Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Súbory Issues 0 Pull requesty 0 Wiki
Branch: master
Branche Tagy
csu3_am335x
/
EVSE
/
GPL
/
openvpn-2.4.9
/
sample
/
sample-keys
/
gen-sample-keys.sh

gen-sample-keys.sh 4.3 KB
Permanentný odkaz História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103 
  1. #!/bin/sh
    2. 

  2. #
    3. 

  3. # Run this script to set up a test CA, and test key-certificate pair for a
    4. 

  4. # server, and various clients.
    5. 

  5. #
    6. 

  6. # Copyright (C) 2014 Steffan Karger <steffan@karger.me>
    7. 

  7. set -eu
    8. 

  8. 

  9. command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; }
    10. 

  10. 

  11. if [ ! -f openssl.cnf ]
    12. 

  12. then
    13. 

  13.     echo "Please run this script from the sample directory"
    14. 

  14.     exit 1
    15. 

  15. fi
    16. 

  16. 

  17. # Generate static key for tls-auth (or static key mode)
    18. 

  18. $(dirname ${0})/../../src/openvpn/openvpn --genkey --secret ta.key
    19. 

  19. 

  20. # Create required directories and files
    21. 

  21. mkdir -p sample-ca
    22. 

  22. rm -f sample-ca/index.txt
    23. 

  23. touch sample-ca/index.txt
    24. 

  24. echo "01" > sample-ca/serial
    25. 

  25. 

  26. # Generate CA key and cert
    27. 

  27. openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
    28. 

  28.     -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
    29. 

  29.     -subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain" \
    30. 

  30.     -config openssl.cnf
    31. 

  31. 

  32. # Create server key and cert
    33. 

  33. openssl req -new -nodes -config openssl.cnf -extensions server \
    34. 

  34.     -keyout sample-ca/server.key -out sample-ca/server.csr \
    35. 

  35.     -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain"
    36. 

  36. openssl ca -batch -config openssl.cnf -extensions server \
    37. 

  37.     -out sample-ca/server.crt -in sample-ca/server.csr
    38. 

  38. 

  39. # Create client key and cert
    40. 

  40. openssl req -new -nodes -config openssl.cnf \
    41. 

  41.     -keyout sample-ca/client.key -out sample-ca/client.csr \
    42. 

  42.     -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain"
    43. 

  43. openssl ca -batch -config openssl.cnf \
    44. 

  44.     -out sample-ca/client.crt -in sample-ca/client.csr
    45. 

  45. 

  46. # Create password protected key file
    47. 

  47. openssl rsa -aes256 -passout pass:password \
    48. 

  48.     -in sample-ca/client.key -out sample-ca/client-pass.key
    49. 

  49. 

  50. # Create pkcs#12 client bundle
    51. 

  51. openssl pkcs12 -export -nodes -password pass:password \
    52. 

  52.     -out sample-ca/client.p12 -inkey sample-ca/client.key \
    53. 

  53.     -in sample-ca/client.crt -certfile sample-ca/ca.crt
    54. 

  54. 

  55. # Create a client cert, revoke it, generate CRL
    56. 

  56. openssl req -new -nodes -config openssl.cnf \
    57. 

  57.     -keyout sample-ca/client-revoked.key -out sample-ca/client-revoked.csr \
    58. 

  58.     -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=client-revoked/emailAddress=me@myhost.mydomain"
    59. 

  59. openssl ca -batch -config openssl.cnf \
    60. 

  60.     -out sample-ca/client-revoked.crt -in sample-ca/client-revoked.csr
    61. 

  61. openssl ca -config openssl.cnf -revoke sample-ca/client-revoked.crt
    62. 

  62. openssl ca -config openssl.cnf -gencrl -out sample-ca/ca.crl
    63. 

  63. 

  64. # Create DSA server and client cert (signed by 'regular' RSA CA)
    65. 

  65. openssl dsaparam -out sample-ca/dsaparams.pem 2048
    66. 

  66. 

  67. openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \
    68. 

  68.     -extensions server \
    69. 

  69.     -keyout sample-ca/server-dsa.key -out sample-ca/server-dsa.csr \
    70. 

  70.     -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-DSA/emailAddress=me@myhost.mydomain"
    71. 

  71. openssl ca -batch -config openssl.cnf -extensions server \
    72. 

  72.     -out sample-ca/server-dsa.crt -in sample-ca/server-dsa.csr
    73. 

  73. 

  74. openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \
    75. 

  75.     -keyout sample-ca/client-dsa.key -out sample-ca/client-dsa.csr \
    76. 

  76.     -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-DSA/emailAddress=me@myhost.mydomain"
    77. 

  77. openssl ca -batch -config openssl.cnf \
    78. 

  78.     -out sample-ca/client-dsa.crt -in sample-ca/client-dsa.csr
    79. 

  79. 

  80. # Create EC server and client cert (signed by 'regular' RSA CA)
    81. 

  81. openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1
    82. 

  82. 

  83. openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
    84. 

  84.     -extensions server \
    85. 

  85.     -keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \
    86. 

  86.     -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me@myhost.mydomain"
    87. 

  87. openssl ca -batch -config openssl.cnf -extensions server \
    88. 

  88.     -out sample-ca/server-ec.crt -in sample-ca/server-ec.csr
    89. 

  89. 

  90. openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
    91. 

  91.     -keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \
    92. 

  92.     -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me@myhost.mydomain"
    93. 

  93. openssl ca -batch -config openssl.cnf \
    94. 

  94.     -out sample-ca/client-ec.crt -in sample-ca/client-ec.csr
    95. 

  95. 

  96. # Generate DH parameters
    97. 

  97. openssl dhparam -out dh2048.pem 2048
    98. 

  98. 

  99. # Copy keys and certs to working directory
    100. 

  100. cp sample-ca/*.key .
    101. 

  101. cp sample-ca/*.crt .
    102. 

  102. cp sample-ca/*.p12 .
    103. 

  103. cp sample-ca/*.crl .
    104.