230 lines
8.8 KiB
Plaintext
230 lines
8.8 KiB
Plaintext
# Easy-RSA 3 parameter settings
|
|
|
|
# NOTE: If you installed Easy-RSA from your package manager, do not edit
|
|
# this file in place -- instead, you should copy the entire easy-rsa directory
|
|
# to another location so future upgrades do not wipe out your changes.
|
|
|
|
# HOW TO USE THIS FILE
|
|
#
|
|
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
|
|
# this file "vars" if you want it to be used as a configuration file. If you
|
|
# do not, it WILL NOT be automatically read when you call easyrsa commands.
|
|
#
|
|
# It is not necessary to use this config file unless you wish to change
|
|
# operational defaults. These defaults should be fine for many uses without
|
|
# the need to copy and edit the "vars" file.
|
|
#
|
|
# All of the editable settings are shown commented and start with the command
|
|
# "set_var" -- this means any set_var command that is uncommented has been
|
|
# modified by the user. If you are happy with a default, there is no need to
|
|
# define the value to its default.
|
|
|
|
# NOTES FOR WINDOWS USERS
|
|
#
|
|
# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
|
|
# backslashes (single forward slashes are recommended.) This means your path
|
|
# to the openssl binary might look like this:
|
|
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
|
|
|
|
# A little housekeeping: DO NOT EDIT THIS SECTION
|
|
#
|
|
# Easy-RSA 3.x does not source into the environment directly.
|
|
# Complain if a user tries to do this:
|
|
if [ -z "$EASYRSA_CALLER" ]; then
|
|
echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
|
|
echo "no longer necessary and is disallowed. See the section called" >&2
|
|
echo "*How to use this file* near the top comments for more details." >&2
|
|
return 1
|
|
fi
|
|
|
|
# DO YOUR EDITS BELOW THIS POINT
|
|
|
|
# This variable is used as the base location of configuration files needed by
|
|
# easyrsa. More specific variables for specific files (eg: EASYRSA_SSL_CONF)
|
|
# may override this default.
|
|
#
|
|
# The default value of this variable is the location of the easyrsa script
|
|
# itself, which is also where the configuration files are located in the
|
|
# easy-rsa tree.
|
|
#
|
|
#set_var EASYRSA "${0%/*}"
|
|
|
|
# If your OpenSSL command is not in the system PATH, you will need to define
|
|
# the path here. Normally this means a full path to the executable, otherwise
|
|
# you could have left it undefined here and the shown default would be used.
|
|
#
|
|
# Windows users, remember to use paths with forward-slashes (or escaped
|
|
# back-slashes.) Windows users should declare the full path to the openssl
|
|
# binary here if it is not in their system PATH.
|
|
#
|
|
#set_var EASYRSA_OPENSSL "openssl"
|
|
#
|
|
# This sample is in Windows syntax -- edit it for your path if not using PATH:
|
|
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
|
|
|
|
# Edit this variable to point to your soon-to-be-created key directory.
|
|
# By default, this will be "$PWD/pki" (ie: the "pki" subdirectory of the
|
|
# directory you are currently in).
|
|
#
|
|
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
|
|
# it correctly! Interactive mode will prompt before acting.
|
|
#
|
|
#set_var EASYRSA_PKI "$PWD/pki"
|
|
|
|
# Define directory for temporary subdirectories.
|
|
#
|
|
#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
|
|
|
|
# Define X509 DN mode.
|
|
#
|
|
# This is used to adjust which elements are included in the Subject field
|
|
# as the DN ("Distinguished Name"). Note that in 'cn_only' mode the
|
|
# Organizational fields, listed further below, are not used.
|
|
#
|
|
# Choices are:
|
|
# cn_only - Use just a commonName value.
|
|
# org - Use the "traditional" format:
|
|
# Country/Province/City/Org/Org.Unit/email/commonName
|
|
#
|
|
#set_var EASYRSA_DN "cn_only"
|
|
|
|
# Organizational fields (used with "org" mode and ignored in "cn_only" mode).
|
|
# These are the default values for fields which will be placed in the
|
|
# certificate. Do not leave any of these fields blank, although interactively
|
|
# you may omit any specific field by typing the "." symbol (not valid for
|
|
# email).
|
|
#
|
|
# NOTE: The following characters are not supported
|
|
# in these "Organizational fields" by Easy-RSA:
|
|
# back-tick (`)
|
|
#
|
|
#set_var EASYRSA_REQ_COUNTRY "US"
|
|
#set_var EASYRSA_REQ_PROVINCE "California"
|
|
#set_var EASYRSA_REQ_CITY "San Francisco"
|
|
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
|
|
#set_var EASYRSA_REQ_EMAIL "me@example.net"
|
|
#set_var EASYRSA_REQ_OU "My Organizational Unit"
|
|
|
|
# Set no password mode - This will create the entire PKI without passwords.
|
|
# This can be better managed by choosing which entity private keys should be
|
|
# encrypted with the following command line options:
|
|
# Global option '--no-pass' or command option 'nopass'.
|
|
#
|
|
#set_var EASYRSA_NO_PASS 1
|
|
|
|
# Choose a size in bits for your keypairs. The recommended value is 2048.
|
|
# Using 2048-bit keys is considered more than sufficient for many years into
|
|
# the future. Larger keysizes will slow down TLS negotiation and make key/DH
|
|
# param generation take much longer. Values up to 4096 should be accepted by
|
|
# most software. Only used when the crypto alg is rsa, see below.
|
|
#
|
|
#set_var EASYRSA_KEY_SIZE 2048
|
|
|
|
# The default crypto mode is rsa; ec can enable elliptic curve support.
|
|
# Note that not all software supports ECC, so use care when enabling it.
|
|
# Choices for crypto alg are: (each in lower-case)
|
|
# * rsa
|
|
# * ec
|
|
# * ed
|
|
#
|
|
#set_var EASYRSA_ALGO rsa
|
|
|
|
# Define the named curve, used in ec & ed modes:
|
|
#
|
|
#set_var EASYRSA_CURVE secp384r1
|
|
|
|
# In how many days should the root CA key expire?
|
|
#
|
|
#set_var EASYRSA_CA_EXPIRE 3650
|
|
|
|
# In how many days should certificates expire?
|
|
#
|
|
#set_var EASYRSA_CERT_EXPIRE 825
|
|
|
|
# How many days until the next CRL publish date? Note that the CRL can still
|
|
# be parsed after this timeframe passes. It is only used for an expected next
|
|
# publication date.
|
|
#
|
|
#set_var EASYRSA_CRL_DAYS 180
|
|
|
|
# Random serial numbers by default.
|
|
# Set to 'no' for the old incremental serial numbers.
|
|
#
|
|
#set_var EASYRSA_RAND_SN "yes"
|
|
|
|
# Cut-off window for checking expiring certificates.
|
|
#
|
|
#set_var EASYRSA_CERT_RENEW 90
|
|
|
|
# For fixed certificate start/end dates - Range 1..365
|
|
#
|
|
#set_var EASYRSA_FIX_OFFSET 1
|
|
|
|
# Support deprecated "Netscape" extensions? (choices "yes" or "no").
|
|
# The default is "no", to discourage use of deprecated extensions.
|
|
# If you require this feature to use with --ns-cert-type, set this to "yes".
|
|
# This support should be replaced with the more modern --remote-cert-tls
|
|
# feature. If you do not use --ns-cert-type in your configs, it is safe,
|
|
# and recommended, to leave this defined to "no".
|
|
# When set to "yes", server-signed certs get the nsCertType=server attribute
|
|
# and also get any NS_COMMENT defined below in the nsComment field.
|
|
#
|
|
#set_var EASYRSA_NS_SUPPORT "no"
|
|
|
|
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
|
|
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
|
|
#
|
|
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
|
|
|
|
# !!
|
|
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
|
|
# PLAY WITH THEM AT YOUR OWN RISK
|
|
# !!
|
|
|
|
# Broken shell command aliases: If you have a largely broken shell that is
|
|
# missing any of these POSIX-required commands used by Easy-RSA, you will need
|
|
# to define an alias to the proper path for the command. The symptom will be
|
|
# some form of a "command not found" error from your shell. This means your
|
|
# shell is BROKEN, but you can hack around it here if you really need. These
|
|
# shown values are not defaults: it is up to you to know what you are doing if
|
|
# you touch these.
|
|
#
|
|
#alias awk="/alt/bin/awk"
|
|
#alias cat="/alt/bin/cat"
|
|
|
|
# X509 extensions directory:
|
|
# If you want to customize the X509 extensions used, set the directory to look
|
|
# for extensions here. Each cert type you sign must have a matching filename,
|
|
# and an optional file named "COMMON" is included first when present. Note that
|
|
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
|
|
# fallback to $EASYRSA for the "x509-types" dir. You may override this
|
|
# detection with an explicit dir here.
|
|
#
|
|
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
|
|
|
|
# Non-functional
|
|
# If you want to generate KDC certificates, you need to set the realm here.
|
|
#
|
|
#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
|
|
|
|
# OpenSSL config file:
|
|
# If you need to use a specific openssl config file, you can reference it here.
|
|
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf
|
|
# from the EASYRSA_PKI or EASYRSA dir, in that order. NOTE that this file is
|
|
# Easy-RSA specific and you cannot just use a standard config file, so this is
|
|
# an advanced feature.
|
|
#
|
|
#set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
|
|
|
|
# Cryptographic digest to use.
|
|
# Do not change this default unless you understand the security implications.
|
|
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
|
|
#
|
|
#set_var EASYRSA_DIGEST "sha256"
|
|
|
|
# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
|
|
# in batch mode without any user input, confirmation on dangerous operations,
|
|
# or most output. Setting this to any non-blank string enables batch mode.
|
|
#
|
|
#set_var EASYRSA_BATCH ""
|