will need to be published or sent to systems that rely on an + up-to-date CRL as the certificate is still otherwise valid. + +Using Easy-RSA to generate keypairs & requests +---------------------------------------------- + +Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This +request is what a CA needs in order to generate and return a signed certificate. + +Ideally you should never generate entity keypairs for a client or server in a +PKI you are using for your CA. It is best to separate this process and generate +keypairs only on the systems you plan to use them. + +Easy-RSA can generate a keypair and request with the following command: + + ./easyrsa gen-req nameOfRequest + +You will then be given a chance to modify the Subject details of your request. +By default Easy-RSA uses the short name supplied on the command-line, though you +are free to change it if necessary. After providing a passphrase and Subject +details, the keypair and request files will be shown. 
+ +In order to obtain a signed certificate, the request file must be sent to the +CA for signing; this step is obviously not required if a single PKI is used as +both the CA and keypair/request generation as the generated request is already +"imported." + diff --git a/doc/Intro-To-PKI.md b/doc/Intro-To-PKI.md new file mode 100644 index 0000000..cd8217b --- /dev/null +++ b/doc/Intro-To-PKI.md 
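Review bot: in "The PKI Directory Structure" the sentence "In a clean PKI no files will exist until, just the bare directories." is garbled; "In a clean PKI no files exist yet, just the bare directories." reads correctly. Under "Revoking and publishing CRLs", "If an issue certificate" should be "If an issued certificate". In "Signing a request", "which controls what extensions the certificate gets Easy-RSA ships with 3 possible types" is missing a full stop after "gets", and the "Configuring Easy-RSA" paragraph ends without one after "for details". On substance, "Building the CA" is where `private/ca.key` is created, so a pointer to the Intro-To-PKI advice about keeping the CA PKI on a dedicated or offline system would fit there alongside the passphrase reminder.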
@@ -0,0 +1,97 @@ +Introduction to PKI +=================== + +This document is designed to give you a brief introduction into how a PKI, or +Public Key Infrastructure, works. + +Terminology Used +---------------- + +To avoid confusion, the following terms will be used throughout the Easy-RSA +documentation. Short forms may be substituted for longer forms as convenient. + + * **PKI**: Public Key Infrastructure. This describes the collection of files + and associations between the CA, keypairs, requests, and certificates. + * **CA**: Certificate Authority. This is the "master cert" at the root of a + PKI. + * **cert**: Certificate. A certificate is a request that has been signed by a + CA. The certificate contains the public key, some details describing the + cert itself, and a digital signature from the CA. + * **request**: Certificate Request (optionally 'req'.) This is a request for a + certificate that is then send to a CA for signing. A request contains the + desired cert information along with a digital signature from the private + key. + * **keypair**: A keypair is an asymmetric cryptographic pair of keys. These + keys are split into two parts: the public and private keys. The public key + is included in a request and certificate. + +The CA +------ + +The heart of a PKI is the CA, or Certificate Authority, and this is also the +most security-sensitive. The CA private key is used to sign all issued +certificates, so its security is critical in keeping the entire PKI safe. For +this reason, it is highly recommended that the CA PKI structure be kept on a +system dedicated for such secure usage; it is not a great idea to keep the CA +PKI mixed in with one used to generate end-entity certificates, such as clients +or servers (VPN or web servers.) + +To start a new PKI, the CA is first created on the secure environment. 
+Depending on security needs, this could managed under a locked down account, +dedicated system, or even a completely offline system or using removable media +to improve security (after all, you can't suffer an online break-in if your +system or PKI is not online.) The exact steps to create a CA are described in a +separate section. When creating a new CA, the CA keypair (private and public +keys) are created, as well as the file structure necessary to support signing +issued certificates. + +Once a CA has been created, it can receive certificate requests from +end-entities. These entity certificates are issued to consumers of X509 +certificates, such as a client or server of a VPN, web, or email system. The +certificate requests and certificates are not security-sensitive, and can be +transferred in whatever means convenient, such as email, flash drive, etc. For +better security, it is a good idea to verify the received request matches the +sender's copy, such as by verifying the expected checksum against the sender's +original. + +Keypairs and requests +--------------------- + +Individual end-entities do not need a full CA set up and will only need to +create a keypair and associated certificate request. The private key is not used +anywhere except on this entity, and should never leave that system. It is wise +to secure this private key with a strong passphrase, because if lost or stolen +the holder of the private key can make connections appearing as the certificate +holder. + +Once a keypair is generated, the certificate request is created and digitally +signed using the private key. This request will be sent to a CA for signing, and +a signed certificate will be returned. + +How requests become certificates +-------------------------------- + +After a CA signs the certificate request, a signed certificate is produced. 
In +this step, the CA's private key is used to digitally sign the entity's public +key so that any system trusting the CA certificate can implicitly trust the +newly issued certificate. This signed certificate is then sent back to the +requesting entity. The issued certificate is not security-sensitive and can be +sent over plaintext transmission methods. + +Verifying an issued certificate +------------------------------- + +After 2 entities have created keypairs, sent their requests to the CA, and +received a copy of their signed certificates and the CA's own certificate, they +can mutually authenticate with one-another. This process does not require the 2 +entities to have previously exchanged any kind of security information directly. + +During a TLS handshake each side of the connection presents their own cert chain +to the remote end. Each side checks the validity of the cert received against +their own copy of the CA cert. By trusting the CA root cert, the peer they are +talking to can be authenticated. + +The remote end proves it "really is" the entity identified by the cert by +signing a bit of data using its own private key. Only the holder of the private +key is able to do this, allowing the remote end to verify the authenticity of +the system being connected to. diff --git a/doc/TODO b/doc/TODO new file mode 100644 index 0000000..f3c3b6d --- /dev/null +++ b/doc/TODO 
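Review bot: "How requests become certificates" says "the CA's private key is used to digitally sign the entity's public key"; the CA signature covers the whole certificate body (subject, validity period, extensions and the public key), which is exactly why the type and extensions chosen at signing time cannot be altered afterwards, so "sign the entity's certificate" is the accurate wording. "Verifying an issued certificate" describes checking the peer cert against the CA cert only; a sentence noting that peers also need the CRL produced by `gen-crl` to reject revoked certificates would tie this document to the Readme's revocation section. Typos: "is then send to a CA" (sent), "this could managed" (could be managed), "X509" where the other docs write "X.509".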
@@ -0,0 +1,18 @@ +Easy-RSA 3 TODO / wishlist + +Feature support: + * makefile + * It may be useful to port the Makefile from the 2.x series + * This may be desirable for building and downstream packaging + * add pkcs11 support + * Much of this may be distro-dependent + * Keep platform-specific tools separate from platform-neutral code + * add detection for duplicate CN prior to OpenSSL failure + * This gets tricky if `updatedb` requires a CA passphrase + * It would help to warn users before OpenSSL throws errors + +Longer term wishlist: + * Support openssl's -password source mechanism: + * allow for batching currently "unbatchable" operations, like pkcs12 + * support one password input that can apply to multiple operations + * support a variety of password sources (interactive, pipe, file, etc) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa new file mode 100755 index 0000000..0ea1b11 --- /dev/null +++ b/easyrsa3/easyrsa 
@@ -0,0 +1,1071 @@ +#!/bin/sh + +# Easy-RSA 3 -- A Shell-based CA Utility +# +# Copyright (C) 2013 by the Open-Source OpenVPN development community +# +# This code released under version 2 of the GNU GPL; see COPYING and the +# Licensing/ directory of this project for full licensing details. + +# Help/usage output to stdout +usage() { + # command help: + print " +Easy-RSA 3 usage and overview + +USAGE: easyrsa [options] COMMAND [command-options] + +A list of commands is shown below. To get detailed usage and help for a +command, run: + ./easyrsa help COMMAND + +For a listing of options that can be supplied before the command, use: + ./easyrsa help options + +Here is the list of commands available with a short syntax reminder. Use the +'help' command above to get full usage details. + + init-pki [ cmd-opts ] + build-ca [ cmd-opts ] + gen-dh + gen-req [ cmd-opts ] + sign-req + build-client-full [ cmd-opts ] + build-server-full [ cmd-opts ] + revoke + gen-crl + update-db + show-req [ cmd-opts ] + show-cert [ cmd-opts ] + import-req + export-p12 [ cmd-opts ] +" + + # collect/show dir status: + local err_source="Not defined: vars autodetect failed and no value provided" + local work_dir="${EASYRSA:-$err_source}" + local pki_dir="${EASYRSA_PKI:-$err_source}" + print "\ +DIRECTORY STATUS (commands would take effect on these locations) + EASYRSA: $work_dir + PKI: $pki_dir +" +} # => usage() + +# Detailed command help +# When called with no args, calls usage(), otherwise shows help for a command +cmd_help() { + local text opts + case "$1" in + init-pki|clean-all) text=" + init-pki [ cmd-opts ] + Removes & re-initializes the PKI dir for a clean PKI" + opts=" + force - do not prompt when removing existing files" ;; + build-ca) text=" + build-ca [ cmd-opts ] + Creates a new CA" + opts=" + nopass - do not encrypt the CA key (default is encrypted) + subca - create a sub-CA keypair and request (default is a root CA)" ;; + gen-dh) text=" + gen-dh + Generates DH (Diffie-Helllman) 
parameters" ;; + gen-req) text=" + gen-req [ cmd-opts ] + Generate a standalone keypair and request (CSR) + + This request is suitable for sending to a remote CA for signing." + opts=" + nopass - do not encrypt the private key (default is encrypted)" ;; + sign|sign-req) text=" + sign-req + Sign a certificate request of the defined type. must be a known + type such as 'client', 'server', or 'ca' (or a user-added type.) + + This request file must exist in the reqs/ dir and have a .req file + extension. See import-req below for importing reqs from other sources." ;; + build|build-client-full|build-server-full) text=" + build-client-full [ cmd-opts ] + build-server-full [ cmd-opts ] + Generate a keypair and sign locally for a client or server + + This mode uses the as the X509 CN." + opts=" + nopass - do not encrypt the private key (default is encrypted)" ;; + revoke) text=" + revoke + Revoke a certificate specified by the filename_base" ;; + gen-crl) text=" + gen-crl + Generate a CRL" ;; + update-db) text=" + update-db + Update the index.txt database + + This command will use the system time to update the status of issued + certificates." ;; + show-req|show-cert) text=" + show-req [ cmd-opts ] + show-cert [ cmd-opts ] + Shows details of the req or cert referenced by filename_base + + Human-readable output is shown, including any requested cert options when + showing a request." + opts=" + full - show full req/cert info, including pubkey/sig data" ;; + import-req) text=" + import-req + Import a certificate request from a file + + This will copy the specified file into the reqs/ dir in + preparation for signing. + The is the filename base to create. 
+ + Example usage: + import-req /some/where/bob_request.req bob" ;; + export-p12) text=" + export-p12 [ cmd-opts ] + Export a PKCS#12 file with the keypair specified by " + opts=" + noca - do not include the ca.crt file in the PKCS12 output" ;; + altname|subjectaltname|san) text=" + --subject-alt-name=SAN_FORMAT_STRING + This global option adds a subjectAltName to the request or issued + certificate. It MUST be in a valid format accepted by openssl or + req/cert generation will fail. Note that including multiple such names + requires them to be comma-separated; further invocations of this + option will REPLACE the value. + + Examples of the SAN_FORMAT_STRING shown below: + DNS:alternate.example.net + DNS:primary.example.net,DNS:alternate.example.net + IP:203.0.113.29 + email:alternate@example.net" ;; + options) + opt_usage ;; + "") + usage ;; + *) text=" + Unknown command: '$1' (try without commands for a list of commands)" ;; + esac + + # display the help text + print "$text" + [ -n "$opts" ] && print " + cmd-opts is an optional set of command options from this list: +$opts" +} # => cmd_help() + +# Options usage +opt_usage() { + print " +Easy-RSA Global Option Flags + +The following options may be provided before the command. Options specified +at runtime override env-vars and any 'vars' file in use. Unless noted, +non-empty values to options are mandatory. 
+ +General options: + +--batch=# : set automatic (no-prompts when possible) mode; must be 0 or 1 +--pki-dir=DIR : declares the PKI directory +--vars=FILE : define a specific 'vars' file to use for Easy-RSA config + +Certificate & Request options: (these impact cert/req field values) + +--days=# : sets the signing validity to the specified number of days +--digest=ALG : digest to use in the requests & certificates +--dn-mode=MODE : DN mode to use (cn_only or org) +--keysize=# : size in bits of keypair to generate +--req-cn=NAME : default CN to use +--subca-len=# : path length of signed sub-CA certs; must be >= 0 if used +--subject-alt-name : Add a subjectAltName. For more info and syntax, see: + ./easyrsa help altname + +Organizational DN options: (only used with the 'org' DN mode) + (values may be blank for org DN options) + +--req-c=CC : country code (2-letters) +--req-st=NAME : State/Province +--req-city=NAME : City/Locality +--req-org=NAME : Organization +--req-email=NAME : Email addresses +--req-ou=NAME : Organizational Unit + +Deprecated features: + +--ns-cert=YESNO : yes or no to including deprecated NS extensions +--ns-comment=COMMENT : NS comment to include (value may be blank) +" +} # => opt_usage() + +# Wrapper around printf - clobber print since it's not POSIX anyway +print() { printf "%s\n" "$*"; } + +# Exit fatally with a message to stderr +# present even with EASYRSA_BATCH=1 as these are fatal problems +die() { + print " +Easy-RSA error: + +$1" 1>&2 + exit ${2:-1} +} # => die() + +# non-fatal warning output +warn() { + [ -z "$EASYRSA_BATCH" ] || [ $EASYRSA_BATCH -eq 0 ] && \ + print " +$1" 1>&2 +} # => warn() + +# informational notices to stdout +notice() { + [ -z "$EASYRSA_BATCH" ] || [ $EASYRSA_BATCH -eq 0 ] && \ + print " +$1" +} # => notice() + +# yes/no case-insensitive match (operates on stdin pipe) +# Returns 0 when input contains yes, 1 for no, 2 for no match +# If both strings are present, returns 1; first matching line returns. 
+awk_yesno() { + local awkscript=' +BEGIN {IGNORECASE=1; r=2} +{ if(match($0,"no")) {r=1; exit} + if(match($0,"yes")) {r=0; exit} +} END {exit r}' + awk "$awkscript" +} # => awk_yesno() + +# intent confirmation helper func +# returns without prompting in EASYRSA_BATCH +confirm() { + [ $EASYRSA_BATCH -eq 1 ] && return + local prompt="$1" value="$2" msg="$3" input + print " +$msg + +Type the word '$value' to continue, or any other input to abort." + printf %s " $prompt" + read input + [ "$input" = "$value" ] && return + notice "Aborting without confirmation." + exit 9 +} # => confirm() + +vars_source_check() { + # Check for defined EASYRSA_PKI + [ -n "$EASYRSA_PKI" ] || die "\ +EASYRSA_PKI env-var undefined" + + # Verify EASYRSA_OPENSSL command gives expected output + if [ -z "$EASYRSA_SSL_OK" ]; then + local val="$("$EASYRSA_OPENSSL" version)" + [ "${val%% *}" = "OpenSSL" ] || die "\ +Missing or invalid OpenSSL +Expected to find openssl command at: $EASYRSA_OPENSSL" + fi + EASYRSA_SSL_OK=1 + + # Verify EASYRSA_SSL_CONF file exists + [ -f "$EASYRSA_SSL_CONF" ] || die "\ +The OpenSSL config file cannot be found. +Expected location: $EASYRSA_SSL_CONF" +} # => vars_source_check() + +# Basic sanity-check of PKI init and complain if missing +verify_pki_init() { + local help_note="Run easyrsa without commands for usage and command help." + + # check that the pki dir exists + vars_source_check + [ -d "$EASYRSA_PKI" ] || die "\ +EASYRSA_PKI does not exist (perhaps you need to run init-pki)? +Expected to find the EASYRSA_PKI at: $EASYRSA_PKI +$help_note" + + # verify expected dirs present: + for i in private reqs; do + [ -d "$EASYRSA_PKI/$i" ] || die "\ +Missing expected directory: $i (perhaps you need to run init-pki?) +$help_note" + done +} # => verify_pki_init() + +# Verify core CA files present +verify_ca_init() { + local help_note="Run without commands for usage and command help." 
+ + # First check the PKI has been initialized + verify_pki_init + + # verify expected files present: + for i in serial index.txt ca.crt private/ca.key; do + if [ ! -f "$EASYRSA_PKI/$i" ]; then + [ "$1" = "test" ] && return 1 + die "\ +Missing expected CA file: $i (perhaps you need to run build-ca?) +$help_note" + fi + done + + # When operating in 'test' mode, return success. + # test callers don't care about CA-specific dir structure + [ "$1" = "test" ] && return 0 + + # verify expected CA-specific dirs: + for i in issued certs_by_serial; do + [ -d "$EASYRSA_PKI/$i" ] || die "\ +Missing expected CA dir: $i (perhaps you need to run build-ca?) +$help_note" + done + + # explicitly return success for callers + return 0 + +} # => verify_ca_init() + +# init-pki backend: +init_pki() { + local opt_force=0 + [ $EASYRSA_BATCH -eq 1 ] && opt_force=1 + while [ -n "$1" ]; do + case "$1" in + force) opt_force=1 ;; + *) warn "Ignoring unknown command option: '$1'" ;; + esac + shift + done + + vars_source_check + + # If EASYRSA_PKI exists, confirm before we rm -rf (skipped when forced) + if [ -e "$EASYRSA_PKI" ]; then + [ $opt_force -eq 0 ] && confirm "Confirm removal: " "yes" " +WARNING!!! + +You are about to remove the EASYRSA_PKI at: $EASYRSA_PKI +and initialize a fresh PKI here." + # now remove it: + rm -rf "$EASYRSA_PKI" || die "Removal of PKI dir failed. Check/correct errors above" + fi + + # new dirs: + for i in private reqs; do + mkdir -p "$EASYRSA_PKI/$i" || die "Failed to create PKI file structure (permissions?)" + done + + notice "\ +init-pki complete; you may now create a CA or requests. 
+Your newly created PKI dir is: $EASYRSA_PKI +" + return 0 +} # => init_pki() + +# build-ca backend: +build_ca() { + local opts= sub_ca=0 + while [ -n "$1" ]; do + case "$1" in + nopass) opts="$opts -nodes" ;; + subca) sub_ca=1 ;; + *) warn "Ignoring unknown command option: '$1'" ;; + esac + shift + done + + verify_pki_init + + # setup for the simpler sub-CA situation and overwrite with root-CA if needed: + local out_file="$EASYRSA_PKI/reqs/ca.req" + local out_key="$EASYRSA_PKI/private/ca.key" + if [ $sub_ca -eq 0 ]; then + out_file="$EASYRSA_PKI/ca.crt" + opts="$opts -x509 -days $EASYRSA_CA_EXPIRE" + fi + + # Test for existing CA, and complain if already present + if verify_ca_init test; then + die "\ +Unable to create a CA as you already seem to have one set up. +If you intended to start a new CA, run init-pki first." + fi + # If a private key exists here, a sub-ca was created but not signed. + # Notify the user and require a signed ca.crt or a init-pki: + [ -f "$out_key" ] && \ + die "\ +A CA private key exists but no ca.crt is found in your PKI dir of: +$EASYRSA_PKI +Refusing to create a new CA keypair as this operation would overwrite your +current CA keypair. If you intended to start a new CA, run init-pki first." 
+ + # create necessary files and dirs: + local err_file="Unable to create necessary PKI files (permissions?)" + for i in issued certs_by_serial; do + mkdir -p "$EASYRSA_PKI/$i" || die "$err_file" + done + printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file" + print "01" > "$EASYRSA_PKI/serial" || die "$err_file" + + # Default CN only when not in global EASYRSA_BATCH mode: + [ $EASYRSA_BATCH -eq 1 ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA" + # create the CA keypair: + "$EASYRSA_OPENSSL" req -new -newkey rsa:$EASYRSA_KEY_SIZE -config "$EASYRSA_SSL_CONF" \ + -keyout "$out_key" -out "$out_file" $opts || \ + die "Failed to build the CA" + + # Success messages + if [ $sub_ca -eq 1 ]; then + notice "\ +NOTE: Your sub-CA request is at $out_file +and now must be sent to you parent CA for signing. Place your resulting cert +at $EASYRSA_PKI/ca.crt prior to signing operations. +" + else notice "\ +CA creation complete and you may now import and sign cert requests. +Your new CA certificate file for publishing is at: +$out_file +" + fi + return 0 +} # => build_ca() + +# gen-dh backend: +gen_dh() { + verify_pki_init + + local out_file="$EASYRSA_PKI/dh.pem" + "$EASYRSA_OPENSSL" dhparam -out "$out_file" $EASYRSA_KEY_SIZE || \ + die "Failed to build DH params" + notice "\ +DH parameters of size $EASYRSA_KEY_SIZE created at $out_file +" + return 0 +} # => gen_dh() + +# gen-req backend: +gen_req() { + # pull filename base and use as default interactive CommonName: + [ -n "$1" ] || die "\ +Error: gen-req must have a file base as the first argument. +Run easyrsa without commands for usage and commands." 
+ local key_out="$EASYRSA_PKI/private/$1.key" + local req_out="$EASYRSA_PKI/reqs/$1.req" + [ $EASYRSA_BATCH -eq 0 ] && EASYRSA_REQ_CN="$1" + shift + + # function opts support + local opts= + while [ -n "$1" ]; do + case "$1" in + nopass) opts="$opts -nodes" ;; + # batch flag supports internal callers needing silent operation + batch) local EASYRSA_BATCH=1 ;; + *) warn "Ignoring unknown command option: '$1'" ;; + esac + shift + done + + verify_pki_init + + # don't wipe out an existing private key without confirmation + [ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\ + +WARNING!!! + +An existing private key was found at $key_out +Continuing with key generation will replace this key." + + # When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] section: + if [ -n "$EASYRSA_EXTRA_EXTS" ]; then + local awkscript=' +{if ( match($0, "^#%EXTRA_EXTS%") ) + { while ( getline<"/dev/stdin" ) {print} next } + {print} +}' + # This awk inserts the extra ext data keyed by a magic line + print "$EASYRSA_EXTRA_EXTS" | \ + awk "$awkscript" "$EASYRSA_SSL_CONF" \ + > "$EASYRSA_TEMP_FILE" \ + || die "Copying SSL config to temp file failed" + # Use this new SSL config for the rest of this function + local EASYRSA_SSL_CONF="$EASYRSA_TEMP_FILE" + fi + + # generate request + [ $EASYRSA_BATCH -eq 1 ] && opts="$opts -batch" + "$EASYRSA_OPENSSL" req -new -newkey rsa:$EASYRSA_KEY_SIZE -config "$EASYRSA_SSL_CONF" \ + -keyout "$key_out" -out "$req_out" $opts + local ret=$? + [ -n "$EASYRSA_EXTRA_EXTS" ] && rm "$EASYRSA_TEMP_FILE" + [ $ret -eq 0 ] || die "Failed to generate request" + notice "\ +Keypair and certificate request completed. 
Your files are: +req: $req_out +key: $key_out +" + return 0 +} # => gen_req() + +# common signing backend +sign_req() { + local crt_type="$1" opts= + local req_in="$EASYRSA_PKI/reqs/$2.req" + local crt_out="$EASYRSA_PKI/issued/$2.crt" + + # Support batch by internal caller: + [ "$3" = "batch" ] && local EASYRSA_BATCH=1 + + verify_ca_init + + # Check argument sanity: + [ -n "$2" ] || die "\ +Incorrect number of arguments provided to sign-req: +expected 2, got $# (see command help for usage)" + + # Cert type must exist under the EASYRSA_EXT_DIR + [ -r "$EASYRSA_EXT_DIR/$crt_type" ] || die "\ +Unknown cert type '$crt_type'" + + # Request file must exist + [ -f "$req_in" ] || die "\ +No request found for the input: '$2' +Expected to find the request at: $req_in" + + # Confirm input is a cert req + verify_file req "$req_in" || die "\ +The certificate request file is not in a valid X509 request format. +Offending file: $req_in" + + # Display the request subject in an easy-to-read format + # Confirm the user wishes to sign this request + confirm "Confirm request details: " "yes" " +You are about to sign the following certificate. +Please check over the details shown below for accuracy. Note that this request +has not been cryptographically verified. Please be sure it came from a trusted +source or that you have verified the request checksum with the sender. 
+ +Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days: + +$(display_dn req "$req_in") +" # => confirm end + + # Generate the extensions file for this cert: + { + # Append first any COMMON file (if present) then the cert-type extensions + cat "$EASYRSA_EXT_DIR/COMMON" + cat "$EASYRSA_EXT_DIR/$crt_type" + + # Support a dynamic CA path length when present: + [ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \ + print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN" + + # Deprecated Netscape extension support, if enabled + if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then + [ -n "$EASYRSA_NS_COMMENT" ] && \ + print "nsComment = \"$EASYRSA_NS_COMMENT\"" + case "$crt_type" in + server) print "nsCertType = server" ;; + client) print "nsCertType = client" ;; + ca) print "nsCertType = sslCA" ;; + esac + fi + + # Add any advanced extensions supplied by env-var: + [ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS" + + : # needed to keep die from inherting the above test + } > "$EASYRSA_TEMP_FILE" || die "\ +Failed to create temp extension file (bad permissions?) at: +$EASYRSA_TEMP_FILE" + + # sign request + #[ $EASYRSA_BATCH -eq 1 ] && opts="$opts -batch" + "$EASYRSA_OPENSSL" ca -in "$req_in" -out "$crt_out" -config "$EASYRSA_SSL_CONF" \ + -extfile "$EASYRSA_TEMP_FILE" -days $EASYRSA_CERT_EXPIRE -batch $opts + local ret=$? + rm "$EASYRSA_TEMP_FILE" + [ $ret -eq 0 ] || die "signing failed (openssl output above may have more detail)" + notice "\ +Certificate created at: $crt_out +" + return 0 +} # => sign_req() + +# common build backend +# used to generate+sign in 1 step +build_full() { + verify_ca_init + + # pull filename base: + [ -n "$2" ] || die "\ +Error: didn't find a file base name as the first argument. +Run easyrsa without commands for usage and commands." 
+ local crt_type="$1" name="$2" + local req_out="$EASYRSA_PKI/reqs/$2.req" + local key_out="$EASYRSA_PKI/private/$2.key" + local crt_out="$EASYRSA_PKI/issued/$2.crt" + shift 2 + + # function opts support + local req_opts= + while [ -n "$1" ]; do + case "$1" in + nopass) req_opts="$req_opts nopass" ;; + *) warn "Ignoring unknown command option: '$1'" ;; + esac + shift + done + + # abort on existing req/key/crt files + local err_exists="\ +file already exists. Aborting build to avoid overwriting this file. +If you wish to continue, please use a different name or remove the file. +Matching file found at: " + [ -f "$req_out" ] && die "Request $err_exists $req_out" + [ -f "$key_out" ] && die "Key $err_exists $key_out" + [ -f "$crt_out" ] && die "Certificate $err_exists $crt_out" + + # create request + EASYRSA_REQ_CN="$name" + gen_req "$name" batch $req_opts + + # Sign it + sign_req "$crt_type" "$name" batch + +} # => build_full() + +# revoke backend +revoke() { + verify_ca_init + + # pull filename base: + [ -n "$1" ] || die "\ +Error: didn't find a file base name as the first argument. +Run easyrsa without commands for usage and command help." + local crt_in="$EASYRSA_PKI/issued/$1.crt" + + verify_file x509 "$crt_in" || die "\ +Unable to revoke as the input file is not a valid certificate. Unexpected +input in file: $crt_in" + + # confirm operation by displaying DN: + confirm "Continue with revocation: " "yes" " +Please confirm you wish to revoke the certificate with the following subject: + +$(display_dn x509 "$crt_in") +" # => confirm end + + # referenced cert must exist: + [ -f "$crt_in" ] || die "\ +Unable to revoke as no certificate was found. Certificate was expected +at: $crt_in" + + "$EASYRSA_OPENSSL" ca -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" || die "\ +Failed to revoke certificate: revocation command failed." + + notice "\ +IMPORTANT!!! + +Revocation was successful. 
You must run gen-crl and upload a CRL to your +infrastructure in order to prevent the revoked cert from being accepted. +" # => notice end + return 0 +} #= revoke() + +# gen-crl backend +gen_crl() { + verify_ca_init + + local out_file="$EASYRSA_PKI/crl.pem" + "$EASYRSA_OPENSSL" ca -gencrl -out "$out_file" -config "$EASYRSA_SSL_CONF" || die "\ +CRL Generation failed. +" + + notice "\ +An updated CRL has been created. +CRL file: $out_file +" + return 0 +} # => gen_crl() + +# import-req backend +import_req() { + verify_pki_init + + # pull passed paths + local in_req="$1" short_name="$2" + local out_req="$EASYRSA_PKI/reqs/$2.req" + + [ -n "$short_name" ] || die "\ +Unable to import: incorrect command syntax. +Run easyrsa without commands for usage and command help." + + verify_file req "$in_req" || die "\ +The input file does not appear to be a certificate request. Aborting import. +Offending file: $in_req" + + # destination must not exist + [ -f "$out_req" ] && die "\ +Unable to import the request as the destination file already exists. +Please choose a different name for your imported request file. +Existing file at: $out_req" + + # now import it + cp "$in_req" "$out_req" + + notice "\ +The request has been successfully imported with a short name of: $short_name +You may now use this name to perform signing operations on this request. +" + return 0 +} # => import_req() + +# export-p12 backend +export_p12() { + [ -n "$1" ] || die "\ +Unable to export p12: incorrect command syntax. +Run easyrsa without commands for usage and command help." 
+ + local short_name="$1" + local crt_in="$EASYRSA_PKI/issued/$1.crt" + local key_in="$EASYRSA_PKI/private/$1.key" + local p12_out="$EASYRSA_PKI/private/$1.p12" + local crt_ca="$EASYRSA_PKI/ca.crt" + shift + + verify_pki_init + + # opts support + local want_ca=1 + while [ -n "$1" ]; do + case "$1" in + noca) want_ca=0 ;; + *) warn "Ignoring unknown command option: '$1'" ;; + esac + shift + done + + local p12_opts= + if [ $want_ca -eq 1 ]; then + verify_file x509 "$crt_ca" || die "\ +Unable to include CA cert in the p12 output (missing file, or use noca option.) +Missing file expected at: $crt_ca" + p12_opts="$p12_opts -certfile $crt_ca" + fi + + # input files must exist + verify_file x509 "$crt_in" || die "\ +Unable to export p12 for short name '$short_name' without the certificate. +Missing cert expected at: $crt_in" + + [ -f "$key_in" ] || die "\ +Unable to export p12 for short name '$short_name' without the key. +Missing key expected at: $key_in" + + # export the p12: + "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \ + -out "$p12_out" $p12_opts || die "\ +Export of p12 failed: see above for related openssl errors." + + notice "\ +Successful export of p12 file. Your exported file is at the following +location: $p12_out +" + return 0 +} # => export_p12() + +# update-db backend +update_db() { + verify_ca_init + + "$EASYRSA_OPENSSL" ca -updatedb -config "$EASYRSA_SSL_CONF" || die "\ +Failed to perform update-db: see above for related openssl errors." 
+ return 0 +} # => update_db() + +# display cert DN info on a req/X509, passed by full pathname +display_dn() { + local format="$1" path="$2" + print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)" +} # => display_dn() + +# verify a file seems to be a valid req/X509 +verify_file() { + local format="$1" path="$2" + "$EASYRSA_OPENSSL" $format -in "$path" -noout 2>/dev/null || return 1 + return 0 +} # => verify_x509() + +# show-* command backend +# Prints req/cert details in a readable format +show() { + local type="$1" name="$2" in_file format + [ -n "$name" ] || die "\ +Missing expected filename_base argument. +Run easyrsa without commands for usage help." + shift 2 + + # opts support + local opts="-${type}opt no_pubkey,no_sigdump" + while [ -n "$1" ]; do + case "$1" in + full) opts= ;; + *) warn "Ignoring unknown command option: '$1'" ;; + esac + shift + done + + # Determine cert/req type + if [ "$type" = "cert" ]; then + verify_ca_init + in_file="$EASYRSA_PKI/issued/${name}.crt" + format="x509" + else + verify_pki_init + in_file="$EASYRSA_PKI/reqs/${name}.req" + format="req" + fi + + # Verify file exists and is of the correct type + [ -f "$in_file" ] || die "\ +No such $type file with a basename of '$name' is present. +Expected to find this file at: +$in_file" + verify_file $format "$in_file" || die "\ +This file is not a valid $type file: +$in_file" + + notice "\ +Showing $type details for '$name'. +This file is stored at: +$in_file +" + "$EASYRSA_OPENSSL" $format -in "$in_file" -noout -text\ + -nameopt multiline $opts || die "\ +OpenSSL failure to process the input" +} # => show() + +# vars setup +# Here sourcing of 'vars' if present occurs. If not present, defaults are used +# to support running without a sourced config format +vars_setup() { + # Try to locate a 'vars' file in order of location preference. 
+ # If one is found, source it + local vars= + + # set up program path + local prog_vars="${0%/*}/vars" + + # command-line path: + if [ -f "$EASYRSA_VARS_FILE" ]; then + vars="$EASYRSA_VARS_FILE" + # EASYRSA_PKI, if defined: + elif [ -n "$EASYRSA_PKI" ] && [ -f "$EASYRSA_PKI/vars" ]; then + vars="$EASYRSA_PKI/vars" + # EASYRSA, if defined: + elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then + vars="$EASYRSA/vars" + # program location: + elif [ -f "$prog_vars" ]; then + vars="$prog_vars" + fi + + # If a vars file was located, source it + # If $EASYRSA_NO_VARS is defined (not blank) this is skipped + if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then + EASYRSA_CALLER=1 . "$vars" + notice "\ +Note: using Easy-RSA configuration from: $vars" + fi + + # Set defaults, preferring existing env-vars if present + set_var EASYRSA "$PWD" + set_var EASYRSA_OPENSSL openssl + set_var EASYRSA_PKI "$EASYRSA/pki" + set_var EASYRSA_DN cn_only + set_var EASYRSA_REQ_COUNTRY "US" + set_var EASYRSA_REQ_PROVINCE "California" + set_var EASYRSA_REQ_CITY "San Francisco" + set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" + set_var EASYRSA_REQ_EMAIL me@example.net + set_var EASYRSA_REQ_OU "My Organizational Unit" + set_var EASYRSA_KEY_SIZE 2048 + set_var EASYRSA_CA_EXPIRE 3650 + set_var EASYRSA_CERT_EXPIRE 3650 + set_var EASYRSA_CRL_DAYS 180 + set_var EASYRSA_NS_SUPPORT no + set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" + set_var EASYRSA_REQ_CN ChangeMe + set_var EASYRSA_DIGEST sha256 + + # Detect openssl config, preferring EASYRSA_PKI over EASYRSA + if [ -f "$EASYRSA_PKI/openssl-1.0.cnf" ]; then + set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-1.0.cnf" + else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" + fi + + # Same as above for the x509-types extensions dir + if [ -d "$EASYRSA_PKI/x509-types" ]; then + set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types" + else set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" 
+ fi + + # Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32) + export OPENSSL_CONF="$EASYRSA_SSL_CONF" +} # vars_setup() + +# variable assignment by indirection when undefined; merely exports +# the variable when it is already defined (even if currently null) +# Sets $1 as the value contained in $2 and exports (may be blank) +set_var() { + local var=$1 + shift + local value="$*" + eval "export $var=\"\${$var-$value}\"" +} #=> set_var() + +######################################## +# Invocation entry point: + +# Be secure with a restrictive umask +[ -z "$EASYRSA_NO_UMASK" ] && umask 077 + +# Parse options +while :; do + # Separate option from value: + opt="${1%%=*}" + val="${1#*=}" + empty_ok=0 # Empty values are not allowed unless excepted + + case "$opt" in + --days) + export EASYRSA_CERT_EXPIRE="$val" + export EASYRSA_CA_EXPIRE="$val" + export EASYRSA_CRL_DAYS="$val" + ;; + --pki-dir) + export EASYRSA_PKI="$val" ;; + --keysize) + export EASYRSA_KEY_SIZE="$val" ;; + --dn-mode) + export EASYRSA_DN="$val" ;; + --req-cn) + export EASYRSA_REQ_CN="$val" ;; + --digest) + export EASYRSA_DIGEST="$val" ;; + --req-c) + empty_ok=1 + export EASYRSA_REQ_COUNTRY="$val" ;; + --req-st) + empty_ok=1 + export EASYRSA_REQ_PROVINCE="$val" ;; + --req-city) + empty_ok=1 + export EASYRSA_REQ_CITY="$val" ;; + --req-org) + empty_ok=1 + export EASYRSA_REQ_ORG="$val" ;; + --req-email) + empty_ok=1 + export EASYRSA_REQ_EMAIL="$val" ;; + --req-ou) + empty_ok=1 + export EASYRSA_REQ_OU="$val" ;; + --ns-cert) + export EASYRSA_NS_SUPPORT="$val" ;; + --ns-comment) + empty_ok=1 + export EASYRSA_NS_COMMENT="$val" ;; + --batch) + export EASYRSA_BATCH="$val" ;; + --subca-len) + export EASYRSA_SUBCA_LEN="$val" ;; + --vars) + export EASYRSA_VARS_FILE="$val" ;; + --subject-alt-name) + export EASYRSA_EXTRA_EXTS="\ +$EASYRSA_EXTRA_EXTS +subjectAltName = $val" ;; + *) + break ;; + esac + + # fatal error when no value was provided + if [ "$val" = "$1" ] || { [ $empty_ok = 0 ] && [ -z 
"$val" ]; }; then + die "Missing value to option: $opt" + fi + + shift +done + +# Intelligent env-var detection and auto-loading: +vars_setup + +# EASYRSA_BATCH must be defined or numeric tests will fail. +[ -n "$EASYRSA_BATCH" ] || EASYRSA_BATCH=0 +# Fix & warn user if defined value is not 0 or 1. +[ "$EASYRSA_BATCH" = 1 ] || [ "$EASYRSA_BATCH" = 0 ] || { + EASYRSA_BATCH=0 + warn "Invalid 'EASYRSA_BATCH' var has been defined to 0. Bad value was: '$EASYRSA_BATCH'" +} + +# determine how we were called, then hand off to the function responsible +cmd="$1" +[ -n "$1" ] && shift # scrape off command +case "$cmd" in + init-pki|clean-all) + init_pki "$@" + ;; + build-ca) + build_ca "$@" + ;; + gen-dh) + gen_dh + ;; + gen-req) + gen_req "$@" + ;; + sign|sign-req) + sign_req "$@" + ;; + build-client-full) + build_full client "$@" + ;; + build-server-full) + build_full server "$@" + ;; + gen-crl) + gen_crl + ;; + revoke) + revoke "$@" + ;; + import-req) + import_req "$@" + ;; + export-p12) + export_p12 "$@" + ;; + update-db) + update_db + ;; + show-req) + show req "$@" + ;; + show-cert) + show cert "$@" + ;; + ""|help|-h|--help|--usage) + cmd_help "$1" + exit 0 + ;; + *) + die "Unknown command '$cmd'. Run without commands for usage help." + ;; +esac + +# vim: ft=sh nu ai sw=8 ts=8 diff --git a/easyrsa3/openssl-1.0.cnf b/easyrsa3/openssl-1.0.cnf new file mode 100644 index 0000000..5da819a --- /dev/null +++ b/easyrsa3/openssl-1.0.cnf 
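Review bot: the EASYRSA_BATCH validation just after `vars_setup` assigns `EASYRSA_BATCH=0` before it calls `warn`, so `Bad value was: '$EASYRSA_BATCH'` always prints `0` instead of the rejected value; save the original into a local (or print it) before resetting. Further points in this hunk: `revoke()` runs `verify_file x509 "$crt_in"` before the `[ -f "$crt_in" ]` existence test, so the `no certificate was found` branch is unreachable and a missing file is reported as an invalid certificate (move the existence check first); `--subject-alt-name` appends another `subjectAltName = $val` line to `EASYRSA_EXTRA_EXTS` on every use, while the `altname` help text promises that a further invocation will REPLACE the value, so one of the two needs to change; `vars_setup` builds `prog_vars` from `${0%/*}`, which leaves `$0` unchanged when the script was located via PATH (no slash in `$0`), so `vars` is then looked up relative to the current working directory rather than beside the script, which is the wrong place to take configuration from; `gen_req` and `sign_req` write to the fixed-name `EASYRSA_TEMP_FILE` (the default under `$EASYRSA_PKI` is covered by `umask 077`, but vars.example invites users to point it at /tmp or /dev/shm), so a `mktemp`-created file would be the safer default, and `gen_req` leaves the temp file behind when the awk copy fails and `die` fires; `cat "$EASYRSA_EXT_DIR/COMMON"` is commented as optional yet prints an error when the file is absent (guard it with `[ -f ... ] &&`). Minor: the trailer comment on `verify_file()` still says `verify_x509()`, and `revoke()` closes with `#=` rather than the `# =>` used everywhere else.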
@@ -0,0 +1,139 @@ +# For use with Easy-RSA 3.0 and OpenSSL 1.0.* + +RANDFILE = $ENV::EASYRSA_PKI/.rnd + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::EASYRSA_PKI # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/certs_by_serial # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = basic_exts # The extentions to add to the cert + +# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA +# is designed for will. In return, we get the Issuer attached to CRLs. 
+crl_extensions = crl_ext + +default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for +default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL +default_md = $ENV::EASYRSA_DIGEST # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the 'anything' policy, which defines allowed DN fields +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +# Easy-RSA request handling +# We key off $DN_MODE to determine how to format the DN +[ req ] +default_bits = $ENV::EASYRSA_KEY_SIZE +default_keyfile = privkey.pem +default_md = $ENV::EASYRSA_DIGEST +distinguished_name = $ENV::EASYRSA_DN +x509_extensions = easyrsa_ca # The extentions to add to the self signed cert +# A section to handle the $EXTRA_EXTS feature +req_extensions = req_extra + +[ req_extra ] +#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it + +#################################################################### +# Easy-RSA DN (Subject) handling + +# Easy-RSA DN for cn_only support: +[ cn_only ] +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = $ENV::EASYRSA_REQ_CN + +# Easy-RSA DN for org support: +[ org ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::EASYRSA_REQ_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = 
$ENV::EASYRSA_REQ_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::EASYRSA_REQ_ORG + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = $ENV::EASYRSA_REQ_OU + +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = $ENV::EASYRSA_REQ_CN + +emailAddress = Email Address +emailAddress_default = $ENV::EASYRSA_REQ_EMAIL +emailAddress_max = 64 + +#################################################################### +# Easy-RSA cert extension handling + +# This section is effectively unused as the main script sets extensions +# dynamically. This core section is left to support the odd usecase where +# a user calls openssl directly. +[ basic_exts ] +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always + +# The Easy-RSA CA extensions +[ easyrsa_ca ] + +# PKIX recommendations: + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always + +# This could be marked critical, but it's nice to support reading by any +# broken clients who attempt to do so. +basicConstraints = CA:true + +# Limit key usage to CA tasks. If you really want to use the generated pair as +# a self-signed cert, comment this out. +keyUsage = cRLSign, keyCertSign + +# nsCertType omitted by default. Let's try to let the deprecated stuff die. +# nsCertType = sslCA + +# CRL extensions. +[ crl_ext ] + +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example new file mode 100644 index 0000000..67a6844 --- /dev/null +++ b/easyrsa3/vars.example 
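Review bot: `keyUsage = cRLSign, keyCertSign` in `[ easyrsa_ca ]` is not marked critical; RFC 5280 recommends marking keyUsage critical when present, and for a CA certificate there is no client-compatibility reason to leave it off, so `keyUsage = critical, cRLSign, keyCertSign` is preferable. Also: `RANDFILE` is set twice with two different names (`$ENV::EASYRSA_PKI/.rnd` at the top and `$dir/.rand` in `[ CA_default ]`), which should be unified; `unique_subject` is not set, so OpenSSL's default of `yes` applies and `openssl ca` will refuse to issue for a name whose earlier certificate is still valid in `index.txt`, which either deserves a comment or an explicit `unique_subject = no`; `default_days`, `default_md` and `default_bits` are all read from `$ENV::` variables, so the `basic_exts` comment about users calling openssl directly should say that the Easy-RSA environment must be exported for the file to load at all. Typos: `extentions` (twice) and `A few difference way`.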
@@ -0,0 +1,187 @@ +# Easy-RSA 3 parameter settings + +# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit +# this file in place -- instead, you should copy the entire easy-rsa directory +# to another location so future upgrades don't wipe out your changes. + +# HOW TO USE THIS FILE +# +# vars.example contains built-in examples to Easy-RSA settings. You MUST name +# this file 'vars' if you want it to be used as a configuration file. If you do +# not, it WILL NOT be automatically read when you call easyrsa commands. +# +# It is not necessary to use this config file unless you wish to change +# operational defaults. These defaults should be fine for many uses without the +# need to copy and edit the 'vars' file. +# +# All of the editable settings are shown commented and start with the command +# 'set_var' -- this means any set_var command that is uncommented has been +# modified by the user. If you're happy with a default, there is no need to +# define the value to its default. + +# NOTES FOR WINDOWS USERS +# +# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped +# backslashes (single forward slashes are recommended.) This means your path to +# the openssl binary might look like this: +# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# A little housekeeping: DON'T EDIT THIS SECTION +# +# Easy-RSA 3.x doesn't source into the environment directly. +# Complain if a user tries to do this: +if [ -z "$EASYRSA_CALLER" ]; then + echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2 + echo "This is no longer necessary and is disallowed. See the section called" >&2 + echo "'How to use this file' near the top comments for more details." >&2 + return 1 +fi + +# DO YOUR EDITS BELOW THIS POINT + +# This variable should point to the top level of the easy-rsa tree. By default, +# this is taken to be the directory you are currently in. 
+ +#set_var EASYRSA "$PWD" + +# If your OpenSSL command is not in the system PATH, you will need to define the +# path to it here. Normally this means a full path to the executable, otherwise +# you could have left it undefined here and the shown default would be used. +# +# Windows users, remember to use paths with forward-slashes (or escaped +# back-slashes.) Windows users should declare the full path to the openssl +# binary here if it is not in their system PATH. + +#set_var EASYRSA_OPENSSL "openssl" +# +# This sample is in Windows syntax -- edit it for your path if not using PATH: +#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# Edit this variable to point to your soon-to-be-created key directory. +# +# WARNING: init-pki will do a rm -rf on this directory so make sure you define +# it correctly! (Interactive mode will prompt before acting.) + +#set_var EASYRSA_PKI "$EASYRSA/pki" + +# Define X509 DN mode. +# This is used to adjust what elements are included in the Subject field as the DN +# (this is the "Distinguished Name.") +# Note that in cn_only mode the Organizational fields further below aren't used. +# +# Choices are: +# cn_only - use just a CN value +# org - use the "traditional" Country/Province/City/Org/OU/email/CN format + +#set_var EASYRSA_DN "cn_only" + +# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.) +# These are the default values for fields which will be placed in the +# certificate. Don't leave any of these fields blank, although interactively +# you may omit any specific field by typing the "." symbol (not valid for +# email.) + +#set_var EASYRSA_REQ_COUNTRY "US" +#set_var EASYRSA_REQ_PROVINCE "California" +#set_var EASYRSA_REQ_CITY "San Francisco" +#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" +#set_var EASYRSA_REQ_EMAIL "me@example.net" +#set_var EASYRSA_REQ_OU "My Organizational Unit" + +# Choose a size in bits for your keypairs. The recommended value is 2048. 
Using +# 2048-bit keys is considered more than sufficient for many years into the +# future. Larger keysizes will slow down TLS negotiation and make key/DH param +# generation take much longer. Values up to 4096 should be accepted by most +# software. + +#set_var EASYRSA_KEY_SIZE 2048 + +# In how many days should the root CA key expire? + +#set_var EASYRSA_CA_EXPIRE 3650 + +# In how many days should certificates expire? + +#set_var EASYRSA_CERT_EXPIRE 3650 + +# How many days until the next CRL publish date? Note that the CRL can still be +# parsed after this timeframe passes. It is only used for an expected next +# publication date. + +#set_var EASYRSA_CRL_DAYS 180 + +# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default +# is "no" to discourage use of deprecated extensions. If you require this +# feature to use with --ns-cert-type, set this to "yes" here. This support +# should be replaced with the more modern --remote-cert-tls feature. If you do +# not use --ns-cert-type in your configs, it is safe (and recommended) to leave +# this defined to "no". When set to "yes", server-signed certs get the +# nsCertType=server attribute, and also get any NS_COMMENT defined below in the +# nsComment field. + +#set_var EASYRSA_NS_SUPPORT "no" + +# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. +# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. + +#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + +# A temp file used to stage cert extensions during signing. The default should +# be fine for most users; however, some users might want an alternative under a +# RAM-based FS, such as /dev/shm or /tmp on some systems. + +#set_var EASYRSA_TEMP_FILE "$PKI_DIR/extensions.temp" + +# !! +# NOTE: ADVANCED OPTIONS BELOW THIS POINT +# PLAY WITH THEM AT YOUR OWN RISK +# !! 
+ +# Broken shell command aliases: If you have a largely broken shell that is +# missing any of these POSIX-required commands used by Easy-RSA, you will need +# to define an alias to the proper path for the command. The symptom will be +# some form of a 'command not found' error from your shell. This means your +# shell is BROKEN, but you can hack around it here if you really need. These +# shown values are not defaults: it is up to you to know what you're doing if +# you touch these. +# +#alias awk="/alt/bin/awk" +#alias cat="/alt/bin/cat" + +# X509 extensions directory: +# If you want to customize the X509 extensions used, set the directory to look +# for extensions here. Each cert type you sign must have a matching filename, +# and an optional file named 'COMMON' is included first when present. Note that +# when undefined here, default behaviour is to look in $PKI_DIR first, then +# fallback to $EASYRSA for the 'x509-types' dir. You may override this +# detection with an explicit dir here. +# +#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" + +# OpenSSL config file: +# If you need to use a specific openssl config file, you can reference it here. +# Normally this file is auto-detected from a file named openssl-1.0.cnf from the +# PKI_DIR or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA +# specific and you cannot just use a standard config file, so this is an +# advanced feature. + +#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" + +# Defualt CN: +# This is best left alone. Interactively you will set this manually, and BATCH +# callers are expected to set this themselves. + +#set_var EASYRSA_REQ_CN "ChangeMe" + +# Cryptographic digest to use. +# Do not change this default unless you understand the security implications. +# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 + +#set_var EASYRSA_DIGEST "sha256" + +# Batch mode. 
Leave this disabled (set to 0) unless you intend to call Easy-RSA +# explicitly in batch mode without any user input, confirmation on dangerous +# operations, or most output. + +#set_var EASYRSA_BATCH 0 + diff --git a/easyrsa3/x509-types/COMMON b/easyrsa3/x509-types/COMMON new file mode 100644 index 0000000..3e9b633 --- /dev/null +++ b/easyrsa3/x509-types/COMMON @@ -0,0 +1,7 @@ +# X509 extensions added to every signed cert + +# This file is included for every cert signed, and by default does nothing. +# It could be used to add values every cert should have, such as a CDP as +# demonstrated in the following example: + +#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl diff --git a/easyrsa3/x509-types/ca b/easyrsa3/x509-types/ca new file mode 100644 index 0000000..ef525b6 --- /dev/null +++ b/easyrsa3/x509-types/ca @@ -0,0 +1,13 @@ +# X509 extensions for a ca + +# Note that basicConstraints will be overridden by Easy-RSA when defining a +# CA_PATH_LEN for CA path length limits. You could also do this here +# manually as in the following example in place of the existing line: +# +# basicConstraints = CA:TRUE, pathlen:1 + +basicConstraints = CA:TRUE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = cRLSign, keyCertSign + diff --git a/easyrsa3/x509-types/client b/easyrsa3/x509-types/client new file mode 100644 index 0000000..a7d81af --- /dev/null +++ b/easyrsa3/x509-types/client @@ -0,0 +1,8 @@ +# X509 extensions for a client + +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +extendedKeyUsage = clientAuth +keyUsage = digitalSignature + diff --git a/easyrsa3/x509-types/server b/easyrsa3/x509-types/server new file mode 100644 index 0000000..bc024be --- /dev/null +++ b/easyrsa3/x509-types/server 
@@ -0,0 +1,8 @@ +# X509 extensions for a server + +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +extendedKeyUsage = serverAuth +keyUsage = digitalSignature,keyEncipherment +
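Review bot: In the vars.example hunk, the EASYRSA_TEMP_FILE default references "$PKI_DIR/extensions.temp" while the user-facing setting introduced a few lines earlier is EASYRSA_PKI ("$EASYRSA/pki"); either document where $PKI_DIR comes from (the EASYRSA_EXT_DIR and EASYRSA_SSL_CONF comments also lean on it) or express the default as "$EASYRSA_PKI/extensions.temp" so a user who overrides EASYRSA_PKI gets the temp file relocated with it. In the same hunk the EASYRSA_DIGEST comment lists md5 and sha1 among the "Valid choices" right after warning about security implications; it would be clearer to list only the SHA-2 digests and say the rest are accepted for legacy interoperability only. Two typos in the comments: "double-esscaped" should read "double-escaped" and "Defualt CN" should read "Default CN".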
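Review bot: In the x509-types/ca hunk, neither basicConstraints nor keyUsage is marked critical; RFC 5280 requires basicConstraints to be critical in CA certificates and recommends the same for keyUsage, and some verifiers refuse to treat a non-critical basicConstraints as a CA grant. Suggest `basicConstraints = critical,CA:TRUE` and `keyUsage = critical,cRLSign,keyCertSign`, and the comment about CA_PATH_LEN overriding the line should say whether the override keeps the critical flag, so a pathlen-limited CA does not silently lose it.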
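Review bot: In the x509-types/client hunk, keyUsage and basicConstraints are again non-critical, which is inconsistent with what the ca type should carry and lets a relying party ignore the CA:FALSE constraint; suggest `basicConstraints = critical,CA:FALSE` and `keyUsage = critical,digitalSignature`. The value formatting also differs between the type files ("cRLSign, keyCertSign" with a space in ca versus "digitalSignature,keyEncipherment" without one in server); pick one style so diffs between the files stay readable.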
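Review bot: In the x509-types/server hunk, the server type carries no subjectAltName, so a signed server certificate identifies its host only through the CN; modern TLS clients and RFC 6125 name matching expect a dNSName SAN and several ignore the CN entirely. A comment pointing users at a per-cert subjectAltName mechanism (or at least noting the omission) belongs here, since the file otherwise reads as a complete server profile. As with the other types, `basicConstraints = critical,CA:FALSE` would make the non-CA constraint binding.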