1 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-ca openvpn-2.2.0/easy-rsa/2.0/build-ca
2 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-ca 2011-04-06 18:05:52.000000000 +0200
3 +++ openvpn-2.2.0/easy-rsa/2.0/build-ca 2011-04-27 22:34:59.357652908 +0200
5 # Build a root certificate
8 -export EASY_RSA="${EASY_RSA:-.}"
9 -"$EASY_RSA/pkitool" --interact --initca $*
10 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
11 +/usr/sbin/pkitool --interact --initca $*
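Review bot: The unconditional `export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"` on the new line defeats the vars fallback this same patch adds to pkitool: pkitool only sources /etc/easy-rsa/vars when EASY_RSA is empty, and this wrapper guarantees it never is, so a caller who has not sourced vars beforehand presumably reaches pkitool with KEY_DIR/KEY_CONFIG unset and lands on the 'Please edit the vars script' message visible in the pkitool section. As far as the diff shows, that `-z` test is the only remaining consumer of EASY_RSA now that the wrapper no longer uses it to locate pkitool, so either drop the export and let pkitool source vars itself, or source it here with `[ -n "$KEY_DIR" ] || . "${EASY_RSA:-/etc/easy-rsa}/vars"`. The same pair of lines is repeated in build-inter, build-key, build-key-pass, build-key-pkcs12, build-key-server, build-req, build-req-pass and sign-req. While the call line is being rewritten, `"$@"` in place of `$*` keeps arguments containing whitespace intact.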
12 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-dh openvpn-2.2.0/easy-rsa/2.0/build-dh
13 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-dh 2011-04-06 18:05:52.000000000 +0200
14 +++ openvpn-2.2.0/easy-rsa/2.0/build-dh 2011-04-27 22:36:11.867656490 +0200
16 # Build Diffie-Hellman parameters for the server side
17 # of an SSL/TLS connection.
19 +if [ -z "$EASY_RSA" ]; then
20 + . /etc/easy-rsa/vars
23 if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
24 - $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
25 + openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
27 echo 'Please source the vars script first (i.e. "source ./vars")'
28 echo 'Make sure you have edited it to reflect your configuration.'
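Review bot: The rewritten `openssl dhparam` line keeps every expansion unquoted, so a KEY_DIR containing whitespace splits the command; since the line is being touched anyway, `openssl dhparam -out "${KEY_DIR}/dh${KEY_SIZE}.pem" "${KEY_SIZE}"` is the safe form. The else-branch hint `source ./vars` is also stale now that the file lives in /etc/easy-rsa and is sourced automatically; `echo 'Please source the vars script first (i.e. "source /etc/easy-rsa/vars")'` would match the new layout. The same stale hint appears in list-crl and revoke-full.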
29 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-inter openvpn-2.2.0/easy-rsa/2.0/build-inter
30 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-inter 2011-04-06 18:05:52.000000000 +0200
31 +++ openvpn-2.2.0/easy-rsa/2.0/build-inter 2011-04-27 22:37:59.789289422 +0200
33 # Make an intermediate CA certificate/private key pair using a locally generated
36 -export EASY_RSA="${EASY_RSA:-.}"
37 -"$EASY_RSA/pkitool" --interact --inter $*
38 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
39 +/usr/sbin/pkitool --interact --inter $*
40 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key openvpn-2.2.0/easy-rsa/2.0/build-key
41 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-key 2011-04-06 18:05:52.000000000 +0200
42 +++ openvpn-2.2.0/easy-rsa/2.0/build-key 2011-04-27 22:38:35.330924876 +0200
44 # Make a certificate/private key pair using a locally generated
47 -export EASY_RSA="${EASY_RSA:-.}"
48 -"$EASY_RSA/pkitool" --interact $*
49 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
50 +/usr/sbin/pkitool --interact $*
51 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass openvpn-2.2.0/easy-rsa/2.0/build-key-pass
52 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass 2011-04-06 18:05:52.000000000 +0200
53 +++ openvpn-2.2.0/easy-rsa/2.0/build-key-pass 2011-04-27 22:39:23.919827311 +0200
55 # Similar to build-key, but protect the private key
58 -export EASY_RSA="${EASY_RSA:-.}"
59 -"$EASY_RSA/pkitool" --interact --pass $*
60 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
61 +/usr/sbin/pkitool --interact --pass $*
62 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12
63 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 2011-04-06 18:05:52.000000000 +0200
64 +++ openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12 2011-04-27 22:40:10.288627524 +0200
66 # root certificate and convert it to a PKCS #12 file including the
67 # the CA certificate as well.
69 -export EASY_RSA="${EASY_RSA:-.}"
70 -"$EASY_RSA/pkitool" --interact --pkcs12 $*
71 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
72 +/usr/sbin/pkitool --interact --pkcs12 $*
73 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server openvpn-2.2.0/easy-rsa/2.0/build-key-server
74 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server 2011-04-06 18:05:52.000000000 +0200
75 +++ openvpn-2.2.0/easy-rsa/2.0/build-key-server 2011-04-27 22:41:24.715385295 +0200
77 # Explicitly set nsCertType to server using the "server"
78 # extension in the openssl.cnf file.
80 -export EASY_RSA="${EASY_RSA:-.}"
81 -"$EASY_RSA/pkitool" --interact --server $*
82 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
83 +/usr/sbin/pkitool --interact --server $*
84 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req openvpn-2.2.0/easy-rsa/2.0/build-req
85 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-req 2011-04-06 18:05:52.000000000 +0200
86 +++ openvpn-2.2.0/easy-rsa/2.0/build-req 2011-04-27 22:41:59.636992013 +0200
88 # Build a certificate signing request and private key. Use this
89 # when your root certificate and key is not available locally.
91 -export EASY_RSA="${EASY_RSA:-.}"
92 -"$EASY_RSA/pkitool" --interact --csr $*
93 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
94 +/usr/sbin/pkitool --interact --csr $*
95 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass openvpn-2.2.0/easy-rsa/2.0/build-req-pass
96 --- openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass 2011-04-06 18:05:52.000000000 +0200
97 +++ openvpn-2.2.0/easy-rsa/2.0/build-req-pass 2011-04-27 22:43:36.938135257 +0200
99 # Like build-req, but protect your private key
102 -export EASY_RSA="${EASY_RSA:-.}"
103 -"$EASY_RSA/pkitool" --interact --csr --pass $*
104 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
105 +/usr/sbin/pkitool --interact --csr --pass $*
106 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/clean-all openvpn-2.2.0/easy-rsa/2.0/clean-all
107 --- openvpn-2.2.0-orig/easy-rsa/2.0/clean-all 2011-04-06 18:05:52.000000000 +0200
108 +++ openvpn-2.2.0/easy-rsa/2.0/clean-all 2011-04-27 22:44:36.544210785 +0200
110 # Note that this script does a
111 # rm -rf on $KEY_DIR so be careful!
113 +if [ -z "$EASY_RSA" ]; then
114 + . /etc/easy-rsa/vars
117 if [ "$KEY_DIR" ]; then
119 mkdir "$KEY_DIR" && \
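Review bot: With vars now sourced automatically when EASY_RSA is unset, a bare `clean-all` invocation removes the system key directory (/etc/easy-rsa/keys, per the EASY_RSA and KEY_DIR defaults in the vars section) with no notice at all, because the `NOTE: ... rm -rf on $KEY_DIR` echo that used to print whenever vars was sourced is deleted at the end of this diff and nothing in clean-all replaces it. The deletion itself is the one the header comment warns about, in the unchanged lines right after the added block. A one-line notice before it, e.g. `echo "NOTE: removing $KEY_DIR" >&2`, or an explicit confirmation prompt, restores the safeguard that was dropped; `rm -rf -- "${KEY_DIR:?}"` additionally guards the empty-variable case should the surrounding test ever change.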
120 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter openvpn-2.2.0/easy-rsa/2.0/inherit-inter
121 --- openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter 2011-04-06 18:05:52.000000000 +0200
122 +++ openvpn-2.2.0/easy-rsa/2.0/inherit-inter 2011-04-27 22:45:20.809580498 +0200
124 # To build an intermediate CA, follow the same steps for a regular PKI but
125 # replace ./build-key or ./pkitool --initca with this script.
127 +if [ -z "$EASY_RSA" ]; then
128 + . /etc/easy-rsa/vars
131 # The EXPORT_CA file will contain the CA certificate chain and should be
132 # referenced by the OpenVPN "ca" directive in config files. The ca.crt file
133 # will only contain the local intermediate CA -- it's needed by the easy-rsa
134 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/list-crl openvpn-2.2.0/easy-rsa/2.0/list-crl
135 --- openvpn-2.2.0-orig/easy-rsa/2.0/list-crl 2011-04-06 18:05:52.000000000 +0200
136 +++ openvpn-2.2.0/easy-rsa/2.0/list-crl 2011-04-27 22:46:23.149114937 +0200
139 # list revoked certificates
141 +if [ -z "$EASY_RSA" ]; then
142 + . /etc/easy-rsa/vars
147 if [ "$KEY_DIR" ]; then
149 - $OPENSSL crl -text -noout -in "$CRL"
150 + openssl crl -text -noout -in "$CRL"
152 echo 'Please source the vars script first (i.e. "source ./vars")'
153 echo 'Make sure you have edited it to reflect your configuration.'
154 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/pkitool openvpn-2.2.0/easy-rsa/2.0/pkitool
155 --- openvpn-2.2.0-orig/easy-rsa/2.0/pkitool 2011-04-06 18:05:52.000000000 +0200
156 +++ openvpn-2.2.0/easy-rsa/2.0/pkitool 2011-04-27 22:53:35.735697923 +0200
161 +if [ -z "$EASY_RSA" ]; then
162 + . /etc/easy-rsa/vars
167 echo ' Please edit the vars script to reflect your configuration,'
168 @@ -172,16 +176,16 @@
169 if [ -z "$PKCS11_LABEL" ]; then
170 die "Please specify library name, slot and label"
172 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
173 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
174 --label "$PKCS11_LABEL" &&
175 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
176 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
179 PKCS11_MODULE_PATH="$2"
180 if [ -z "$PKCS11_MODULE_PATH" ]; then
181 die "Please specify library name"
183 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
184 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots
187 PKCS11_MODULE_PATH="$2"
189 if [ -z "$PKCS11_SLOT" ]; then
190 die "Please specify library name and slot"
192 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
193 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
200 if ! [ -z "$BATCH" ]; then
201 - if $OPENSSL version | grep 0.9.6 > /dev/null; then
202 + if openssl version | grep 0.9.6 > /dev/null; then
203 die "Batch mode is unsupported in openssl<0.9.7"
208 # Make sure $KEY_CONFIG points to the correct version
210 - if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
211 + if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
214 echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
218 if [ $DO_ROOT -eq 1 ]; then
219 - $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
220 + openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
221 -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
227 echo "Generating key pair on PKCS#11 token..."
228 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
229 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \
230 --login --pin "$PKCS11_PIN" \
231 --key-type rsa:1024 \
232 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
233 @@ -353,19 +357,19 @@
237 - ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
238 + ( [ $DO_REQ -eq 0 ] || openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
239 -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
240 - ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
241 + ( [ $DO_CA -eq 0 ] || openssl ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
242 -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
243 - ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
244 + ( [ $DO_P12 -eq 0 ] || openssl pkcs12 -export -inkey "$FN.key" \
245 -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
246 ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
247 ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
249 # Load certificate into PKCS#11 token
250 if [ $DO_P11 -eq 1 ]; then
251 - $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
252 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
253 + openssl x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
254 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
255 --login --pin "$PKCS11_PIN" \
256 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
257 [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
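Review bot: The rewritten `openssl req` line in the first hunk and the `openssl ca` line in the second still select SHA-1 (`-sha1` on the req line, `-md sha1` on the ca continuation line), so every CA and leaf certificate this tool issues carries a SHA-1 signature; as these invocations are being edited anyway, `-sha256` and `-md sha256` work on any OpenSSL from 0.9.8 on and the 0.9.6 check above already excludes anything older than 0.9.7. The `pkcs11-tool` calls rewritten in both hunks also keep `--pin "$PKCS11_PIN"` on the command line, which exposes the PIN to other local users through the process list for as long as the tool runs. Where interactive use is acceptable, `--login` without `--pin` lets pkcs11-tool prompt for it instead.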
258 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full openvpn-2.2.0/easy-rsa/2.0/revoke-full
259 --- openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full 2011-04-06 18:05:52.000000000 +0200
260 +++ openvpn-2.2.0/easy-rsa/2.0/revoke-full 2011-04-27 22:56:07.449351374 +0200
262 # revoke a certificate, regenerate CRL,
263 # and verify revocation
265 +if [ -z "$EASY_RSA" ]; then
266 + . /etc/easy-rsa/vars
275 # revoke key and generate a new CRL
276 - $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
277 + openssl ca -revoke "$1" -config "$KEY_CONFIG"
279 # generate a new CRL -- try to be compatible with
281 - $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
282 + openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
283 if [ -e export-ca.crt ]; then
284 cat export-ca.crt "$CRL" >"$RT"
289 # verify the revocation
290 - $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
291 + openssl verify -CAfile "$RT" -crl_check "$1"
293 echo 'Please source the vars script first (i.e. "source ./vars")'
294 echo 'Make sure you have edited it to reflect your configuration.'
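Review bot: Changing `"$1.crt"` to `"$1"` on the `openssl ca -revoke` and `openssl verify` lines silently turns the script's argument from a key name into a certificate path, and nothing in this hunk updates the usage text or documents the new convention. If the script still does `cd "$KEY_DIR"` before these lines (that part is outside the hunk), a relative path given by the caller is resolved under KEY_DIR rather than the caller's working directory, so the revoke fails for the natural `revoke-full ./client1.crt` invocation. Either keep the original `"$1.crt"` convention, or normalize the argument before the directory change, e.g. `case $1 in /*) CERT=$1 ;; *) CERT=$PWD/$1 ;; esac` and use `"$CERT"` on both lines.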
295 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/sign-req openvpn-2.2.0/easy-rsa/2.0/sign-req
296 --- openvpn-2.2.0-orig/easy-rsa/2.0/sign-req 2011-04-06 18:05:52.000000000 +0200
297 +++ openvpn-2.2.0/easy-rsa/2.0/sign-req 2011-04-27 22:56:46.124465700 +0200
299 # Sign a certificate signing request (a .csr file)
300 # with a local root certificate and key.
302 -export EASY_RSA="${EASY_RSA:-.}"
303 -"$EASY_RSA/pkitool" --interact --sign $*
304 +export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
305 +/usr/sbin/pkitool --interact --sign $*
306 diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/vars openvpn-2.2.0/easy-rsa/2.0/vars
307 --- openvpn-2.2.0-orig/easy-rsa/2.0/vars 2010-10-21 11:18:17.000000000 +0200
308 +++ openvpn-2.2.0/easy-rsa/2.0/vars 2011-04-27 22:58:41.789791888 +0200
310 # This variable should point to
311 # the top level of the easy-rsa
313 -export EASY_RSA="`pwd`"
316 -# This variable should point to
317 -# the requested executables
319 -export OPENSSL="openssl"
320 -export PKCS11TOOL="pkcs11-tool"
323 +export EASY_RSA="/etc/easy-rsa"
325 # This variable should point to
326 # the openssl.cnf file included
328 -export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
329 +export KEY_CONFIG="$EASY_RSA/openssl.cnf"
331 # Edit this variable to point to
332 # your soon-to-be-created key
335 export KEY_DIR="$EASY_RSA/keys"
337 -# Issue rm -rf warning
338 -echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
341 export PKCS11_MODULE_PATH="dummy"
342 export PKCS11_PIN="dummy"