projects / vpn-prov.git / blame
| Commit | Line | Data |
|---|---|---|
| ac397a39 JR |
1 | # vim: ft=bash |
| 2 | # easy-rsa parameter settings | |
| 3 | ||
| 4 | # NOTE: If you installed from an RPM, | |
| 5 | # don't edit this file in place in | |
| 6 | # /usr/share/openvpn/easy-rsa -- | |
| 7 | # instead, you should copy the whole | |
| 8 | # easy-rsa directory to another location | |
| 9 | # (such as /etc/openvpn) so that your | |
| 10 | # edits will not be wiped out by a future | |
| 11 | # OpenVPN package upgrade. | |
| 12 | ||
| 13 | # This variable should point to | |
| 14 | # the top level of the easy-rsa | |
| 15 | # tree. | |
| 16 | export EASY_RSA="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" | |
| 17 | ||
| 18 | # | |
| 19 | # This variable should point to | |
| 20 | # the requested executables | |
| 21 | # | |
| 22 | export OPENSSL="openssl" | |
| 23 | export PKCS11TOOL="pkcs11-tool" | |
| 24 | export GREP="grep" | |
| 25 | ||
| 26 | ||
| 27 | # This variable should point to | |
| 28 | # the openssl.cnf file included | |
| 29 | # with easy-rsa. | |
| 30 | export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` | |
| 31 | ||
| 32 | # Edit this variable to point to | |
| 33 | # your soon-to-be-created key | |
| 34 | # directory. | |
| 35 | # | |
| 36 | # WARNING: clean-all will do | |
| 37 | # a rm -rf on this directory | |
| 38 | # so make sure you define | |
| 39 | # it correctly! | |
| 40 | export KEY_DIR="$EASY_RSA/keys" | |
| 41 | ||
| 42 | # PKCS11 fixes | |
| 43 | export PKCS11_MODULE_PATH="dummy" | |
| 44 | export PKCS11_PIN="dummy" | |
| 45 | ||
| 46 | # Increase this to 2048 if you | |
| 47 | # are paranoid. This will slow | |
| 48 | # down TLS negotiation performance | |
| 49 | # as well as the one-time DH parms | |
| 50 | # generation process. | |
| 51 | export KEY_SIZE=2048 | |
| 52 | ||
| 53 | # In how many days should the root CA key expire? | |
| 54 | export CA_EXPIRE=3650 | |
| 55 | ||
| 56 | # In how many days should certificates expire? | |
| 57 | export KEY_EXPIRE=90 | |
| 58 | export KEY_EXPIRE_SERVER=3650 | |
| 59 | ||
| 60 | # These are the default values for fields | |
| 61 | # which will be placed in the certificate. | |
| 62 | # Don't leave any of these fields blank. | |
| 63 | export KEY_COUNTRY="US" | |
| 64 | export KEY_PROVINCE="" | |
| 65 | export KEY_CITY="" | |
| 66 | export KEY_ORG="" | |
| 67 | export KEY_EMAIL="" | |
| 68 | #export KEY_OU="" #XXX set by script | |
| 69 | ||
| 70 | # X509 Subject Field | |
| 71 | export KEY_NAME="VPN-Prov" | |
| 72 | ||
| 73 | # PKCS11 Smart Card | |
| 74 | # export PKCS11_MODULE_PATH="/usr/lib/changeme.so" | |
| 75 | # export PKCS11_PIN=1234 | |
| 76 | ||
| 77 | # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below | |
| 78 | # You will also need to make sure your OpenVPN server config has the duplicate-cn option set | |
| 79 | #export KEY_CN="CommonName" # set by script, otherwise should be set by hand |