--- /dev/null
+OpenVPN (TM) -- An Open Source VPN daemon
+
+Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+
+This distribution contains multiple components, some
+of which fall under different licenses. By using OpenVPN
+or any of the bundled components enumerated below, you
+agree to be bound by the conditions of the license for
+each respective component.
+
+OpenVPN trademark
+-----------------
+
+ "OpenVPN" is a trademark of OpenVPN Technologies, Inc.
+
+
+OpenVPN license:
+----------------
+
+ OpenVPN is distributed under the GPL license version 2 (see Below).
+
+ Special exception for linking OpenVPN with OpenSSL:
+
+ In addition, as a special exception, OpenVPN Technologies, Inc. gives
+ permission to link the code of this program with the OpenSSL
+ library (or with modified versions of OpenSSL that use the same
+ license as OpenSSL), and distribute linked combinations including
+ the two. You must obey the GNU General Public License in all
+ respects for all of the code used other than OpenSSL. If you modify
+ this file, you may extend this exception to your version of the
+ file, but you are not obligated to do so. If you do not wish to
+ do so, delete this exception statement from your version.
+
+GNU Public License (GPL)
+------------------------
+
+ OpenVPN, LZO, and the TAP-Win32 distributions are
+ licensed under the GPL version 2 (see COPYRIGHT.GPL).
+
+ In the Windows binary distribution of OpenVPN, the
+ GPL is reproduced below.
+
--- /dev/null
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+\f
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+\f
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+\f
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+\f
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+\f
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2
+ as published by the Free Software Foundation.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- /dev/null
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*
--- /dev/null
+#!/bin/sh
+
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+ $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
--- /dev/null
+#!/bin/sh
+
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*
--- /dev/null
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*
--- /dev/null
+#!/bin/sh
+
+# Similar to build-key, but protect the private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*
--- /dev/null
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*
--- /dev/null
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*
--- /dev/null
+#!/bin/sh
+
+# Build a certificate signing request and private key. Use this
+# when your root certificate and key is not available locally.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*
--- /dev/null
+#!/bin/sh
+
+# Like build-req, but protect your private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*
--- /dev/null
+#!/bin/sh
+
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+
+if [ "$KEY_DIR" ]; then
+ rm -rf "$KEY_DIR"
+ mkdir "$KEY_DIR" && \
+ chmod go-rwx "$KEY_DIR" && \
+ touch "$KEY_DIR/index.txt" && \
+ echo 01 >"$KEY_DIR/serial"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
--- /dev/null
+#!/bin/sh
+
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent. This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+
+if [ $# -ne 2 ]; then
+ echo "usage: $0 <parent-key-dir> <common-name>"
+ echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+ echo "common-name: the common name of the intermediate certificate in the parent PKI"
+ exit 1;
+fi
+
+if [ "$KEY_DIR" ]; then
+ cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+ cp "$1/$2.key" "$KEY_DIR/ca.key"
+
+ if [ -e "$1/$EXPORT_CA" ]; then
+ PARENT_CA="$1/$EXPORT_CA"
+ else
+ PARENT_CA="$1/ca.crt"
+ fi
+ cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+ cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
--- /dev/null
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=TX, L=Austin, O=VPSM, OU=VPSM, CN=ca.vpsm/name=VPSM/emailAddress=cert@vpsm.net
+ Validity
+ Not Before: Jun 22 16:11:16 2013 GMT
+ Not After : Jun 20 16:11:16 2023 GMT
+ Subject: C=US, ST=TX, L=Austin, O=VPSM, OU=VPSM, CN=master.vpsm/name=VPSM/emailAddress=cert@vpsm.net
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:cb:07:17:41:97:e1:c5:62:46:59:40:98:fc:fe:
+ 96:00:51:07:3d:d1:83:06:a0:61:c3:57:c2:19:9a:
+ 04:62:97:52:b2:7e:45:83:b2:f6:5f:b5:12:a5:b5:
+ ef:b8:ab:58:97:76:99:8d:51:54:21:83:1e:80:d5:
+ a6:73:91:c8:32:08:7c:b9:ab:50:89:44:ae:a0:59:
+ 92:90:04:24:5f:bd:74:41:61:bb:8f:e7:60:77:ac:
+ 1b:13:15:09:ab:73:ed:51:0d:e9:e6:f4:c9:ff:81:
+ 7a:25:f2:ef:38:16:1a:59:28:1f:1a:ba:9f:6e:69:
+ c4:c5:83:01:03:83:49:13:fb:7d:bc:23:8d:e5:dc:
+ 9e:79:4a:36:4c:e6:95:f2:5a:d9:90:3d:0b:63:94:
+ 30:c8:6c:5d:62:1c:17:dd:ab:3b:bb:5d:9a:ad:d1:
+ c7:d0:c7:20:aa:27:39:ff:6c:09:2c:b4:48:5d:19:
+ c3:e0:03:ef:6d:13:2e:26:39:0c:71:83:44:3f:65:
+ ec:6d:51:e8:41:ab:b8:bf:82:03:9e:38:0f:dd:fd:
+ ff:d1:d7:31:05:b1:3d:7d:9b:0a:7d:e0:19:77:10:
+ 09:f7:cd:0a:0a:3d:e5:7d:5e:25:34:41:d0:e4:c1:
+ 31:c9:ab:f0:87:0e:3a:39:6f:58:38:ff:09:11:6a:
+ 51:b5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ Easy-RSA Generated Certificate
+ X509v3 Subject Key Identifier:
+ 5A:52:B0:47:7A:9A:89:8E:78:99:EC:C1:4D:68:FD:D7:74:A2:68:38
+ X509v3 Authority Key Identifier:
+ keyid:67:06:43:26:4A:A6:D4:48:E1:32:D4:B7:D7:0A:66:9C:22:42:6A:4A
+ DirName:/C=US/ST=TX/L=Austin/O=VPSM/OU=VPSM/CN=ca.vpsm/name=VPSM/emailAddress=cert@vpsm.net
+ serial:D8:29:0D:FD:78:72:5C:2D
+
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication
+ X509v3 Key Usage:
+ Digital Signature
+ Signature Algorithm: sha256WithRSAEncryption
+ a5:b0:29:89:26:a3:22:54:d8:38:53:dc:82:22:33:44:ed:96:
+ 92:95:8e:33:d9:bb:6d:1a:f3:72:82:c9:3a:1b:22:32:22:98:
+ 92:a0:57:48:1e:c8:63:41:71:39:94:a9:89:6e:36:36:7b:e4:
+ 92:95:2e:bb:4e:4e:2a:64:ae:ca:7a:7a:3c:1d:bc:95:2b:2a:
+ 22:bb:13:15:a3:b4:8f:47:b3:37:02:fe:8a:e4:ce:f8:67:fa:
+ b9:43:f1:f9:53:8d:c2:56:46:6b:6d:bd:6a:de:56:ed:94:01:
+ ef:df:67:a6:84:88:85:76:d0:41:95:3d:5e:55:73:6a:18:65:
+ 35:82:15:72:f8:80:55:07:9e:00:dd:6e:11:09:da:ce:cb:d4:
+ e2:f2:bc:61:88:5b:cc:9e:3d:e3:fb:8f:64:a2:2d:40:53:8b:
+ c7:4d:ab:2f:05:5e:80:3a:eb:40:a8:b3:cf:cc:50:e8:aa:21:
+ 1c:ba:92:c3:c6:db:b8:49:ad:7d:d5:7d:59:4d:66:3a:f7:c9:
+ e7:1f:f7:ae:40:b2:c1:47:be:05:94:ee:97:09:e6:27:aa:21:
+ 4e:bc:ec:d8:cf:17:b7:e0:41:ce:d0:97:6e:31:a7:fe:79:f8:
+ be:d9:2f:3f:f9:34:3b:53:8e:71:c6:a6:b0:11:d4:ee:5b:3d:
+ 02:ab:c4:5a
+-----BEGIN CERTIFICATE-----
+MIIE0jCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTAL
+BgNVBAsTBFZQU00xEDAOBgNVBAMTB2NhLnZwc20xDTALBgNVBCkTBFZQU00xHDAa
+BgkqhkiG9w0BCQEWDWNlcnRAdnBzbS5uZXQwHhcNMTMwNjIyMTYxMTE2WhcNMjMw
+NjIwMTYxMTE2WjCBjDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH
+EwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTALBgNVBAsTBFZQU00xFDASBgNVBAMT
+C21hc3Rlci52cHNtMQ0wCwYDVQQpEwRWUFNNMRwwGgYJKoZIhvcNAQkBFg1jZXJ0
+QHZwc20ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywcXQZfh
+xWJGWUCY/P6WAFEHPdGDBqBhw1fCGZoEYpdSsn5Fg7L2X7USpbXvuKtYl3aZjVFU
+IYMegNWmc5HIMgh8uatQiUSuoFmSkAQkX710QWG7j+dgd6wbExUJq3PtUQ3p5vTJ
+/4F6JfLvOBYaWSgfGrqfbmnExYMBA4NJE/t9vCON5dyeeUo2TOaV8lrZkD0LY5Qw
+yGxdYhwX3as7u12ardHH0Mcgqic5/2wJLLRIXRnD4APvbRMuJjkMcYNEP2XsbVHo
+Qau4v4IDnjgP3f3/0dcxBbE9fZsKfeAZdxAJ980KCj3lfV4lNEHQ5MExyavwhw46
+OW9YOP8JEWpRtQIDAQABo4IBPzCCATswCQYDVR0TBAIwADAtBglghkgBhvhCAQ0E
+IBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRaUrBH
+epqJjniZ7MFNaP3XdKJoODCBvQYDVR0jBIG1MIGygBRnBkMmSqbUSOEy1LfXCmac
+IkJqSqGBjqSBizCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH
+EwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTALBgNVBAsTBFZQU00xEDAOBgNVBAMT
+B2NhLnZwc20xDTALBgNVBCkTBFZQU00xHDAaBgkqhkiG9w0BCQEWDWNlcnRAdnBz
+bS5uZXSCCQDYKQ39eHJcLTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMC
+B4AwDQYJKoZIhvcNAQELBQADggEBAKWwKYkmoyJU2DhT3IIiM0TtlpKVjjPZu20a
+83KCyTobIjIimJKgV0geyGNBcTmUqYluNjZ75JKVLrtOTipkrsp6ejwdvJUrKiK7
+ExWjtI9HszcC/orkzvhn+rlD8flTjcJWRmttvWreVu2UAe/fZ6aEiIV20EGVPV5V
+c2oYZTWCFXL4gFUHngDdbhEJ2s7L1OLyvGGIW8yePeP7j2SiLUBTi8dNqy8FXoA6
+60Cos8/MUOiqIRy6ksPG27hJrX3VfVlNZjr3yecf965AssFHvgWU7pcJ5ieqIU68
+7NjPF7fgQc7Ql24xp/55+L7ZLz/5NDtTjnHGprAR1O5bPQKrxFo=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIEhjCCA26gAwIBAgIJANgpDf14clwtMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjENMAsGA1UEChME
+VlBTTTENMAsGA1UECxMEVlBTTTEQMA4GA1UEAxMHY2EudnBzbTENMAsGA1UEKRME
+VlBTTTEcMBoGCSqGSIb3DQEJARYNY2VydEB2cHNtLm5ldDAeFw0xMzA2MjIxNjA5
+MTBaFw0yMzA2MjAxNjA5MTBaMIGIMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgx
+DzANBgNVBAcTBkF1c3RpbjENMAsGA1UEChMEVlBTTTENMAsGA1UECxMEVlBTTTEQ
+MA4GA1UEAxMHY2EudnBzbTENMAsGA1UEKRMEVlBTTTEcMBoGCSqGSIb3DQEJARYN
+Y2VydEB2cHNtLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsE
+LAO81hT71dVDLUv2xYqDK2gKUZccz2mavgqc23KTpBkr8Fs2zuMVKRN1EKFcnANF
+OTggHyGgyeIdOXlJ0SZZQF4WFYHKBVtJp51/4tgcSU+pVUxb7gv10cOwCx4KE52z
+FOMBmaGLolhUhZXFAwyotAbMn3JbGi7FYOemLDwTPVw04QdKtEPumod4NiYbCQ2L
+n7co4f7JbZgtScWAz/K0pDn+YsVbQ1IXMPKs0KoF7keJMJnFzaeaRR/2w0ivMxsf
+/w1rjwaRqSsLumniJsvIFQD7/ZYf6JSwmcDjKHzHpdSpqOG0TNB/uXdiQZ+PPlBR
+aqeLJbhso8NH0J0L/5ECAwEAAaOB8DCB7TAdBgNVHQ4EFgQUZwZDJkqm1EjhMtS3
+1wpmnCJCakowgb0GA1UdIwSBtTCBsoAUZwZDJkqm1EjhMtS31wpmnCJCakqhgY6k
+gYswgYgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJUWDEPMA0GA1UEBxMGQXVzdGlu
+MQ0wCwYDVQQKEwRWUFNNMQ0wCwYDVQQLEwRWUFNNMRAwDgYDVQQDEwdjYS52cHNt
+MQ0wCwYDVQQpEwRWUFNNMRwwGgYJKoZIhvcNAQkBFg1jZXJ0QHZwc20ubmV0ggkA
+2CkN/XhyXC0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAQ9dvM1j
+IqLBiPttCx64GqwmY4fw+N6ALcN9oD9PRCjtQ3631Hp2HdbugwyXZWasmOC+sdBn
+LhJdic/kexoR1gKC7FYykVjf/PQRjh7l8TyH9L6ddNMSOIsBLv0Q2mvLtKIUTLZQ
+aOftpMuyOdbRDgUTmrxi/S94xHWaEWU23lWDgEJsudSGwGtgf6KAD7GJj2p3FjA1
+nfZBF7L/jsl0+Shxcrc6nifgqBiUvGr3Nba8AnllaXuFs371md/+xuatw7kT0IgU
+ZEbHleZf5GsDQFy0XycjLoVWMSvZC8bC4HnGz40hpTDGihITai1tefk9cMjR4T40
+octVHCIzJbL7cA==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAqwQsA7zWFPvV1UMtS/bFioMraApRlxzPaZq+CpzbcpOkGSvw
+WzbO4xUpE3UQoVycA0U5OCAfIaDJ4h05eUnRJllAXhYVgcoFW0mnnX/i2BxJT6lV
+TFvuC/XRw7ALHgoTnbMU4wGZoYuiWFSFlcUDDKi0BsyfclsaLsVg56YsPBM9XDTh
+B0q0Q+6ah3g2JhsJDYuftyjh/sltmC1JxYDP8rSkOf5ixVtDUhcw8qzQqgXuR4kw
+mcXNp5pFH/bDSK8zGx//DWuPBpGpKwu6aeImy8gVAPv9lh/olLCZwOMofMel1Kmo
+4bRM0H+5d2JBn48+UFFqp4sluGyjw0fQnQv/kQIDAQABAoIBAQCdKaRZev0zI40M
+BERof0xjUtBdOL5qpStn3bGwhx6VWWGBUIP/D4tp3VR2cSrrX/RwfPlsvvhdKyrd
+BgZ/lHsFRxiEXr89G694iWPktlZ+TOCCuReOqR1HGI3BzNMqtA/66UzUoe/SKkTz
+8Bkj3n5C7/ciGIKf0WFqgjHgMTKNsY/mCEd+YatO7sX74101JHzhGNdNiANjvbIV
+jliH7QXYBBQKPvHVjKWazqxBBYBGCqN9T893plXm13SBlKVhlDjR0OAnA6zXE/A9
+XRMBnIyHRmoBCMLuJcv/MOo6yu5u/Y5q/nNgFCuXi212jbp3h5ueNs04HigOIfKw
+2YyjNrABAoGBANkk+147vIPsiZuJDPpGbTcZiAnRPhnLFKaK9XbgBzcQN7f46Ezd
+Pkxr+fUefWPpvx/05vpghUC8Zj6VuQcjqO9J0CgfYqEjkaWujb2hzDE//VWCqluD
+rpcwRZ0+SbUXXdkBFc7K8LRTS8lXt6sQAaVMVkwwP33DA3yqOPxITjHBAoGBAMme
+IynqAEyqDLetBjhRcxYf7EqAOw/VK4vR0/qWJ14jYG1bpdZvl42KGQ4g7NJ+S9UB
+OxLyWIz/r1gg5Dk4JR0LVSt7RY8oE3vfUcwpSdchUAWPrugS+86+hmM84tORkVLr
+XBeTGh7biNMx3Kv+uIO4onBNLyA632YHEZgsq6HRAoGBAI93Y60rAq6XBYQB1NU2
+2sng0ITL/p/EEWzHus5DzgCPcoDWr4S5WIPdg1R0RJxSv7g5crJSOzg+Qb9v5MPW
+x7LxrdoUgnG8smopHfUAhYy0noh0wGGeayfw+M2fbct8GMFbejEa3FYIAraQggU/
+mhbAjPPhnNFWm2MuhGAK1b8BAoGBALCsn5m6ETsdBHnr5/hv/06S+MesKJVOMpOa
+cowzChpnG7eYyPDo5sBEFIKZ/YzS2Xa1VmPa9BfScn/iirtNZNBXvvGUWzcAYlp5
+Lj+eqrMW4P2OlDGPeRMJR9AsaYQGGne0AQYzhH8n13ViS0J4uo3KvKV2LWar0Fmi
+thtIgboRAoGAFZbn+KVu9cbLZNaVnq84bhn00vwoQaEJ1+Y+MFWEFWUaXQ+BYmCv
+sm+PP8NzBRIUDYLujpmRgWOp+dobftWf50auUZwZjUl/w+gg0U0EMpPpieyPvqIl
+qG0doFzujNOJUbQa/td7o6PaOXv/c4R2iyZcvFzDU6kf56uMRZJuzN4=
+-----END RSA PRIVATE KEY-----
--- /dev/null
+V 230620161116Z 01 unknown /C=US/ST=TX/L=Austin/O=VPSM/OU=VPSM/CN=master.vpsm/name=VPSM/emailAddress=cert@vpsm.net
--- /dev/null
+unique_subject = yes
--- /dev/null
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=TX, L=Austin, O=VPSM, OU=VPSM, CN=ca.vpsm/name=VPSM/emailAddress=cert@vpsm.net
+ Validity
+ Not Before: Jun 22 16:11:16 2013 GMT
+ Not After : Jun 20 16:11:16 2023 GMT
+ Subject: C=US, ST=TX, L=Austin, O=VPSM, OU=VPSM, CN=master.vpsm/name=VPSM/emailAddress=cert@vpsm.net
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:cb:07:17:41:97:e1:c5:62:46:59:40:98:fc:fe:
+ 96:00:51:07:3d:d1:83:06:a0:61:c3:57:c2:19:9a:
+ 04:62:97:52:b2:7e:45:83:b2:f6:5f:b5:12:a5:b5:
+ ef:b8:ab:58:97:76:99:8d:51:54:21:83:1e:80:d5:
+ a6:73:91:c8:32:08:7c:b9:ab:50:89:44:ae:a0:59:
+ 92:90:04:24:5f:bd:74:41:61:bb:8f:e7:60:77:ac:
+ 1b:13:15:09:ab:73:ed:51:0d:e9:e6:f4:c9:ff:81:
+ 7a:25:f2:ef:38:16:1a:59:28:1f:1a:ba:9f:6e:69:
+ c4:c5:83:01:03:83:49:13:fb:7d:bc:23:8d:e5:dc:
+ 9e:79:4a:36:4c:e6:95:f2:5a:d9:90:3d:0b:63:94:
+ 30:c8:6c:5d:62:1c:17:dd:ab:3b:bb:5d:9a:ad:d1:
+ c7:d0:c7:20:aa:27:39:ff:6c:09:2c:b4:48:5d:19:
+ c3:e0:03:ef:6d:13:2e:26:39:0c:71:83:44:3f:65:
+ ec:6d:51:e8:41:ab:b8:bf:82:03:9e:38:0f:dd:fd:
+ ff:d1:d7:31:05:b1:3d:7d:9b:0a:7d:e0:19:77:10:
+ 09:f7:cd:0a:0a:3d:e5:7d:5e:25:34:41:d0:e4:c1:
+ 31:c9:ab:f0:87:0e:3a:39:6f:58:38:ff:09:11:6a:
+ 51:b5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ Easy-RSA Generated Certificate
+ X509v3 Subject Key Identifier:
+ 5A:52:B0:47:7A:9A:89:8E:78:99:EC:C1:4D:68:FD:D7:74:A2:68:38
+ X509v3 Authority Key Identifier:
+ keyid:67:06:43:26:4A:A6:D4:48:E1:32:D4:B7:D7:0A:66:9C:22:42:6A:4A
+ DirName:/C=US/ST=TX/L=Austin/O=VPSM/OU=VPSM/CN=ca.vpsm/name=VPSM/emailAddress=cert@vpsm.net
+ serial:D8:29:0D:FD:78:72:5C:2D
+
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication
+ X509v3 Key Usage:
+ Digital Signature
+ Signature Algorithm: sha256WithRSAEncryption
+ a5:b0:29:89:26:a3:22:54:d8:38:53:dc:82:22:33:44:ed:96:
+ 92:95:8e:33:d9:bb:6d:1a:f3:72:82:c9:3a:1b:22:32:22:98:
+ 92:a0:57:48:1e:c8:63:41:71:39:94:a9:89:6e:36:36:7b:e4:
+ 92:95:2e:bb:4e:4e:2a:64:ae:ca:7a:7a:3c:1d:bc:95:2b:2a:
+ 22:bb:13:15:a3:b4:8f:47:b3:37:02:fe:8a:e4:ce:f8:67:fa:
+ b9:43:f1:f9:53:8d:c2:56:46:6b:6d:bd:6a:de:56:ed:94:01:
+ ef:df:67:a6:84:88:85:76:d0:41:95:3d:5e:55:73:6a:18:65:
+ 35:82:15:72:f8:80:55:07:9e:00:dd:6e:11:09:da:ce:cb:d4:
+ e2:f2:bc:61:88:5b:cc:9e:3d:e3:fb:8f:64:a2:2d:40:53:8b:
+ c7:4d:ab:2f:05:5e:80:3a:eb:40:a8:b3:cf:cc:50:e8:aa:21:
+ 1c:ba:92:c3:c6:db:b8:49:ad:7d:d5:7d:59:4d:66:3a:f7:c9:
+ e7:1f:f7:ae:40:b2:c1:47:be:05:94:ee:97:09:e6:27:aa:21:
+ 4e:bc:ec:d8:cf:17:b7:e0:41:ce:d0:97:6e:31:a7:fe:79:f8:
+ be:d9:2f:3f:f9:34:3b:53:8e:71:c6:a6:b0:11:d4:ee:5b:3d:
+ 02:ab:c4:5a
+-----BEGIN CERTIFICATE-----
+MIIE0jCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTAL
+BgNVBAsTBFZQU00xEDAOBgNVBAMTB2NhLnZwc20xDTALBgNVBCkTBFZQU00xHDAa
+BgkqhkiG9w0BCQEWDWNlcnRAdnBzbS5uZXQwHhcNMTMwNjIyMTYxMTE2WhcNMjMw
+NjIwMTYxMTE2WjCBjDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH
+EwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTALBgNVBAsTBFZQU00xFDASBgNVBAMT
+C21hc3Rlci52cHNtMQ0wCwYDVQQpEwRWUFNNMRwwGgYJKoZIhvcNAQkBFg1jZXJ0
+QHZwc20ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywcXQZfh
+xWJGWUCY/P6WAFEHPdGDBqBhw1fCGZoEYpdSsn5Fg7L2X7USpbXvuKtYl3aZjVFU
+IYMegNWmc5HIMgh8uatQiUSuoFmSkAQkX710QWG7j+dgd6wbExUJq3PtUQ3p5vTJ
+/4F6JfLvOBYaWSgfGrqfbmnExYMBA4NJE/t9vCON5dyeeUo2TOaV8lrZkD0LY5Qw
+yGxdYhwX3as7u12ardHH0Mcgqic5/2wJLLRIXRnD4APvbRMuJjkMcYNEP2XsbVHo
+Qau4v4IDnjgP3f3/0dcxBbE9fZsKfeAZdxAJ980KCj3lfV4lNEHQ5MExyavwhw46
+OW9YOP8JEWpRtQIDAQABo4IBPzCCATswCQYDVR0TBAIwADAtBglghkgBhvhCAQ0E
+IBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRaUrBH
+epqJjniZ7MFNaP3XdKJoODCBvQYDVR0jBIG1MIGygBRnBkMmSqbUSOEy1LfXCmac
+IkJqSqGBjqSBizCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH
+EwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTALBgNVBAsTBFZQU00xEDAOBgNVBAMT
+B2NhLnZwc20xDTALBgNVBCkTBFZQU00xHDAaBgkqhkiG9w0BCQEWDWNlcnRAdnBz
+bS5uZXSCCQDYKQ39eHJcLTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMC
+B4AwDQYJKoZIhvcNAQELBQADggEBAKWwKYkmoyJU2DhT3IIiM0TtlpKVjjPZu20a
+83KCyTobIjIimJKgV0geyGNBcTmUqYluNjZ75JKVLrtOTipkrsp6ejwdvJUrKiK7
+ExWjtI9HszcC/orkzvhn+rlD8flTjcJWRmttvWreVu2UAe/fZ6aEiIV20EGVPV5V
+c2oYZTWCFXL4gFUHngDdbhEJ2s7L1OLyvGGIW8yePeP7j2SiLUBTi8dNqy8FXoA6
+60Cos8/MUOiqIRy6ksPG27hJrX3VfVlNZjr3yecf965AssFHvgWU7pcJ5ieqIU68
+7NjPF7fgQc7Ql24xp/55+L7ZLz/5NDtTjnHGprAR1O5bPQKrxFo=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC0jCCAboCAQAwgYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJUWDEPMA0GA1UE
+BxMGQXVzdGluMQ0wCwYDVQQKEwRWUFNNMQ0wCwYDVQQLEwRWUFNNMRQwEgYDVQQD
+EwttYXN0ZXIudnBzbTENMAsGA1UEKRMEVlBTTTEcMBoGCSqGSIb3DQEJARYNY2Vy
+dEB2cHNtLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMsHF0GX
+4cViRllAmPz+lgBRBz3RgwagYcNXwhmaBGKXUrJ+RYOy9l+1EqW177irWJd2mY1R
+VCGDHoDVpnORyDIIfLmrUIlErqBZkpAEJF+9dEFhu4/nYHesGxMVCatz7VEN6eb0
+yf+BeiXy7zgWGlkoHxq6n25pxMWDAQODSRP7fbwjjeXcnnlKNkzmlfJa2ZA9C2OU
+MMhsXWIcF92rO7tdmq3Rx9DHIKonOf9sCSy0SF0Zw+AD720TLiY5DHGDRD9l7G1R
+6EGruL+CA544D939/9HXMQWxPX2bCn3gGXcQCffNCgo95X1eJTRB0OTBMcmr8IcO
+OjlvWDj/CRFqUbUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQApVBVX6qaop8eq
+BfRkLfXndhyZafA2oKY7A2vQ93puChnmf/Krnn47u39pj+j0MkErEUrniyW6C1B0
+jW8Sao3dKcwLTVwQmHQa4u4BCaVfgtUOy/FWdeG+vC0Uj+zKBzT4jY2DWljdm3zI
+MZ8gSnxFRyO5PjDqHzbz1uR9Ij9hOK0F9RjWgI0WWqQeB3vAgSacX9tuoKv4A2kJ
+g7X2JPTH9xKyR5URN9sXOsYC7aTeeUXf2fUz2DBPApF92gayf7y1b+cWFKYFkfmI
+n23yjvGyF7EwWmo/SwJJ3yhTsP35sPKjnHpIiK2GAQX9tb2z/I3iAdDxSkvowsOk
+2x/Qxo6F
+-----END CERTIFICATE REQUEST-----
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAywcXQZfhxWJGWUCY/P6WAFEHPdGDBqBhw1fCGZoEYpdSsn5F
+g7L2X7USpbXvuKtYl3aZjVFUIYMegNWmc5HIMgh8uatQiUSuoFmSkAQkX710QWG7
+j+dgd6wbExUJq3PtUQ3p5vTJ/4F6JfLvOBYaWSgfGrqfbmnExYMBA4NJE/t9vCON
+5dyeeUo2TOaV8lrZkD0LY5QwyGxdYhwX3as7u12ardHH0Mcgqic5/2wJLLRIXRnD
+4APvbRMuJjkMcYNEP2XsbVHoQau4v4IDnjgP3f3/0dcxBbE9fZsKfeAZdxAJ980K
+Cj3lfV4lNEHQ5MExyavwhw46OW9YOP8JEWpRtQIDAQABAoIBABOk0v44uNKFSLM4
+CdVouJC9RksX62qHuA3TfudFPKlhZNH6X7V3alkmRvCbot8mTQMSqZa/yLkZW6kx
+gtJpx4n3wkGgrsEpURAYupKOpApTZV0yHJi21WGe2FvHTFE3fT27b+c1xhmfqHbl
+g3nUwaXguOm4JtbjCvPlUgLKABcbsRMO4PH7RBhIMLm/Wfm/tmv6Z0+8FlyUgEpi
+rh7h+afVARix/RvC0lO46zz2o+Pf0Eskf8TLboHQaM8pVIWXUHE63GSjzAU5TjSK
+FCKLGHsKD/0w4FZtpZKWt1ESmG1gD2GC074eycesGkmXsdL303KepMWHJhMsiIZK
+BVlSP30CgYEA6qh48ci7kCyCIG/NN3ODn/kybd31ZsrTZplJ8XaRWWJa9/Jkjrx+
+vW3Aa5+COMxzqAXSBI2wln6rGZmPa+MBcACxePxg7meReEbV47iMrf5nXvFmc8qG
+vLQdejbufQwYaaSvTuB72HpI1EKDFZ7+Sq0bGcrG39ztbbPTMVN63iMCgYEA3X4r
+jvVF8/SEOC66gXQnmV2EphNFKK1DLaei2o+hg1HBzQORfDAaHhjIjH30hLz1fKdY
+v2P1yvkHHxqbBnWQUkPR5cFGNyLXDiIvBjxW142Hut29qs8hdaza3hU1dNqyo9q3
+x/aVxD4nCowrWzNI9kYGOa5F1bnIdV4HUg5K0kcCgYBIE4tiqMeD10f48p5UI/UQ
+FBj7SivwcOhSIU9nDYZDsERE2H0uopNDWAy8gfgbviDgQTlrEKJm921Spao59zYf
+0vawNMUJNWKnUQqtsaf0YaoarYdMla6hE6niOjEy055EBMOcNLOVoKnyGKPu5jEx
+es5SM8i2RkPfaFa8VenthQKBgQClhNbqQzKeZxizn3/yo6m/+1nYfcgN6MSuBns1
+12X8a4lnOoZrBstNuHmOO8YRt9+/4pL4m6ufnc+Ll+dHwW0zfMkLaA6fv2J0hmkb
+wNWoyXQn2fMWBSnc9Wqt0a2cAJ7Ewfra7NPozgWA5VS1F7MrjxKx4iD/4ZEC3Fye
+Hl4dmwKBgQDDgEGMuNk/QYWBgQKHrBon9+AtNUE5v84AyMo0Xg+F5OFCGjGEbgWu
+ogitwMXo4F3PemkpCX4Kx98bG3vMROIqV3ZQrnuZJLNStA9b6n8xu3wJnyRu8PpG
+WaFFyIr3ctLzqxDOOvvN60+QwklLA/Sg8hr6zqCpIKVRayASjBq1Kg==
+-----END RSA PRIVATE KEY-----
--- /dev/null
+#!/bin/sh
+
+# list revoked certificates
+
+CRL="${1:-crl.pem}"
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR" && \
+ $OPENSSL crl -text -noout -in "$CRL"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
--- /dev/null
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::KEY_DIR # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = $ENV::KEY_SIZE
+default_keyfile = privkey.pem
+default_md = sha256
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = $ENV::KEY_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = $ENV::KEY_PROVINCE
+
+localityName = Locality Name (eg, city)
+localityName_default = $ENV::KEY_CITY
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = $ENV::KEY_EMAIL
+emailAddress_max = 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
--- /dev/null
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+openssl_conf = openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+engines = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::KEY_DIR # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = $ENV::KEY_SIZE
+default_keyfile = privkey.pem
+default_md = sha256
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = $ENV::KEY_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = $ENV::KEY_PROVINCE
+
+localityName = Locality Name (eg, city)
+localityName_default = $ENV::KEY_CITY
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+name = Name
+name_max = 64
+
+emailAddress = Email Address
+emailAddress_default = $ENV::KEY_EMAIL
+emailAddress_max = 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0
--- /dev/null
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+openssl_conf = openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+engines = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::KEY_DIR # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = $ENV::KEY_SIZE
+default_keyfile = privkey.pem
+default_md = sha256
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = $ENV::KEY_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = $ENV::KEY_PROVINCE
+
+localityName = Locality Name (eg, city)
+localityName_default = $ENV::KEY_CITY
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+name = Name
+name_max = 64
+
+emailAddress = Email Address
+emailAddress_default = $ENV::KEY_EMAIL
+emailAddress_max = 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0
--- /dev/null
+#!/bin/sh
+
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single TCP/UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program (see the file COPYING included with this
+# distribution); if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# pkitool is a front-end for the openssl tool.
+
+# Calling scripts can set the certificate organizational
+# unit with the KEY_OU environmental variable.
+
+# Calling scripts can also set the KEY_NAME environmental
+# variable to set the "name" X509 subject field.
+
+PROGNAME=pkitool
+VERSION=2.0
+DEBUG=0
+
+die()
+{
+ local m="$1"
+
+ echo "$m" >&2
+ exit 1
+}
+
+need_vars()
+{
+ echo ' Please edit the vars script to reflect your configuration,'
+ echo ' then source it with "source ./vars".'
+ echo ' Next, to start with a fresh PKI configuration and to delete any'
+ echo ' previous certificates and keys, run "./clean-all".'
+ echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
+}
+
+usage()
+{
+ echo "$PROGNAME $VERSION"
+ echo "Usage: $PROGNAME [options...] [common-name]"
+ echo "Options:"
+ echo " --batch : batch mode (default)"
+ echo " --keysize : Set keysize"
+ echo " size : size (default=1024)"
+ echo " --interact : interactive mode"
+ echo " --server : build server cert"
+ echo " --initca : build root CA"
+ echo " --inter : build intermediate CA"
+ echo " --pass : encrypt private key with password"
+ echo " --csr : only generate a CSR, do not sign"
+ echo " --sign : sign an existing CSR"
+ echo " --pkcs12 : generate a combined PKCS#12 file"
+ echo " --pkcs11 : generate certificate on PKCS#11 token"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " id : PKCS#11 object id (hex string)"
+ echo " label : PKCS#11 object label"
+ echo "Standalone options:"
+ echo " --pkcs11-slots : list PKCS#11 slots"
+ echo " lib : PKCS#11 library"
+ echo " --pkcs11-objects : list PKCS#11 token objects"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " label : PKCS#11 token label"
+ echo "Notes:"
+ need_vars
+ echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
+ echo "Generated files and corresponding OpenVPN directives:"
+ echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
+ echo " ca.crt -> root certificate (--ca)"
+ echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
+ echo " .crt files -> client/server certificates (--cert)"
+ echo " .key files -> private keys, keep secure (--key)"
+ echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
+ echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
+ echo "Examples:"
+ echo " $PROGNAME --initca -> Build root certificate"
+ echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
+ echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
+ echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
+ echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
+ echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
+ echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
+ echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
+ echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
+ echo " Also see ./inherit-inter script."
+ echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
+ echo " -> Build \"client5\" certificate/key in PKCS#11 token"
+ echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
+ echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
+ echo " [edit vars with your site-specific info]"
+ echo " source ./vars"
+ echo " ./clean-all"
+ echo " ./build-dh -> takes a long time, consider backgrounding"
+ echo " ./$PROGNAME --initca"
+ echo " ./$PROGNAME --server myserver"
+ echo " ./$PROGNAME client1"
+ echo " ./$PROGNAME --pass client2"
+ echo "Typical usage for adding client cert to existing PKI:"
+ echo " source ./vars"
+ echo " ./$PROGNAME client-new"
+}
+
+# Set tool defaults
+[ -n "$OPENSSL" ] || export OPENSSL="openssl"
+[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
+[ -n "$GREP" ] || export GREP="grep"
+
+# Set defaults
+DO_REQ="1"
+REQ_EXT=""
+DO_CA="1"
+CA_EXT=""
+DO_P12="0"
+DO_P11="0"
+DO_ROOT="0"
+NODES_REQ="-nodes"
+NODES_P12=""
+BATCH="-batch"
+CA="ca"
+# must be set or errors of openssl.cnf
+PKCS11_MODULE_PATH="dummy"
+PKCS11_PIN="dummy"
+
+# Process options
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --keysize ) KEY_SIZE=$2
+ shift;;
+ --server ) REQ_EXT="$REQ_EXT -extensions server"
+ CA_EXT="$CA_EXT -extensions server" ;;
+ --batch ) BATCH="-batch" ;;
+ --interact ) BATCH="" ;;
+ --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
+ --initca ) DO_ROOT="1" ;;
+ --pass ) NODES_REQ="" ;;
+ --csr ) DO_CA="0" ;;
+ --sign ) DO_REQ="0" ;;
+ --pkcs12 ) DO_P12="1" ;;
+ --pkcs11 ) DO_P11="1"
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ PKCS11_ID="$4"
+ PKCS11_LABEL="$5"
+ shift 4;;
+
+ # standalone
+ --pkcs11-init)
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ PKCS11_LABEL="$4"
+ if [ -z "$PKCS11_LABEL" ]; then
+ die "Please specify library name, slot and label"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+ --label "$PKCS11_LABEL" &&
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+ exit $?;;
+ --pkcs11-slots)
+ PKCS11_MODULE_PATH="$2"
+ if [ -z "$PKCS11_MODULE_PATH" ]; then
+ die "Please specify library name"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+ exit 0;;
+ --pkcs11-objects)
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ if [ -z "$PKCS11_SLOT" ]; then
+ die "Please specify library name and slot"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+ exit 0;;
+
+ --help|--usage)
+ usage
+ exit ;;
+ --version)
+ echo "$PROGNAME $VERSION"
+ exit ;;
+ # errors
+ --* ) die "$PROGNAME: unknown option: $1" ;;
+ * ) break ;;
+ esac
+ shift
+done
+
+if ! [ -z "$BATCH" ]; then
+ if $OPENSSL version | grep 0.9.6 > /dev/null; then
+ die "Batch mode is unsupported in openssl<0.9.7"
+ fi
+fi
+
+if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
+ die "PKCS#11 and PKCS#12 cannot be specified together"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+ if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
+ die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
+ fi
+fi
+
+# If we are generating pkcs12, only encrypt the final step
+if [ $DO_P12 -eq 1 ]; then
+ NODES_P12="$NODES_REQ"
+ NODES_REQ="-nodes"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+ if [ -z "$PKCS11_LABEL" ]; then
+ die "PKCS#11 arguments incomplete"
+ fi
+fi
+
+# If undefined, set default key expiration intervals
+if [ -z "$KEY_EXPIRE" ]; then
+ KEY_EXPIRE=3650
+fi
+if [ -z "$CA_EXPIRE" ]; then
+ CA_EXPIRE=3650
+fi
+
+# Set organizational unit to empty string if undefined
+if [ -z "$KEY_OU" ]; then
+ KEY_OU=""
+fi
+
+# Set X509 Name string to empty string if undefined
+if [ -z "$KEY_NAME" ]; then
+ KEY_NAME=""
+fi
+
+# Set KEY_CN, FN
+if [ $DO_ROOT -eq 1 ]; then
+ if [ -z "$KEY_CN" ]; then
+ if [ "$1" ]; then
+ KEY_CN="$1"
+ elif [ "$KEY_ORG" ]; then
+ KEY_CN="$KEY_ORG CA"
+ fi
+ fi
+ if [ $BATCH ] && [ "$KEY_CN" ]; then
+ echo "Using CA Common Name:" "$KEY_CN"
+ fi
+ FN="$KEY_CN"
+elif [ $BATCH ] && [ "$KEY_CN" ]; then
+ echo "Using Common Name:" "$KEY_CN"
+ FN="$KEY_CN"
+ if [ "$1" ]; then
+ FN="$1"
+ fi
+else
+ if [ $# -ne 1 ]; then
+ usage
+ exit 1
+ else
+ KEY_CN="$1"
+ fi
+ FN="$KEY_CN"
+fi
+
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
+
+# Show parameters (debugging)
+if [ $DEBUG -eq 1 ]; then
+ echo DO_REQ $DO_REQ
+ echo REQ_EXT $REQ_EXT
+ echo DO_CA $DO_CA
+ echo CA_EXT $CA_EXT
+ echo NODES_REQ $NODES_REQ
+ echo NODES_P12 $NODES_P12
+ echo DO_P12 $DO_P12
+ echo KEY_CN $KEY_CN
+ echo BATCH $BATCH
+ echo DO_ROOT $DO_ROOT
+ echo KEY_EXPIRE $KEY_EXPIRE
+ echo CA_EXPIRE $CA_EXPIRE
+ echo KEY_OU $KEY_OU
+ echo KEY_NAME $KEY_NAME
+ echo DO_P11 $DO_P11
+ echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
+ echo PKCS11_SLOT $PKCS11_SLOT
+ echo PKCS11_ID $PKCS11_ID
+ echo PKCS11_LABEL $PKCS11_LABEL
+fi
+
+# Make sure ./vars was sourced beforehand
+if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
+ cd "$KEY_DIR"
+
+ # Make sure $KEY_CONFIG points to the correct version
+ # of openssl.cnf
+ if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+ :
+ else
+ echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
+ echo "version of openssl.cnf: $KEY_CONFIG"
+ echo "The correct version should have a comment that says: easy-rsa version 2.x";
+ exit 1;
+ fi
+
+ # Build root CA
+ if [ $DO_ROOT -eq 1 ]; then
+ $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
+ chmod 0600 "$CA.key"
+ else
+ # Make sure CA key/cert is available
+ if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
+ if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
+ echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
+ echo "Try $PROGNAME --initca to build a root certificate/key."
+ exit 1
+ fi
+ fi
+
+ # Generate key for PKCS#11 token
+ PKCS11_ARGS=
+ if [ $DO_P11 -eq 1 ]; then
+ stty -echo
+ echo -n "User PIN: "
+ read -r PKCS11_PIN
+ stty echo
+ export PKCS11_PIN
+
+ echo "Generating key pair on PKCS#11 token..."
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+ --login --pin "$PKCS11_PIN" \
+ --key-type rsa:1024 \
+ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
+ PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
+ fi
+
+ # Build cert/key
+ ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+ -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
+ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
+ -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
+ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
+ -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
+ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
+ ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
+
+ # Load certificate into PKCS#11 token
+ if [ $DO_P11 -eq 1 ]; then
+ $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
+ --login --pin "$PKCS11_PIN" \
+ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
+ [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
+ fi
+
+ fi
+
+# Need definitions
+else
+ need_vars
+fi
--- /dev/null
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL="crl.pem"
+RT="revoke-test.pem"
+
+if [ $# -ne 1 ]; then
+ echo "usage: revoke-full <cert-name-base>";
+ exit 1
+fi
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR"
+ rm -f "$RT"
+
+ # set defaults
+ export KEY_CN=""
+ export KEY_OU=""
+ export KEY_NAME=""
+
+ # revoke key and generate a new CRL
+ $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+
+ # generate a new CRL -- try to be compatible with
+ # intermediate PKIs
+ $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+ if [ -e export-ca.crt ]; then
+ cat export-ca.crt "$CRL" >"$RT"
+ else
+ cat ca.crt "$CRL" >"$RT"
+ fi
+
+ # verify the revocation
+ $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
--- /dev/null
+#!/bin/sh
+
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*
--- /dev/null
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid. This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="TX"
+export KEY_CITY="Austin"
+export KEY_ORG="VPSM"
+export KEY_EMAIL="cert@vpsm.net"
+export KEY_OU="VPSM"
+
+# X509 Subject Field
+export KEY_NAME="VPSM"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+#export KEY_CN="node.vpsm"
--- /dev/null
+#!/bin/sh
+
+cnf="$1/openssl.cnf"
+
+if [ "$OPENSSL" ]; then
+ if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-0.9.6.cnf"
+ elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-0.9.8.cnf"
+ elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-1.0.0.cnf"
+ else
+ cnf="$1/openssl.cnf"
+ fi
+fi
+
+echo $cnf
+
+if [ ! -r $cnf ]; then
+ echo "**************************************************************" >&2
+ echo " No $cnf file could be found" >&2
+ echo " Further invocations will fail" >&2
+ echo "**************************************************************" >&2
+fi
+
+exit 0
--- /dev/null
+<?php
+$mastercn = 'master';
+
+
+$sslctx = stream_context_create(array('ssl' => array(
+ 'verify_peer' => true,
+ 'cafile' => '/opt/vpsm/ca/ca.crt',
+ 'local_cert' => '/opt/vpsm/local.pem',
+# 'CN_match' => $mastercn, # on node side
+)));
+
+
+if (($stream = stream_socket_client('ssl://node1.jfr.im', $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $sslctx) === FALSE) {
+ die("$errno: $errstr\n");
+}
+
+