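--- openvpn-2.1_rc4/easy-rsa/2.0/build-ca 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-ca 2007-09-18 14:08:03.688714502 +0300
 # Build a root certificate
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --initca $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --initca $*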
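Review bot: Exporting `EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"` right before calling `/usr/sbin/pkitool` appears to defeat the auto-sourcing this same patch adds to pkitool, which reads `/etc/easy-rsa/vars` only when EASY_RSA is empty; run without a manually sourced vars, the wrapper hands pkitool a non-empty EASY_RSA and no KEY_DIR, so it presumably lands in the "Please edit the vars script" branch. Either drop the export from the wrappers or have pkitool source the file whenever KEY_DIR is unset, e.g. `[ -z "$KEY_DIR" ] && . "${EASY_RSA:-/etc/easy-rsa}/vars"`. The absolute `/usr/sbin/pkitool` also ignores EASY_RSA entirely, so an overridable `"${PKITOOL:-/usr/sbin/pkitool}" --interact --initca "$@"` (PKITOOL is a constructed name) would keep the packaged default without pinning the path, and since the line is being rewritten `$*` should become `"$@"` so arguments containing whitespace arrive intact. The same points apply to build-inter, build-key, build-key-pass, build-key-pkcs12, build-key-server, build-req, build-req-pass and sign-req.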
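--- openvpn-2.1_rc4/easy-rsa/2.0/build-dh 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-dh 2007-09-18 14:08:03.688714502 +0300
 # Build Diffie-Hellman parameters for the server side
 # of an SSL/TLS connection.
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
 if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
- $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+ openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
 echo 'Please source the vars script first (i.e. "source ./vars")'
 echo 'Make sure you have edited it to reflect your configuration.'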
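Review bot: The `. /etc/easy-rsa/vars` added here has no existence check, and the unchanged else-branch still tells the user to `source ./vars`, a location this patch moves to `/etc/easy-rsa/vars`. Guarding the source, `[ -r /etc/easy-rsa/vars ] && . /etc/easy-rsa/vars`, and naming the new path in the message would keep the failure mode understandable; whether a missing sourced file aborts the script or is merely reported differs between shells, so the guard is worth having. The closing `fi` of the new block and the `else` are outside the shown lines. The same stale message survives in list-crl and revoke-full, and the same unguarded source is added to clean-all, inherit-inter and pkitool.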
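--- openvpn-2.1_rc4/easy-rsa/2.0/build-inter 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-inter 2007-09-18 14:08:03.688714502 +0300
 # Make an intermediate CA certificate/private key pair using a locally generated
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --inter $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --inter $*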
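--- openvpn-2.1_rc4/easy-rsa/2.0/build-key 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key 2007-09-18 14:08:03.688714502 +0300
 # Make a certificate/private key pair using a locally generated
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact $*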
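--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-pass 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-pass 2007-09-18 14:08:03.688714502 +0300
 # Similar to build-key, but protect the private key
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pass $*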
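--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-pkcs12 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-pkcs12 2007-09-18 14:08:03.698714729 +0300
 # Make a certificate/private key pair using a locally generated
 # root certificate and convert it to a PKCS #12 file including the
 # the CA certificate as well.
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pkcs12 $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pkcs12 $*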
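--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-server 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-server 2007-09-18 14:08:03.698714729 +0300
 # Make a certificate/private key pair using a locally generated
 # Explicitly set nsCertType to server using the "server"
 # extension in the openssl.cnf file.
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --server $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --server $*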
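--- openvpn-2.1_rc4/easy-rsa/2.0/build-req 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-req 2007-09-18 14:08:03.698714729 +0300
 # Build a certificate signing request and private key. Use this
 # when your root certificate and key is not available locally.
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr $*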
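--- openvpn-2.1_rc4/easy-rsa/2.0/build-req-pass 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-req-pass 2007-09-18 14:08:03.698714729 +0300
 # Like build-req, but protect your private key
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr --pass $*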
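--- openvpn-2.1_rc4/easy-rsa/2.0/clean-all 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/clean-all 2007-09-18 14:08:03.698714729 +0300
 # Initialize the $KEY_DIR directory.
 # Note that this script does a
 # rm -rf on $KEY_DIR so be careful!
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
 if [ "$KEY_DIR" ]; then
 mkdir "$KEY_DIR" && \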
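Review bot: Auto-sourcing `/etc/easy-rsa/vars` here, combined with this patch's deletion of the rm -rf warning from vars further down, means clean-all can now be run from any directory with no prompt and no notice before it empties the system-wide `$KEY_DIR` (its own header says it does rm -rf on that directory); previously the user had to source vars deliberately and saw the warning at that moment. A confirmation inside clean-all restores that safeguard: `printf 'About to rm -rf %s; continue? [y/N] ' "$KEY_DIR"`, `read -r answer`, `[ "$answer" = y ] || exit 1`, placed before the removal. The rm -rf line itself and the closing `fi` of the new block are outside the shown lines.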
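--- openvpn-2.1_rc4/easy-rsa/2.0/inherit-inter 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/inherit-inter 2007-09-18 14:08:03.698714729 +0300
 # Build a new PKI which is rooted on an intermediate certificate generated
 # by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
 # To build an intermediate CA, follow the same steps for a regular PKI but
 # replace ./build-key or ./pkitool --initca with this script.
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
 # The EXPORT_CA file will contain the CA certificate chain and should be
 # referenced by the OpenVPN "ca" directive in config files. The ca.crt file
 # will only contain the local intermediate CA -- it's needed by the easy-rsa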
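--- openvpn-2.1_rc4/easy-rsa/2.0/list-crl 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/list-crl 2007-09-18 14:08:03.698714729 +0300
 # list revoked certificates
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
 if [ "$KEY_DIR" ]; then
- $OPENSSL crl -text -noout -in "$CRL"
+ openssl crl -text -noout -in "$CRL"
 echo 'Please source the vars script first (i.e. "source ./vars")'
 echo 'Make sure you have edited it to reflect your configuration.'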
184 --- openvpn-2.1_rc4/easy-rsa/2.0/pkitool 2007-04-26 00:38:44.000000000 +0300
185 +++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/pkitool 2007-09-18 14:08:59.219977182 +0300
190 +if [ -z "$EASY_RSA" ]; then
191 + . /etc/easy-rsa/vars
196 echo ' Please edit the vars script to reflect your configuration,'
197 @@ -164,16 +168,16 @@
198 if [ -z "$PKCS11_LABEL" ]; then
199 die "Please specify library name, slot and label"
201 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
202 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
203 --label "$PKCS11_LABEL" &&
204 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
205 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
208 PKCS11_MODULE_PATH="$2"
209 if [ -z "$PKCS11_MODULE_PATH" ]; then
210 die "Please specify library name"
212 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
213 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots
216 PKCS11_MODULE_PATH="$2"
218 if [ -z "$PKCS11_SLOT" ]; then
219 die "Please specify library name and slot"
221 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
222 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
229 if ! [ -z "$BATCH" ]; then
230 - if $OPENSSL version | grep 0.9.6 > /dev/null; then
231 + if openssl version | grep 0.9.6 > /dev/null; then
232 die "Batch mode is unsupported in openssl<0.9.7"
237 # Make sure $KEY_CONFIG points to the correct version
239 - if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
240 + if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
243 echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
247 if [ $DO_ROOT -eq 1 ]; then
248 - $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
249 + openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
250 -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
256 echo "Generating key pair on PKCS#11 token..."
257 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
258 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \
259 --login --pin "$PKCS11_PIN" \
260 --key-type rsa:1024 \
261 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
262 @@ -327,19 +331,19 @@
266 - ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
267 + ( [ $DO_REQ -eq 0 ] || openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
268 -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
269 - ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
270 + ( [ $DO_CA -eq 0 ] || openssl ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
271 -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
272 - ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
273 + ( [ $DO_P12 -eq 0 ] || openssl pkcs12 -export -inkey "$KEY_CN.key" \
274 -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
275 ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \
276 ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
278 # Load certificate into PKCS#11 token
279 if [ $DO_P11 -eq 1 ]; then
280 - $OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
281 - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
282 + openssl x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
283 + pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
284 --login --pin "$PKCS11_PIN" \
285 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
286 [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
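Review bot: Replacing `$OPENSSL`, `$PKCS11TOOL` and `$GREP` with bare `openssl`, `pkcs11-tool` and `grep` throughout these hunks, while the same patch deletes the corresponding exports from vars, removes the only way to pin which binaries a root-run PKI tool executes; they are now whatever PATH resolves for the caller. `${OPENSSL:-openssl}` and `${PKCS11TOOL:-pkcs11-tool}` keep the packaged default and the override at no cost, and the same substitution applies to build-dh, list-crl and revoke-full. The KEY_CONFIG check below the "Make sure $KEY_CONFIG points to the correct version" comment still greps only the easy-rsa tag; now that vars pins KEY_CONFIG to a single `$EASY_RSA/openssl.cnf` instead of the whichopensslcnf selector, the shipped config presumably has to match the installed OpenSSL, which deserves a comment there such as `# KEY_CONFIG is fixed by /etc/easy-rsa/vars; the packaged openssl.cnf must match the installed openssl version`. Every hunk in this file sits inside functions or branches that start and end outside the shown lines.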
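--- openvpn-2.1_rc4/easy-rsa/2.0/revoke-full 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/revoke-full 2007-09-18 14:08:03.698714729 +0300
 # revoke a certificate, regenerate CRL,
 # and verify revocation
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
 # revoke key and generate a new CRL
- $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+ openssl ca -revoke "$1" -config "$KEY_CONFIG"
 # generate a new CRL -- try to be compatible with
- $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+ openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
 if [ -e export-ca.crt ]; then
 cat export-ca.crt "$CRL" >"$RT"
 # verify the revocation
- $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+ openssl verify -CAfile "$RT" -crl_check "$1"
 echo 'Please source the vars script first (i.e. "source ./vars")'
 echo 'Make sure you have edited it to reflect your configuration.'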
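Review bot: Changing `-revoke "$1.crt"` and `-crl_check "$1.crt"` to `"$1"` silently alters the script's argument from a certificate name (the `$KEY_CN.crt` convention pkitool uses) to a file path, and nothing in the hunk validates it or documents the new contract; an old-style invocation now fails inside `openssl ca` with a missing-file error after vars has already been sourced. A guard before the first openssl call makes the contract explicit, `[ -f "$1" ] || { echo "usage: $0 <certificate.crt>" >&2; exit 1; }`, and the header comment should state it, e.g. `# usage: revoke-full <path to certificate .crt>`. The enclosing `if [ "$KEY_DIR" ]` branch begins outside the shown lines.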
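--- openvpn-2.1_rc4/easy-rsa/2.0/sign-req 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/sign-req 2007-09-18 14:08:03.698714729 +0300
 # Sign a certificate signing request (a .csr file)
 # with a local root certificate and key.
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --sign $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --sign $*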
337 --- openvpn-2.1_rc4/easy-rsa/2.0/vars 2007-04-26 00:38:44.000000000 +0300
338 +++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/vars 2007-09-18 14:08:03.698714729 +0300
340 # This variable should point to
341 # the top level of the easy-rsa
343 -export EASY_RSA="`pwd`"
346 -# This variable should point to
347 -# the requested executables
349 -export OPENSSL="openssl"
350 -export PKCS11TOOL="pkcs11-tool"
353 +export EASY_RSA="/etc/easy-rsa"
355 # This variable should point to
356 # the openssl.cnf file included
358 -export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
359 +export KEY_CONFIG="$EASY_RSA/openssl.cnf"
361 # Edit this variable to point to
362 # your soon-to-be-created key
365 export KEY_DIR="$EASY_RSA/keys"
367 -# Issue rm -rf warning
368 -echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
371 export PKCS11_MODULE_PATH="dummy"
372 export PKCS11_PIN="dummy"