diff --git a/easy-rsa/1.0/build-ca b/easy-rsa/1.0/build-ca index 5ad59cc..fc51801 100755 --- a/easy-rsa/1.0/build-ca +++ b/easy-rsa/1.0/build-ca @@ -5,9 +5,9 @@ # if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \ - chmod 0600 ca.key + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \ + chmod 0600 ca.key else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/build-inter b/easy-rsa/1.0/build-inter index 8b3a6b2..8dc4830 100755 --- a/easy-rsa/1.0/build-inter +++ b/easy-rsa/1.0/build-inter @@ -6,14 +6,14 @@ # if test $# -ne 1; then - echo "usage: build-inter "; - exit 1 -fi + echo "usage: build-inter "; + exit 1 +fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ + openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/build-key b/easy-rsa/1.0/build-key index 3159d2b..219f156 100755 --- a/easy-rsa/1.0/build-key +++ b/easy-rsa/1.0/build-key 
@@ -6,15 +6,15 @@ # if test $# -ne 1; then - echo "usage: build-key "; - exit 1 -fi + echo "usage: build-key "; + exit 1 +fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ - chmod 0600 $1.key + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ + chmod 0600 $1.key else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/build-key-pass b/easy-rsa/1.0/build-key-pass index 03ab304..086b9c8 100755 --- a/easy-rsa/1.0/build-key-pass +++ b/easy-rsa/1.0/build-key-pass @@ -6,15 +6,15 @@ # if test $# -ne 1; then - echo "usage: build-key-pass "; - exit 1 + echo "usage: build-key-pass "; + exit 1 fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ - chmod 0600 $1.key + cd $KEY_DIR && \ + openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ + chmod 0600 $1.key else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/build-key-pkcs12 b/easy-rsa/1.0/build-key-pkcs12 index f8a057b..28b48af 100755 --- a/easy-rsa/1.0/build-key-pkcs12 +++ b/easy-rsa/1.0/build-key-pkcs12 
@@ -6,16 +6,16 @@ # the CA certificate as well. if test $# -ne 1; then - echo "usage: build-key-pkcs12 "; - exit 1 -fi + echo "usage: build-key-pkcs12 "; + exit 1 +fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ - openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \ - chmod 0600 $1.key $1.p12 + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ + openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \ + chmod 0600 $1.key $1.p12 else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/build-key-server b/easy-rsa/1.0/build-key-server index 30dc41e..b65a931 100755 --- a/easy-rsa/1.0/build-key-server +++ b/easy-rsa/1.0/build-key-server @@ -8,15 +8,15 @@ # extension in the openssl.cnf file. if test $# -ne 1; then - echo "usage: build-key-server "; - exit 1 -fi + echo "usage: build-key-server "; + exit 1 +fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \ - chmod 0600 $1.key + cd $KEY_DIR && \ + openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \ + chmod 0600 $1.key else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/build-req b/easy-rsa/1.0/build-req index 30f62f5..2530f4d 100755 --- a/easy-rsa/1.0/build-req +++ b/easy-rsa/1.0/build-req 
@@ -8,7 +8,7 @@ if test $# -ne 1; then echo "usage: build-req "; exit 1 -fi +fi if test $KEY_DIR; then cd $KEY_DIR && \ diff --git a/easy-rsa/1.0/build-req-pass b/easy-rsa/1.0/build-req-pass index 829b286..65742f9 100755 --- a/easy-rsa/1.0/build-req-pass +++ b/easy-rsa/1.0/build-req-pass @@ -8,7 +8,7 @@ if test $# -ne 1; then echo "usage: build-req-pass "; exit 1 -fi +fi if test $KEY_DIR; then cd $KEY_DIR && \ diff --git a/easy-rsa/1.0/clean-all b/easy-rsa/1.0/clean-all index d10aef5..c3cf533 100755 --- a/easy-rsa/1.0/clean-all +++ b/easy-rsa/1.0/clean-all @@ -9,11 +9,11 @@ d=$KEY_DIR if test $d; then - rm -rf $d - mkdir $d && \ - chmod go-rwx $d && \ - touch $d/index.txt && \ - echo 01 >$d/serial + rm -rf $d + mkdir $d && \ + chmod go-rwx $d && \ + touch $d/index.txt && \ + echo 01 >$d/serial else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/list-crl b/easy-rsa/1.0/list-crl index b214dbd..8570fc6 100644 --- a/easy-rsa/1.0/list-crl +++ b/easy-rsa/1.0/list-crl @@ -6,13 +6,13 @@ # if test $# -ne 1; then - echo "usage: list-crl "; - exit 1 + echo "usage: list-crl "; + exit 1 fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl crl -text -noout -in $1 + cd $KEY_DIR && \ + openssl crl -text -noout -in $1 else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/make-crl b/easy-rsa/1.0/make-crl index 62fe6c1..6f55027 100644 --- a/easy-rsa/1.0/make-crl +++ b/easy-rsa/1.0/make-crl @@ -6,13 +6,13 @@ # if test $# -ne 1; then - echo "usage: make-crl "; - exit 1 + echo "usage: make-crl "; + exit 1 fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -gencrl -out $1 -config $KEY_CONFIG + cd $KEY_DIR && \ + openssl ca -gencrl -out $1 -config $KEY_CONFIG else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/revoke-crt b/easy-rsa/1.0/revoke-crt index 35b071a..0a6fc51 100644 --- a/easy-rsa/1.0/revoke-crt +++ b/easy-rsa/1.0/revoke-crt 
@@ -6,13 +6,13 @@ # if test $# -ne 1; then - echo "usage: revoke-crt "; - exit 1 + echo "usage: revoke-crt "; + exit 1 fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -revoke $1 -config $KEY_CONFIG + cd $KEY_DIR && \ + openssl ca -revoke $1 -config $KEY_CONFIG else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/revoke-full b/easy-rsa/1.0/revoke-full index 66ea03f..be3774f 100755 --- a/easy-rsa/1.0/revoke-full +++ b/easy-rsa/1.0/revoke-full @@ -7,23 +7,23 @@ CRL=crl.pem RT=revoke-test.pem if test $# -ne 1; then - echo "usage: revoke-full "; - exit 1 + echo "usage: revoke-full "; + exit 1 fi if test $KEY_DIR; then - cd $KEY_DIR - rm -f $RT + cd $KEY_DIR + rm -f $RT - # revoke key and generate a new CRL - openssl ca -revoke $1.crt -config $KEY_CONFIG + # revoke key and generate a new CRL + openssl ca -revoke $1.crt -config $KEY_CONFIG - # generate a new CRL - openssl ca -gencrl -out $CRL -config $KEY_CONFIG - cat ca.crt $CRL >$RT - - # verify the revocation - openssl verify -CAfile $RT -crl_check $1.crt + # generate a new CRL + openssl ca -gencrl -out $CRL -config $KEY_CONFIG + cat ca.crt $CRL >$RT + + # verify the revocation + openssl verify -CAfile $RT -crl_check $1.crt else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/1.0/sign-req b/easy-rsa/1.0/sign-req index 59edc42..ecb35a2 100755 --- a/easy-rsa/1.0/sign-req +++ b/easy-rsa/1.0/sign-req @@ -6,13 +6,13 @@ # if test $# -ne 1; then - echo "usage: sign-req "; - exit 1 -fi + echo "usage: sign-req "; + exit 1 +fi if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG + cd $KEY_DIR && \ + openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG else - echo you must define KEY_DIR + echo you must define KEY_DIR fi diff --git a/easy-rsa/2.0/clean-all b/easy-rsa/2.0/clean-all index cc6e3b2..b1d0237 100755 --- a/easy-rsa/2.0/clean-all +++ b/easy-rsa/2.0/clean-all 
@@ -7,9 +7,9 @@ if [ "$KEY_DIR" ]; then rm -rf "$KEY_DIR" mkdir "$KEY_DIR" && \ - chmod go-rwx "$KEY_DIR" && \ - touch "$KEY_DIR/index.txt" && \ - echo 01 >"$KEY_DIR/serial" + chmod go-rwx "$KEY_DIR" && \ + touch "$KEY_DIR/index.txt" && \ + echo 01 >"$KEY_DIR/serial" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' diff --git a/easy-rsa/2.0/inherit-inter b/easy-rsa/2.0/inherit-inter index aaa5168..1fe3539 100755 --- a/easy-rsa/2.0/inherit-inter +++ b/easy-rsa/2.0/inherit-inter @@ -27,9 +27,9 @@ if [ "$KEY_DIR" ]; then cp "$1/$2.key" "$KEY_DIR/ca.key" if [ -e "$1/$EXPORT_CA" ]; then - PARENT_CA="$1/$EXPORT_CA" + PARENT_CA="$1/$EXPORT_CA" else - PARENT_CA="$1/ca.crt" + PARENT_CA="$1/ca.crt" fi cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" diff --git a/easy-rsa/2.0/list-crl b/easy-rsa/2.0/list-crl index d1d8a69..32c1143 100755 --- a/easy-rsa/2.0/list-crl +++ b/easy-rsa/2.0/list-crl @@ -6,7 +6,7 @@ CRL="${1:-crl.pem}" if [ "$KEY_DIR" ]; then cd "$KEY_DIR" && \ - $OPENSSL crl -text -noout -in "$CRL" + $OPENSSL crl -text -noout -in "$CRL" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' diff --git a/easy-rsa/2.0/pkitool b/easy-rsa/2.0/pkitool index b9a9e44..b79e0de 100755 --- a/easy-rsa/2.0/pkitool +++ b/easy-rsa/2.0/pkitool @@ -24,8 +24,8 @@ # pkitool is a front-end for the openssl tool. -# Calling scripts can set the certificate organizational -# unit with the KEY_OU environmental variable. +# Calling scripts can set the certificate organizational +# unit with the KEY_OU environmental variable. # Calling scripts can also set the KEY_NAME environmental # variable to set the "name" X509 subject field. 
@@ -44,81 +44,94 @@ die() need_vars() { - echo ' Please edit the vars script to reflect your configuration,' - echo ' then source it with "source ./vars".' - echo ' Next, to start with a fresh PKI configuration and to delete any' - echo ' previous certificates and keys, run "./clean-all".' - echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys." + cat < root certificate (--ca)" - echo " ca.key -> root key, keep secure (not directly used by OpenVPN)" - echo " .crt files -> client/server certificates (--cert)" - echo " .key files -> private keys, keep secure (--key)" - echo " .csr files -> certificate signing request (not directly used by OpenVPN)" - echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)" - echo "Examples:" - echo " $PROGNAME --initca -> Build root certificate" - echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key" - echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" - echo " $PROGNAME client1 -> Build \"client1\" certificate/key" - echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" - echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format" - echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" - echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" - echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" - echo " Also see ./inherit-inter script." - echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5" - echo " -> Build \"client5\" certificate/key in PKCS#11 token" - echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." - echo "Protect client2 key with a password. Build DH parms. 
Generated files in ./keys :" - echo " [edit vars with your site-specific info]" - echo " source ./vars" - echo " ./clean-all" - echo " ./build-dh -> takes a long time, consider backgrounding" - echo " ./$PROGNAME --initca" - echo " ./$PROGNAME --server myserver" - echo " ./$PROGNAME client1" - echo " ./$PROGNAME --pass client2" - echo "Typical usage for adding client cert to existing PKI:" - echo " source ./vars" - echo " ./$PROGNAME client-new" + cat < root certificate (--ca) + ca.key -> root key, keep secure (not directly used by OpenVPN) + .crt files -> client/server certificates (--cert) + .key files -> private keys, keep secure (--key) + .csr files -> certificate signing request (not directly used by OpenVPN) + dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) + +Examples: + $PROGNAME --initca -> Build root certificate + $PROGNAME --initca --pass -> Build root certificate with password-protected key + $PROGNAME --server server1 -> Build "server1" certificate/key + $PROGNAME client1 -> Build "client1" certificate/key + $PROGNAME --pass client2 -> Build password-protected "client2" certificate/key + $PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format + $PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA + $PROGNAME --sign client4 -> Sign "client4" CSR + $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key + Also see ./inherit-inter script. + $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5 + -> Build "client5" certificate/key in PKCS#11 token + +Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. +Protect client2 key with a password. Build DH parms. 
Generated files in ./keys : + [edit vars with your site-specific info] + source ./vars + ./clean-all + ./build-dh -> takes a long time, consider backgrounding + ./$PROGNAME --initca + ./$PROGNAME --server myserver + ./$PROGNAME client1 + ./$PROGNAME --pass client2 + +Typical usage for adding client cert to existing PKI: + source ./vars + ./$PROGNAME client-new +EOM } # Set tool defaults 
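Review bot: The opening line of each new heredoc is not legible on this page (the text is truncated to `cat <`), so the delimiter cannot be checked; the bodies rely on `$PROGNAME` expanding, so the delimiter must be unquoted (`cat <<EOM`), which also means any `$`, backtick or `$(…)` that later lands in the help text is expanded or executed rather than printed. A one-line comment above each heredoc would make that contract explicit, e.g. `# unquoted delimiter on purpose: $PROGNAME must expand; escape any other $ or backtick in this text`. The rest of need_vars() and usage() is now plain text with the same wording as the removed echo lines, apart from the added blank separator lines. usage() begins inside this hunk, but its opening line is lost in the page's rendering.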
@@ -146,51 +159,51 @@ PKCS11_PIN="dummy" while [ $# -gt 0 ]; do case "$1" in --keysize ) KEY_SIZE=$2 - shift;; - --server ) REQ_EXT="$REQ_EXT -extensions server" - CA_EXT="$CA_EXT -extensions server" ;; - --batch ) BATCH="-batch" ;; - --interact ) BATCH="" ;; + shift;; + --server ) REQ_EXT="$REQ_EXT -extensions server" + CA_EXT="$CA_EXT -extensions server" ;; + --batch ) BATCH="-batch" ;; + --interact ) BATCH="" ;; --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; --initca ) DO_ROOT="1" ;; - --pass ) NODES_REQ="" ;; + --pass ) NODES_REQ="" ;; --csr ) DO_CA="0" ;; --sign ) DO_REQ="0" ;; --pkcs12 ) DO_P12="1" ;; - --pkcs11 ) DO_P11="1" - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - PKCS11_ID="$4" - PKCS11_LABEL="$5" - shift 4;; + --pkcs11 ) DO_P11="1" + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_ID="$4" + PKCS11_LABEL="$5" + shift 4;; - # standalone - --pkcs11-init) - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - PKCS11_LABEL="$4" - if [ -z "$PKCS11_LABEL" ]; then - die "Please specify library name, slot and label" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ - --label "$PKCS11_LABEL" && - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" - exit $?;; - --pkcs11-slots) - PKCS11_MODULE_PATH="$2" - if [ -z "$PKCS11_MODULE_PATH" ]; then - die "Please specify library name" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots - exit 0;; - --pkcs11-objects) - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - if [ -z "$PKCS11_SLOT" ]; then - die "Please specify library name and slot" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" - exit 0;; + # standalone + --pkcs11-init) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_LABEL="$4" + if [ -z "$PKCS11_LABEL" ]; then + die "Please specify library name, slot and label" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ + --label "$PKCS11_LABEL" && + $PKCS11TOOL 
--module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" + exit $?;; + --pkcs11-slots) + PKCS11_MODULE_PATH="$2" + if [ -z "$PKCS11_MODULE_PATH" ]; then + die "Please specify library name" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots + exit 0;; + --pkcs11-objects) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + if [ -z "$PKCS11_SLOT" ]; then + die "Please specify library name and slot" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" + exit 0;; --help|--usage) usage @@ -198,27 +211,27 @@ while [ $# -gt 0 ]; do --version) echo "$PROGNAME $VERSION" exit ;; - # errors - --* ) die "$PROGNAME: unknown option: $1" ;; - * ) break ;; + # errors + --* ) die "$PROGNAME: unknown option: $1" ;; + * ) break ;; esac - shift + shift done if ! [ -z "$BATCH" ]; then - if $OPENSSL version | grep 0.9.6 > /dev/null; then - die "Batch mode is unsupported in openssl<0.9.7" - fi + if $OPENSSL version | grep 0.9.6 > /dev/null; then + die "Batch mode is unsupported in openssl<0.9.7" + fi fi if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then - die "PKCS#11 and PKCS#12 cannot be specified together" + die "PKCS#11 and PKCS#12 cannot be specified together" fi if [ $DO_P11 -eq 1 ]; then - if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then - die "Please edit $KEY_CONFIG and setup PKCS#11 engine" - fi + if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then + die "Please edit $KEY_CONFIG and setup PKCS#11 engine" + fi fi # If we are generating pkcs12, only encrypt the final step @@ -228,9 +241,9 @@ if [ $DO_P12 -eq 1 ]; then fi if [ $DO_P11 -eq 1 ]; then - if [ -z "$PKCS11_LABEL" ]; then - die "PKCS#11 arguments incomplete" - fi + if [ -z "$PKCS11_LABEL" ]; then + die "PKCS#11 arguments incomplete" + fi fi # If undefined, set default key expiration intervals 
@@ -254,28 +267,28 @@ fi # Set KEY_CN, FN if [ $DO_ROOT -eq 1 ]; then if [ -z "$KEY_CN" ]; then - if [ "$1" ]; then - KEY_CN="$1" - elif [ "$KEY_ORG" ]; then - KEY_CN="$KEY_ORG CA" - fi + if [ "$1" ]; then + KEY_CN="$1" + elif [ "$KEY_ORG" ]; then + KEY_CN="$KEY_ORG CA" + fi fi if [ $BATCH ] && [ "$KEY_CN" ]; then - echo "Using CA Common Name:" "$KEY_CN" + echo "Using CA Common Name:" "$KEY_CN" fi FN="$KEY_CN" elif [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using Common Name:" "$KEY_CN" FN="$KEY_CN" if [ "$1" ]; then - FN="$1" + FN="$1" fi else if [ $# -ne 1 ]; then - usage - exit 1 + usage + exit 1 else - KEY_CN="$1" + KEY_CN="$1" fi FN="$KEY_CN" fi 
@@ -312,64 +325,64 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then # Make sure $KEY_CONFIG points to the correct version # of openssl.cnf if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then - : + : else - echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" + echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" echo "version of openssl.cnf: $KEY_CONFIG" - echo "The correct version should have a comment that says: easy-rsa version 2.x"; - exit 1; + echo "The correct version should have a comment that says: easy-rsa version 2.x"; + exit 1; fi # Build root CA if [ $DO_ROOT -eq 1 ]; then - $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ - -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ - chmod 0600 "$CA.key" - else + $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + chmod 0600 "$CA.key" + else # Make sure CA key/cert is available - if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then - if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then - echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" - echo "Try $PROGNAME --initca to build a root certificate/key." - exit 1 - fi - fi + if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then + if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then + echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" + echo "Try $PROGNAME --initca to build a root certificate/key." + exit 1 + fi + fi - # Generate key for PKCS#11 token - PKCS11_ARGS= - if [ $DO_P11 -eq 1 ]; then - stty -echo - echo -n "User PIN: " - read -r PKCS11_PIN - stty echo - export PKCS11_PIN + # Generate key for PKCS#11 token + PKCS11_ARGS= + if [ $DO_P11 -eq 1 ]; then + stty -echo + echo -n "User PIN: " + read -r PKCS11_PIN + stty echo + export PKCS11_PIN - echo "Generating key pair on PKCS#11 token..." 
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ - --login --pin "$PKCS11_PIN" \ - --key-type rsa:1024 \ - --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 - PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" - fi + echo "Generating key pair on PKCS#11 token..." + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ + --login --pin "$PKCS11_PIN" \ + --key-type rsa:1024 \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 + PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" + fi # Build cert/key - ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ - -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ - ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ - -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ - ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ - -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ - ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ - ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) + ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ + ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ + -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ + -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ + ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ + ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) - # Load certificate into PKCS#11 token - if [ $DO_P11 -eq 1 ]; then - $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ - 
--login --pin "$PKCS11_PIN" \ - --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" - [ -e "$FN.crt.der" ]; rm "$FN.crt.der" - fi + # Load certificate into PKCS#11 token + if [ $DO_P11 -eq 1 ]; then + $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ + --login --pin "$PKCS11_PIN" \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" + [ -e "$FN.crt.der" ]; rm "$FN.crt.der" + fi fi diff --git a/easy-rsa/2.0/revoke-full b/easy-rsa/2.0/revoke-full index 4169c4c..439f6a0 100755 --- a/easy-rsa/2.0/revoke-full +++ b/easy-rsa/2.0/revoke-full @@ -27,11 +27,11 @@ if [ "$KEY_DIR" ]; then # intermediate PKIs $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" if [ -e export-ca.crt ]; then - cat export-ca.crt "$CRL" >"$RT" + cat export-ca.crt "$CRL" >"$RT" else - cat ca.crt "$CRL" >"$RT" + cat ca.crt "$CRL" >"$RT" fi - + # verify the revocation $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" else diff --git a/easy-rsa/2.0/whichopensslcnf b/easy-rsa/2.0/whichopensslcnf index ccdaf50..4c5f3c7 100755 --- a/easy-rsa/2.0/whichopensslcnf +++ b/easy-rsa/2.0/whichopensslcnf @@ -3,15 +3,15 @@ cnf="$1/openssl.cnf" if [ "$OPENSSL" ]; then - if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then - cnf="$1/openssl-0.9.6.cnf" - elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then - cnf="$1/openssl-0.9.8.cnf" - elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then - cnf="$1/openssl-1.0.0.cnf" - else - cnf="$1/openssl.cnf" - fi + if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-0.9.6.cnf" + elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-0.9.8.cnf" + elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-1.0.0.cnf" + else + cnf="$1/openssl.cnf" + fi fi echo $cnf