From: John Runyon
Date: Sat, 22 Jun 2013 16:16:59 +0000 (-0500)
Subject: Adding start of SSL-certificate-stuff. easy-rsa
X-Git-Url: https://jfr.im/git/z_archive/vpsm.git/commitdiff_plain/HEAD
Adding start of SSL-certificate-stuff. easy-rsa
---
diff --git a/devtemp/certs/COPYING b/devtemp/certs/COPYING
new file mode 100644
index 0000000..fcdfffd
--- /dev/null
+++ b/devtemp/certs/COPYING
@@ -0,0 +1,42 @@
+OpenVPN (TM) -- An Open Source VPN daemon
+
+Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
+
+This distribution contains multiple components, some
+of which fall under different licenses. By using OpenVPN
+or any of the bundled components enumerated below, you
+agree to be bound by the conditions of the license for
+each respective component.
+
+OpenVPN trademark
+-----------------
+
+ "OpenVPN" is a trademark of OpenVPN Technologies, Inc.
+
+
+OpenVPN license:
+----------------
+
+ OpenVPN is distributed under the GPL license version 2 (see Below).
+
+ Special exception for linking OpenVPN with OpenSSL:
+
+ In addition, as a special exception, OpenVPN Technologies, Inc. gives
+ permission to link the code of this program with the OpenSSL
+ library (or with modified versions of OpenSSL that use the same
+ license as OpenSSL), and distribute linked combinations including
+ the two. You must obey the GNU General Public License in all
+ respects for all of the code used other than OpenSSL. If you modify
+ this file, you may extend this exception to your version of the
+ file, but you are not obligated to do so. If you do not wish to
+ do so, delete this exception statement from your version.
+
+GNU Public License (GPL)
+------------------------
+
+ OpenVPN, LZO, and the TAP-Win32 distributions are
+ licensed under the GPL version 2 (see COPYRIGHT.GPL).
+
+ In the Windows binary distribution of OpenVPN, the
+ GPL is reproduced below.
+
diff --git a/devtemp/certs/COPYRIGHT.GPL b/devtemp/certs/COPYRIGHT.GPL
new file mode 100644
index 0000000..ff8a7f0
--- /dev/null
+++ b/devtemp/certs/COPYRIGHT.GPL 
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License version 2 + as published by the Free Software Foundation. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/devtemp/certs/build-ca b/devtemp/certs/build-ca
new file mode 100755
index 0000000..bce29a6
--- /dev/null
+++ b/devtemp/certs/build-ca
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*
diff --git a/devtemp/certs/build-dh b/devtemp/certs/build-dh
new file mode 100755
index 0000000..4beb127
--- /dev/null
+++ b/devtemp/certs/build-dh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+ $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/devtemp/certs/build-inter b/devtemp/certs/build-inter
new file mode 100755
index 0000000..87bf98d
--- /dev/null
+++ b/devtemp/certs/build-inter
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*
diff --git a/devtemp/certs/build-key b/devtemp/certs/build-key
new file mode 100755
index 0000000..6c0fed8
--- /dev/null
+++ b/devtemp/certs/build-key
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*
diff --git a/devtemp/certs/build-key-pass b/devtemp/certs/build-key-pass
new file mode 100755
index 0000000..8ef8307
--- /dev/null
+++ b/devtemp/certs/build-key-pass
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Similar to build-key, but protect the private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*
diff --git a/devtemp/certs/build-key-pkcs12 b/devtemp/certs/build-key-pkcs12
new file mode 100755
index 0000000..ba90e6a
--- /dev/null
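Review bot: The final line `"$EASY_RSA/pkitool" --interact --initca $*` forwards the script's arguments through an unquoted `$*`, which re-splits them on whitespace and expands any glob characters before pkitool sees them, so a common name passed as one quoted argument arrives as several words. Replace it with `"$EASY_RSA/pkitool" --interact --initca "$@"`. The same last-line pattern is in build-inter, build-key and build-key-pass in this group and in build-key-pkcs12, build-key-server, build-req and build-req-pass below, and wants the same fix in each.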
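Review bot: The guard `if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then` in build-dh leaves both variables unquoted, so with KEY_DIR unset it degrades to the one-argument test `[ -d ]`, which is true, and the only thing preventing a write to `/dh${KEY_SIZE}.pem` at the filesystem root is KEY_SIZE happening to be empty as well. Quote both and test KEY_SIZE explicitly, `if [ -d "$KEY_DIR" ] && [ -n "$KEY_SIZE" ]; then`, and quote the expansions on the next line, `"$OPENSSL" dhparam -out "${KEY_DIR}/dh${KEY_SIZE}.pem" "${KEY_SIZE}"`; `$OPENSSL` is not part of the guard at all, so an unset value runs a bare `dhparam` command. The else branch prints the "source ./vars" hint but the script still exits 0, so a caller chaining these scripts cannot detect the misconfiguration; add `exit 1` after the second echo here and in the matching else branches of clean-all and inherit-inter below.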
+++ b/devtemp/certs/build-key-pkcs12
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*
diff --git a/devtemp/certs/build-key-server b/devtemp/certs/build-key-server
new file mode 100755
index 0000000..fee0194
--- /dev/null
+++ b/devtemp/certs/build-key-server
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*
diff --git a/devtemp/certs/build-req b/devtemp/certs/build-req
new file mode 100755
index 0000000..559d512
--- /dev/null
+++ b/devtemp/certs/build-req
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Build a certificate signing request and private key. Use this
+# when your root certificate and key is not available locally.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*
diff --git a/devtemp/certs/build-req-pass b/devtemp/certs/build-req-pass
new file mode 100755
index 0000000..b73ee1b
--- /dev/null
+++ b/devtemp/certs/build-req-pass
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Like build-req, but protect your private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*
diff --git a/devtemp/certs/clean-all b/devtemp/certs/clean-all
new file mode 100755
index 0000000..cc6e3b2
--- /dev/null
+++ b/devtemp/certs/clean-all
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+
+if [ "$KEY_DIR" ]; then
+ rm -rf "$KEY_DIR"
+ mkdir "$KEY_DIR" && \
+ chmod go-rwx "$KEY_DIR" && \
+ touch "$KEY_DIR/index.txt" && \
+ echo 01 >"$KEY_DIR/serial"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/devtemp/certs/inherit-inter b/devtemp/certs/inherit-inter
new file mode 100755
index 0000000..aaa5168
--- /dev/null
+++ b/devtemp/certs/inherit-inter
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent. This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+
+if [ $# -ne 2 ]; then
+ echo "usage: $0 "
+ echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+ echo "common-name: the common name of the intermediate certificate in the parent PKI"
+ exit 1;
+fi
+
+if [ "$KEY_DIR" ]; then
+ cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+ cp "$1/$2.key" "$KEY_DIR/ca.key"
+
+ if [ -e "$1/$EXPORT_CA" ]; then
+ PARENT_CA="$1/$EXPORT_CA"
+ else
+ PARENT_CA="$1/ca.crt"
+ fi
+ cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+ cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/devtemp/certs/keys/01.pem b/devtemp/certs/keys/01.pem
new file mode 100644
index 0000000..aafc688
--- /dev/null
+++ b/devtemp/certs/keys/01.pem
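Review bot: The two `cp` calls at the top of the KEY_DIR branch are unchecked, so when `$1/$2.crt` or `$1/$2.key` does not exist (wrong parent directory or common name) the script carries on, assembles export-ca.crt from whatever ca.crt already sits in KEY_DIR, and exits 0; write `cp "$1/$2.crt" "$KEY_DIR/ca.crt" || exit 1` and the same for the `.key` line. The usage line `echo "usage: $0 "` names no arguments — presumably the two placeholders were lost in rendering, but as shown the message is incomplete and should read something like `echo "usage: $0 parent-key-dir common-name"`. The `exit 1;` above the first `fi` carries a stray semicolon.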
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=TX, L=Austin, O=VPSM, OU=VPSM, CN=ca.vpsm/name=VPSM/emailAddress=cert@vpsm.net + Validity + Not Before: Jun 22 16:11:16 2013 GMT + Not After : Jun 20 16:11:16 2023 GMT + Subject: C=US, ST=TX, L=Austin, O=VPSM, OU=VPSM, CN=master.vpsm/name=VPSM/emailAddress=cert@vpsm.net + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:cb:07:17:41:97:e1:c5:62:46:59:40:98:fc:fe: + 96:00:51:07:3d:d1:83:06:a0:61:c3:57:c2:19:9a: + 04:62:97:52:b2:7e:45:83:b2:f6:5f:b5:12:a5:b5: + ef:b8:ab:58:97:76:99:8d:51:54:21:83:1e:80:d5: + a6:73:91:c8:32:08:7c:b9:ab:50:89:44:ae:a0:59: + 92:90:04:24:5f:bd:74:41:61:bb:8f:e7:60:77:ac: + 1b:13:15:09:ab:73:ed:51:0d:e9:e6:f4:c9:ff:81: + 7a:25:f2:ef:38:16:1a:59:28:1f:1a:ba:9f:6e:69: + c4:c5:83:01:03:83:49:13:fb:7d:bc:23:8d:e5:dc: + 9e:79:4a:36:4c:e6:95:f2:5a:d9:90:3d:0b:63:94: + 30:c8:6c:5d:62:1c:17:dd:ab:3b:bb:5d:9a:ad:d1: + c7:d0:c7:20:aa:27:39:ff:6c:09:2c:b4:48:5d:19: + c3:e0:03:ef:6d:13:2e:26:39:0c:71:83:44:3f:65: + ec:6d:51:e8:41:ab:b8:bf:82:03:9e:38:0f:dd:fd: + ff:d1:d7:31:05:b1:3d:7d:9b:0a:7d:e0:19:77:10: + 09:f7:cd:0a:0a:3d:e5:7d:5e:25:34:41:d0:e4:c1: + 31:c9:ab:f0:87:0e:3a:39:6f:58:38:ff:09:11:6a: + 51:b5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 5A:52:B0:47:7A:9A:89:8E:78:99:EC:C1:4D:68:FD:D7:74:A2:68:38 + X509v3 Authority Key Identifier: + keyid:67:06:43:26:4A:A6:D4:48:E1:32:D4:B7:D7:0A:66:9C:22:42:6A:4A + DirName:/C=US/ST=TX/L=Austin/O=VPSM/OU=VPSM/CN=ca.vpsm/name=VPSM/emailAddress=cert@vpsm.net + serial:D8:29:0D:FD:78:72:5C:2D + + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Key Usage: + Digital Signature + Signature Algorithm: sha256WithRSAEncryption + 
a5:b0:29:89:26:a3:22:54:d8:38:53:dc:82:22:33:44:ed:96: + 92:95:8e:33:d9:bb:6d:1a:f3:72:82:c9:3a:1b:22:32:22:98: + 92:a0:57:48:1e:c8:63:41:71:39:94:a9:89:6e:36:36:7b:e4: + 92:95:2e:bb:4e:4e:2a:64:ae:ca:7a:7a:3c:1d:bc:95:2b:2a: + 22:bb:13:15:a3:b4:8f:47:b3:37:02:fe:8a:e4:ce:f8:67:fa: + b9:43:f1:f9:53:8d:c2:56:46:6b:6d:bd:6a:de:56:ed:94:01: + ef:df:67:a6:84:88:85:76:d0:41:95:3d:5e:55:73:6a:18:65: + 35:82:15:72:f8:80:55:07:9e:00:dd:6e:11:09:da:ce:cb:d4: + e2:f2:bc:61:88:5b:cc:9e:3d:e3:fb:8f:64:a2:2d:40:53:8b: + c7:4d:ab:2f:05:5e:80:3a:eb:40:a8:b3:cf:cc:50:e8:aa:21: + 1c:ba:92:c3:c6:db:b8:49:ad:7d:d5:7d:59:4d:66:3a:f7:c9: + e7:1f:f7:ae:40:b2:c1:47:be:05:94:ee:97:09:e6:27:aa:21: + 4e:bc:ec:d8:cf:17:b7:e0:41:ce:d0:97:6e:31:a7:fe:79:f8: + be:d9:2f:3f:f9:34:3b:53:8e:71:c6:a6:b0:11:d4:ee:5b:3d: + 02:ab:c4:5a +-----BEGIN CERTIFICATE----- +MIIE0jCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTAL +BgNVBAsTBFZQU00xEDAOBgNVBAMTB2NhLnZwc20xDTALBgNVBCkTBFZQU00xHDAa +BgkqhkiG9w0BCQEWDWNlcnRAdnBzbS5uZXQwHhcNMTMwNjIyMTYxMTE2WhcNMjMw +NjIwMTYxMTE2WjCBjDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH +EwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTALBgNVBAsTBFZQU00xFDASBgNVBAMT +C21hc3Rlci52cHNtMQ0wCwYDVQQpEwRWUFNNMRwwGgYJKoZIhvcNAQkBFg1jZXJ0 +QHZwc20ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywcXQZfh +xWJGWUCY/P6WAFEHPdGDBqBhw1fCGZoEYpdSsn5Fg7L2X7USpbXvuKtYl3aZjVFU +IYMegNWmc5HIMgh8uatQiUSuoFmSkAQkX710QWG7j+dgd6wbExUJq3PtUQ3p5vTJ +/4F6JfLvOBYaWSgfGrqfbmnExYMBA4NJE/t9vCON5dyeeUo2TOaV8lrZkD0LY5Qw +yGxdYhwX3as7u12ardHH0Mcgqic5/2wJLLRIXRnD4APvbRMuJjkMcYNEP2XsbVHo +Qau4v4IDnjgP3f3/0dcxBbE9fZsKfeAZdxAJ980KCj3lfV4lNEHQ5MExyavwhw46 +OW9YOP8JEWpRtQIDAQABo4IBPzCCATswCQYDVR0TBAIwADAtBglghkgBhvhCAQ0E +IBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRaUrBH +epqJjniZ7MFNaP3XdKJoODCBvQYDVR0jBIG1MIGygBRnBkMmSqbUSOEy1LfXCmac +IkJqSqGBjqSBizCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH 
+EwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTALBgNVBAsTBFZQU00xEDAOBgNVBAMT +B2NhLnZwc20xDTALBgNVBCkTBFZQU00xHDAaBgkqhkiG9w0BCQEWDWNlcnRAdnBz +bS5uZXSCCQDYKQ39eHJcLTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMC +B4AwDQYJKoZIhvcNAQELBQADggEBAKWwKYkmoyJU2DhT3IIiM0TtlpKVjjPZu20a +83KCyTobIjIimJKgV0geyGNBcTmUqYluNjZ75JKVLrtOTipkrsp6ejwdvJUrKiK7 +ExWjtI9HszcC/orkzvhn+rlD8flTjcJWRmttvWreVu2UAe/fZ6aEiIV20EGVPV5V +c2oYZTWCFXL4gFUHngDdbhEJ2s7L1OLyvGGIW8yePeP7j2SiLUBTi8dNqy8FXoA6 +60Cos8/MUOiqIRy6ksPG27hJrX3VfVlNZjr3yecf965AssFHvgWU7pcJ5ieqIU68 +7NjPF7fgQc7Ql24xp/55+L7ZLz/5NDtTjnHGprAR1O5bPQKrxFo= +-----END CERTIFICATE----- diff --git a/devtemp/certs/keys/ca.crt b/devtemp/certs/keys/ca.crt new file mode 100644 index 0000000..39b19d7 --- /dev/null +++ b/devtemp/certs/keys/ca.crt 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEhjCCA26gAwIBAgIJANgpDf14clwtMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjENMAsGA1UEChME +VlBTTTENMAsGA1UECxMEVlBTTTEQMA4GA1UEAxMHY2EudnBzbTENMAsGA1UEKRME +VlBTTTEcMBoGCSqGSIb3DQEJARYNY2VydEB2cHNtLm5ldDAeFw0xMzA2MjIxNjA5 +MTBaFw0yMzA2MjAxNjA5MTBaMIGIMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgx +DzANBgNVBAcTBkF1c3RpbjENMAsGA1UEChMEVlBTTTENMAsGA1UECxMEVlBTTTEQ +MA4GA1UEAxMHY2EudnBzbTENMAsGA1UEKRMEVlBTTTEcMBoGCSqGSIb3DQEJARYN +Y2VydEB2cHNtLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsE +LAO81hT71dVDLUv2xYqDK2gKUZccz2mavgqc23KTpBkr8Fs2zuMVKRN1EKFcnANF +OTggHyGgyeIdOXlJ0SZZQF4WFYHKBVtJp51/4tgcSU+pVUxb7gv10cOwCx4KE52z +FOMBmaGLolhUhZXFAwyotAbMn3JbGi7FYOemLDwTPVw04QdKtEPumod4NiYbCQ2L +n7co4f7JbZgtScWAz/K0pDn+YsVbQ1IXMPKs0KoF7keJMJnFzaeaRR/2w0ivMxsf +/w1rjwaRqSsLumniJsvIFQD7/ZYf6JSwmcDjKHzHpdSpqOG0TNB/uXdiQZ+PPlBR +aqeLJbhso8NH0J0L/5ECAwEAAaOB8DCB7TAdBgNVHQ4EFgQUZwZDJkqm1EjhMtS3 +1wpmnCJCakowgb0GA1UdIwSBtTCBsoAUZwZDJkqm1EjhMtS31wpmnCJCakqhgY6k +gYswgYgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJUWDEPMA0GA1UEBxMGQXVzdGlu +MQ0wCwYDVQQKEwRWUFNNMQ0wCwYDVQQLEwRWUFNNMRAwDgYDVQQDEwdjYS52cHNt +MQ0wCwYDVQQpEwRWUFNNMRwwGgYJKoZIhvcNAQkBFg1jZXJ0QHZwc20ubmV0ggkA +2CkN/XhyXC0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAQ9dvM1j +IqLBiPttCx64GqwmY4fw+N6ALcN9oD9PRCjtQ3631Hp2HdbugwyXZWasmOC+sdBn +LhJdic/kexoR1gKC7FYykVjf/PQRjh7l8TyH9L6ddNMSOIsBLv0Q2mvLtKIUTLZQ +aOftpMuyOdbRDgUTmrxi/S94xHWaEWU23lWDgEJsudSGwGtgf6KAD7GJj2p3FjA1 +nfZBF7L/jsl0+Shxcrc6nifgqBiUvGr3Nba8AnllaXuFs371md/+xuatw7kT0IgU +ZEbHleZf5GsDQFy0XycjLoVWMSvZC8bC4HnGz40hpTDGihITai1tefk9cMjR4T40 +octVHCIzJbL7cA== +-----END CERTIFICATE----- diff --git a/devtemp/certs/keys/ca.key b/devtemp/certs/keys/ca.key new file mode 100644 index 0000000..a0d3fd6 --- /dev/null +++ b/devtemp/certs/keys/ca.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAqwQsA7zWFPvV1UMtS/bFioMraApRlxzPaZq+CpzbcpOkGSvw +WzbO4xUpE3UQoVycA0U5OCAfIaDJ4h05eUnRJllAXhYVgcoFW0mnnX/i2BxJT6lV +TFvuC/XRw7ALHgoTnbMU4wGZoYuiWFSFlcUDDKi0BsyfclsaLsVg56YsPBM9XDTh +B0q0Q+6ah3g2JhsJDYuftyjh/sltmC1JxYDP8rSkOf5ixVtDUhcw8qzQqgXuR4kw +mcXNp5pFH/bDSK8zGx//DWuPBpGpKwu6aeImy8gVAPv9lh/olLCZwOMofMel1Kmo +4bRM0H+5d2JBn48+UFFqp4sluGyjw0fQnQv/kQIDAQABAoIBAQCdKaRZev0zI40M +BERof0xjUtBdOL5qpStn3bGwhx6VWWGBUIP/D4tp3VR2cSrrX/RwfPlsvvhdKyrd +BgZ/lHsFRxiEXr89G694iWPktlZ+TOCCuReOqR1HGI3BzNMqtA/66UzUoe/SKkTz +8Bkj3n5C7/ciGIKf0WFqgjHgMTKNsY/mCEd+YatO7sX74101JHzhGNdNiANjvbIV +jliH7QXYBBQKPvHVjKWazqxBBYBGCqN9T893plXm13SBlKVhlDjR0OAnA6zXE/A9 +XRMBnIyHRmoBCMLuJcv/MOo6yu5u/Y5q/nNgFCuXi212jbp3h5ueNs04HigOIfKw +2YyjNrABAoGBANkk+147vIPsiZuJDPpGbTcZiAnRPhnLFKaK9XbgBzcQN7f46Ezd +Pkxr+fUefWPpvx/05vpghUC8Zj6VuQcjqO9J0CgfYqEjkaWujb2hzDE//VWCqluD +rpcwRZ0+SbUXXdkBFc7K8LRTS8lXt6sQAaVMVkwwP33DA3yqOPxITjHBAoGBAMme +IynqAEyqDLetBjhRcxYf7EqAOw/VK4vR0/qWJ14jYG1bpdZvl42KGQ4g7NJ+S9UB +OxLyWIz/r1gg5Dk4JR0LVSt7RY8oE3vfUcwpSdchUAWPrugS+86+hmM84tORkVLr +XBeTGh7biNMx3Kv+uIO4onBNLyA632YHEZgsq6HRAoGBAI93Y60rAq6XBYQB1NU2 +2sng0ITL/p/EEWzHus5DzgCPcoDWr4S5WIPdg1R0RJxSv7g5crJSOzg+Qb9v5MPW +x7LxrdoUgnG8smopHfUAhYy0noh0wGGeayfw+M2fbct8GMFbejEa3FYIAraQggU/ +mhbAjPPhnNFWm2MuhGAK1b8BAoGBALCsn5m6ETsdBHnr5/hv/06S+MesKJVOMpOa +cowzChpnG7eYyPDo5sBEFIKZ/YzS2Xa1VmPa9BfScn/iirtNZNBXvvGUWzcAYlp5 +Lj+eqrMW4P2OlDGPeRMJR9AsaYQGGne0AQYzhH8n13ViS0J4uo3KvKV2LWar0Fmi +thtIgboRAoGAFZbn+KVu9cbLZNaVnq84bhn00vwoQaEJ1+Y+MFWEFWUaXQ+BYmCv +sm+PP8NzBRIUDYLujpmRgWOp+dobftWf50auUZwZjUl/w+gg0U0EMpPpieyPvqIl +qG0doFzujNOJUbQa/td7o6PaOXv/c4R2iyZcvFzDU6kf56uMRZJuzN4= +-----END RSA PRIVATE KEY----- diff --git a/devtemp/certs/keys/index.txt b/devtemp/certs/keys/index.txt new file mode 100644 index 0000000..a11cd82 --- /dev/null +++ b/devtemp/certs/keys/index.txt 
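Review bot: The CA private key `ca.key` is committed in plaintext (an unencrypted `-----BEGIN RSA PRIVATE KEY-----` block) next to `ca.crt`, `index.txt` and `serial`, which together are the live signing state of this CA, and `master.key` is added the same way further down. Once this commit is shared, anyone with read access to the repository holds the CA's signing key, so it should be treated as compromised: purge `devtemp/certs/keys/` from history, regenerate the CA and re-issue `master.crt`, and prevent a recurrence with a `.gitignore` entry such as `keys/` (the bundled configs already locate the key material via `$ENV::KEY_DIR`, so nothing needs to live in the tree). `node1.key` is also committed as an empty file (blob `e69de29`), which looks like an aborted key generation rather than intended content.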
@@ -0,0 +1 @@ +V 230620161116Z 01 unknown /C=US/ST=TX/L=Austin/O=VPSM/OU=VPSM/CN=master.vpsm/name=VPSM/emailAddress=cert@vpsm.net diff --git a/devtemp/certs/keys/index.txt.attr b/devtemp/certs/keys/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/devtemp/certs/keys/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/devtemp/certs/keys/index.txt.old b/devtemp/certs/keys/index.txt.old new file mode 100644 index 0000000..e69de29 diff --git a/devtemp/certs/keys/master.crt b/devtemp/certs/keys/master.crt new file mode 100644 index 0000000..aafc688 --- /dev/null +++ b/devtemp/certs/keys/master.crt 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=TX, L=Austin, O=VPSM, OU=VPSM, CN=ca.vpsm/name=VPSM/emailAddress=cert@vpsm.net + Validity + Not Before: Jun 22 16:11:16 2013 GMT + Not After : Jun 20 16:11:16 2023 GMT + Subject: C=US, ST=TX, L=Austin, O=VPSM, OU=VPSM, CN=master.vpsm/name=VPSM/emailAddress=cert@vpsm.net + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:cb:07:17:41:97:e1:c5:62:46:59:40:98:fc:fe: + 96:00:51:07:3d:d1:83:06:a0:61:c3:57:c2:19:9a: + 04:62:97:52:b2:7e:45:83:b2:f6:5f:b5:12:a5:b5: + ef:b8:ab:58:97:76:99:8d:51:54:21:83:1e:80:d5: + a6:73:91:c8:32:08:7c:b9:ab:50:89:44:ae:a0:59: + 92:90:04:24:5f:bd:74:41:61:bb:8f:e7:60:77:ac: + 1b:13:15:09:ab:73:ed:51:0d:e9:e6:f4:c9:ff:81: + 7a:25:f2:ef:38:16:1a:59:28:1f:1a:ba:9f:6e:69: + c4:c5:83:01:03:83:49:13:fb:7d:bc:23:8d:e5:dc: + 9e:79:4a:36:4c:e6:95:f2:5a:d9:90:3d:0b:63:94: + 30:c8:6c:5d:62:1c:17:dd:ab:3b:bb:5d:9a:ad:d1: + c7:d0:c7:20:aa:27:39:ff:6c:09:2c:b4:48:5d:19: + c3:e0:03:ef:6d:13:2e:26:39:0c:71:83:44:3f:65: + ec:6d:51:e8:41:ab:b8:bf:82:03:9e:38:0f:dd:fd: + ff:d1:d7:31:05:b1:3d:7d:9b:0a:7d:e0:19:77:10: + 09:f7:cd:0a:0a:3d:e5:7d:5e:25:34:41:d0:e4:c1: + 31:c9:ab:f0:87:0e:3a:39:6f:58:38:ff:09:11:6a: + 51:b5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 5A:52:B0:47:7A:9A:89:8E:78:99:EC:C1:4D:68:FD:D7:74:A2:68:38 + X509v3 Authority Key Identifier: + keyid:67:06:43:26:4A:A6:D4:48:E1:32:D4:B7:D7:0A:66:9C:22:42:6A:4A + DirName:/C=US/ST=TX/L=Austin/O=VPSM/OU=VPSM/CN=ca.vpsm/name=VPSM/emailAddress=cert@vpsm.net + serial:D8:29:0D:FD:78:72:5C:2D + + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Key Usage: + Digital Signature + Signature Algorithm: sha256WithRSAEncryption + 
a5:b0:29:89:26:a3:22:54:d8:38:53:dc:82:22:33:44:ed:96: + 92:95:8e:33:d9:bb:6d:1a:f3:72:82:c9:3a:1b:22:32:22:98: + 92:a0:57:48:1e:c8:63:41:71:39:94:a9:89:6e:36:36:7b:e4: + 92:95:2e:bb:4e:4e:2a:64:ae:ca:7a:7a:3c:1d:bc:95:2b:2a: + 22:bb:13:15:a3:b4:8f:47:b3:37:02:fe:8a:e4:ce:f8:67:fa: + b9:43:f1:f9:53:8d:c2:56:46:6b:6d:bd:6a:de:56:ed:94:01: + ef:df:67:a6:84:88:85:76:d0:41:95:3d:5e:55:73:6a:18:65: + 35:82:15:72:f8:80:55:07:9e:00:dd:6e:11:09:da:ce:cb:d4: + e2:f2:bc:61:88:5b:cc:9e:3d:e3:fb:8f:64:a2:2d:40:53:8b: + c7:4d:ab:2f:05:5e:80:3a:eb:40:a8:b3:cf:cc:50:e8:aa:21: + 1c:ba:92:c3:c6:db:b8:49:ad:7d:d5:7d:59:4d:66:3a:f7:c9: + e7:1f:f7:ae:40:b2:c1:47:be:05:94:ee:97:09:e6:27:aa:21: + 4e:bc:ec:d8:cf:17:b7:e0:41:ce:d0:97:6e:31:a7:fe:79:f8: + be:d9:2f:3f:f9:34:3b:53:8e:71:c6:a6:b0:11:d4:ee:5b:3d: + 02:ab:c4:5a +-----BEGIN CERTIFICATE----- +MIIE0jCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTAL +BgNVBAsTBFZQU00xEDAOBgNVBAMTB2NhLnZwc20xDTALBgNVBCkTBFZQU00xHDAa +BgkqhkiG9w0BCQEWDWNlcnRAdnBzbS5uZXQwHhcNMTMwNjIyMTYxMTE2WhcNMjMw +NjIwMTYxMTE2WjCBjDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH +EwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTALBgNVBAsTBFZQU00xFDASBgNVBAMT +C21hc3Rlci52cHNtMQ0wCwYDVQQpEwRWUFNNMRwwGgYJKoZIhvcNAQkBFg1jZXJ0 +QHZwc20ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywcXQZfh +xWJGWUCY/P6WAFEHPdGDBqBhw1fCGZoEYpdSsn5Fg7L2X7USpbXvuKtYl3aZjVFU +IYMegNWmc5HIMgh8uatQiUSuoFmSkAQkX710QWG7j+dgd6wbExUJq3PtUQ3p5vTJ +/4F6JfLvOBYaWSgfGrqfbmnExYMBA4NJE/t9vCON5dyeeUo2TOaV8lrZkD0LY5Qw +yGxdYhwX3as7u12ardHH0Mcgqic5/2wJLLRIXRnD4APvbRMuJjkMcYNEP2XsbVHo +Qau4v4IDnjgP3f3/0dcxBbE9fZsKfeAZdxAJ980KCj3lfV4lNEHQ5MExyavwhw46 +OW9YOP8JEWpRtQIDAQABo4IBPzCCATswCQYDVR0TBAIwADAtBglghkgBhvhCAQ0E +IBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRaUrBH +epqJjniZ7MFNaP3XdKJoODCBvQYDVR0jBIG1MIGygBRnBkMmSqbUSOEy1LfXCmac +IkJqSqGBjqSBizCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH 
+EwZBdXN0aW4xDTALBgNVBAoTBFZQU00xDTALBgNVBAsTBFZQU00xEDAOBgNVBAMT +B2NhLnZwc20xDTALBgNVBCkTBFZQU00xHDAaBgkqhkiG9w0BCQEWDWNlcnRAdnBz +bS5uZXSCCQDYKQ39eHJcLTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMC +B4AwDQYJKoZIhvcNAQELBQADggEBAKWwKYkmoyJU2DhT3IIiM0TtlpKVjjPZu20a +83KCyTobIjIimJKgV0geyGNBcTmUqYluNjZ75JKVLrtOTipkrsp6ejwdvJUrKiK7 +ExWjtI9HszcC/orkzvhn+rlD8flTjcJWRmttvWreVu2UAe/fZ6aEiIV20EGVPV5V +c2oYZTWCFXL4gFUHngDdbhEJ2s7L1OLyvGGIW8yePeP7j2SiLUBTi8dNqy8FXoA6 +60Cos8/MUOiqIRy6ksPG27hJrX3VfVlNZjr3yecf965AssFHvgWU7pcJ5ieqIU68 +7NjPF7fgQc7Ql24xp/55+L7ZLz/5NDtTjnHGprAR1O5bPQKrxFo= +-----END CERTIFICATE----- diff --git a/devtemp/certs/keys/master.csr b/devtemp/certs/keys/master.csr new file mode 100644 index 0000000..d0dedf4 --- /dev/null +++ b/devtemp/certs/keys/master.csr @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC0jCCAboCAQAwgYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJUWDEPMA0GA1UE +BxMGQXVzdGluMQ0wCwYDVQQKEwRWUFNNMQ0wCwYDVQQLEwRWUFNNMRQwEgYDVQQD +EwttYXN0ZXIudnBzbTENMAsGA1UEKRMEVlBTTTEcMBoGCSqGSIb3DQEJARYNY2Vy +dEB2cHNtLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMsHF0GX +4cViRllAmPz+lgBRBz3RgwagYcNXwhmaBGKXUrJ+RYOy9l+1EqW177irWJd2mY1R +VCGDHoDVpnORyDIIfLmrUIlErqBZkpAEJF+9dEFhu4/nYHesGxMVCatz7VEN6eb0 +yf+BeiXy7zgWGlkoHxq6n25pxMWDAQODSRP7fbwjjeXcnnlKNkzmlfJa2ZA9C2OU +MMhsXWIcF92rO7tdmq3Rx9DHIKonOf9sCSy0SF0Zw+AD720TLiY5DHGDRD9l7G1R +6EGruL+CA544D939/9HXMQWxPX2bCn3gGXcQCffNCgo95X1eJTRB0OTBMcmr8IcO +OjlvWDj/CRFqUbUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQApVBVX6qaop8eq +BfRkLfXndhyZafA2oKY7A2vQ93puChnmf/Krnn47u39pj+j0MkErEUrniyW6C1B0 +jW8Sao3dKcwLTVwQmHQa4u4BCaVfgtUOy/FWdeG+vC0Uj+zKBzT4jY2DWljdm3zI +MZ8gSnxFRyO5PjDqHzbz1uR9Ij9hOK0F9RjWgI0WWqQeB3vAgSacX9tuoKv4A2kJ +g7X2JPTH9xKyR5URN9sXOsYC7aTeeUXf2fUz2DBPApF92gayf7y1b+cWFKYFkfmI +n23yjvGyF7EwWmo/SwJJ3yhTsP35sPKjnHpIiK2GAQX9tb2z/I3iAdDxSkvowsOk +2x/Qxo6F +-----END CERTIFICATE REQUEST----- diff --git a/devtemp/certs/keys/master.key b/devtemp/certs/keys/master.key new file mode 100644 index 0000000..fa7b666 --- /dev/null 
+++ b/devtemp/certs/keys/master.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAywcXQZfhxWJGWUCY/P6WAFEHPdGDBqBhw1fCGZoEYpdSsn5F +g7L2X7USpbXvuKtYl3aZjVFUIYMegNWmc5HIMgh8uatQiUSuoFmSkAQkX710QWG7 +j+dgd6wbExUJq3PtUQ3p5vTJ/4F6JfLvOBYaWSgfGrqfbmnExYMBA4NJE/t9vCON +5dyeeUo2TOaV8lrZkD0LY5QwyGxdYhwX3as7u12ardHH0Mcgqic5/2wJLLRIXRnD +4APvbRMuJjkMcYNEP2XsbVHoQau4v4IDnjgP3f3/0dcxBbE9fZsKfeAZdxAJ980K +Cj3lfV4lNEHQ5MExyavwhw46OW9YOP8JEWpRtQIDAQABAoIBABOk0v44uNKFSLM4 +CdVouJC9RksX62qHuA3TfudFPKlhZNH6X7V3alkmRvCbot8mTQMSqZa/yLkZW6kx +gtJpx4n3wkGgrsEpURAYupKOpApTZV0yHJi21WGe2FvHTFE3fT27b+c1xhmfqHbl +g3nUwaXguOm4JtbjCvPlUgLKABcbsRMO4PH7RBhIMLm/Wfm/tmv6Z0+8FlyUgEpi +rh7h+afVARix/RvC0lO46zz2o+Pf0Eskf8TLboHQaM8pVIWXUHE63GSjzAU5TjSK +FCKLGHsKD/0w4FZtpZKWt1ESmG1gD2GC074eycesGkmXsdL303KepMWHJhMsiIZK +BVlSP30CgYEA6qh48ci7kCyCIG/NN3ODn/kybd31ZsrTZplJ8XaRWWJa9/Jkjrx+ +vW3Aa5+COMxzqAXSBI2wln6rGZmPa+MBcACxePxg7meReEbV47iMrf5nXvFmc8qG +vLQdejbufQwYaaSvTuB72HpI1EKDFZ7+Sq0bGcrG39ztbbPTMVN63iMCgYEA3X4r +jvVF8/SEOC66gXQnmV2EphNFKK1DLaei2o+hg1HBzQORfDAaHhjIjH30hLz1fKdY +v2P1yvkHHxqbBnWQUkPR5cFGNyLXDiIvBjxW142Hut29qs8hdaza3hU1dNqyo9q3 +x/aVxD4nCowrWzNI9kYGOa5F1bnIdV4HUg5K0kcCgYBIE4tiqMeD10f48p5UI/UQ +FBj7SivwcOhSIU9nDYZDsERE2H0uopNDWAy8gfgbviDgQTlrEKJm921Spao59zYf +0vawNMUJNWKnUQqtsaf0YaoarYdMla6hE6niOjEy055EBMOcNLOVoKnyGKPu5jEx +es5SM8i2RkPfaFa8VenthQKBgQClhNbqQzKeZxizn3/yo6m/+1nYfcgN6MSuBns1 +12X8a4lnOoZrBstNuHmOO8YRt9+/4pL4m6ufnc+Ll+dHwW0zfMkLaA6fv2J0hmkb +wNWoyXQn2fMWBSnc9Wqt0a2cAJ7Ewfra7NPozgWA5VS1F7MrjxKx4iD/4ZEC3Fye +Hl4dmwKBgQDDgEGMuNk/QYWBgQKHrBon9+AtNUE5v84AyMo0Xg+F5OFCGjGEbgWu +ogitwMXo4F3PemkpCX4Kx98bG3vMROIqV3ZQrnuZJLNStA9b6n8xu3wJnyRu8PpG +WaFFyIr3ctLzqxDOOvvN60+QwklLA/Sg8hr6zqCpIKVRayASjBq1Kg== +-----END RSA PRIVATE KEY----- diff --git a/devtemp/certs/keys/node1.key b/devtemp/certs/keys/node1.key new file mode 100644 index 0000000..e69de29 diff --git a/devtemp/certs/keys/serial b/devtemp/certs/keys/serial new file mode 100644 index 0000000..9e22bcb 
--- /dev/null
+++ b/devtemp/certs/keys/serial
@@ -0,0 +1 @@
+02
diff --git a/devtemp/certs/keys/serial.old b/devtemp/certs/keys/serial.old
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/devtemp/certs/keys/serial.old
@@ -0,0 +1 @@
+01
diff --git a/devtemp/certs/list-crl b/devtemp/certs/list-crl
new file mode 100755
index 0000000..d1d8a69
--- /dev/null
+++ b/devtemp/certs/list-crl
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# list revoked certificates
+
+CRL="${1:-crl.pem}"
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR" && \
+ $OPENSSL crl -text -noout -in "$CRL"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/devtemp/certs/openssl-0.9.6.cnf b/devtemp/certs/openssl-0.9.6.cnf
new file mode 100644
index 0000000..7b86c9f
--- /dev/null
+++ b/devtemp/certs/openssl-0.9.6.cnf
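Review bot: The `else` branch of `list-crl` prints the "source the vars script" message to stdout and lets the script exit 0, so a caller checking the exit status sees success with no CRL output; route both `echo` lines to stderr with `>&2` and follow them with `exit 1`. The success path also expands `$OPENSSL` unquoted and unguarded, so if `vars` was sourced but left `OPENSSL` empty the command degrades to a bare `crl -text ...`; a guard such as `: "${OPENSSL:?not set; source ./vars}"` before the `if` would surface that. Because of `cd "$KEY_DIR"`, a relative path passed as `$1` is resolved inside the key directory, which matches the `crl.pem` default but deserves a one-line comment above `CRL=`.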
@@ -0,0 +1,266 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # which md to use. 
+preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/devtemp/certs/openssl-0.9.8.cnf b/devtemp/certs/openssl-0.9.8.cnf new file mode 100644 index 0000000..6365e8e --- /dev/null +++ b/devtemp/certs/openssl-0.9.8.cnf 
@@ -0,0 +1,291 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +openssl_conf = openssl_init + +[ openssl_init ] +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids +engines = engine_section + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +name = Name +name_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN +name_default = $ENV::KEY_NAME + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ engine_section ] +# +# If you are using PKCS#11 +# Install engine_pkcs11 of opensc (www.opensc.org) +# And uncomment the following +# verify that dynamic_path points to the correct location +# +#pkcs11 = pkcs11_section + +[ pkcs11_section ] +engine_id = pkcs11 +dynamic_path = /usr/lib/engines/engine_pkcs11.so +MODULE_PATH = $ENV::PKCS11_MODULE_PATH +PIN = $ENV::PKCS11_PIN +init = 0 diff --git a/devtemp/certs/openssl-1.0.0.cnf b/devtemp/certs/openssl-1.0.0.cnf new file mode 100644 index 0000000..93ac6ea --- /dev/null +++ b/devtemp/certs/openssl-1.0.0.cnf 
@@ -0,0 +1,286 @@ +# For use with easy-rsa version 2.0 and OpenSSL 1.0.0* + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +openssl_conf = openssl_init + +[ openssl_init ] +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids +engines = engine_section + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation after 2004). +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +name = Name +name_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN +name_default = $ENV::KEY_NAME + + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ engine_section ] +# +# If you are using PKCS#11 +# Install engine_pkcs11 of opensc (www.opensc.org) +# And uncomment the following +# verify that dynamic_path points to the correct location +# +#pkcs11 = pkcs11_section + +[ pkcs11_section ] +engine_id = pkcs11 +dynamic_path = /usr/lib/engines/engine_pkcs11.so +MODULE_PATH = $ENV::PKCS11_MODULE_PATH +PIN = $ENV::PKCS11_PIN +init = 0 diff --git a/devtemp/certs/pkitool b/devtemp/certs/pkitool new file mode 100755 index 0000000..b9a9e44 --- /dev/null +++ b/devtemp/certs/pkitool 
@@ -0,0 +1,379 @@ +#!/bin/sh + +# OpenVPN -- An application to securely tunnel IP networks +# over a single TCP/UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program (see the file COPYING included with this +# distribution); if not, write to the Free Software Foundation, Inc., +# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# pkitool is a front-end for the openssl tool. + +# Calling scripts can set the certificate organizational +# unit with the KEY_OU environmental variable. + +# Calling scripts can also set the KEY_NAME environmental +# variable to set the "name" X509 subject field. + +PROGNAME=pkitool +VERSION=2.0 +DEBUG=0 + +die() +{ + local m="$1" + + echo "$m" >&2 + exit 1 +} + +need_vars() +{ + echo ' Please edit the vars script to reflect your configuration,' + echo ' then source it with "source ./vars".' + echo ' Next, to start with a fresh PKI configuration and to delete any' + echo ' previous certificates and keys, run "./clean-all".' + echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys." +} + +usage() +{ + echo "$PROGNAME $VERSION" + echo "Usage: $PROGNAME [options...] 
[common-name]" + echo "Options:" + echo " --batch : batch mode (default)" + echo " --keysize : Set keysize" + echo " size : size (default=1024)" + echo " --interact : interactive mode" + echo " --server : build server cert" + echo " --initca : build root CA" + echo " --inter : build intermediate CA" + echo " --pass : encrypt private key with password" + echo " --csr : only generate a CSR, do not sign" + echo " --sign : sign an existing CSR" + echo " --pkcs12 : generate a combined PKCS#12 file" + echo " --pkcs11 : generate certificate on PKCS#11 token" + echo " lib : PKCS#11 library" + echo " slot : PKCS#11 slot" + echo " id : PKCS#11 object id (hex string)" + echo " label : PKCS#11 object label" + echo "Standalone options:" + echo " --pkcs11-slots : list PKCS#11 slots" + echo " lib : PKCS#11 library" + echo " --pkcs11-objects : list PKCS#11 token objects" + echo " lib : PKCS#11 library" + echo " slot : PKCS#11 slot" + echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!" + echo " lib : PKCS#11 library" + echo " slot : PKCS#11 slot" + echo " label : PKCS#11 token label" + echo "Notes:" + need_vars + echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher." 
+ echo "Generated files and corresponding OpenVPN directives:" + echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)' + echo " ca.crt -> root certificate (--ca)" + echo " ca.key -> root key, keep secure (not directly used by OpenVPN)" + echo " .crt files -> client/server certificates (--cert)" + echo " .key files -> private keys, keep secure (--key)" + echo " .csr files -> certificate signing request (not directly used by OpenVPN)" + echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)" + echo "Examples:" + echo " $PROGNAME --initca -> Build root certificate" + echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key" + echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" + echo " $PROGNAME client1 -> Build \"client1\" certificate/key" + echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" + echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format" + echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" + echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" + echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" + echo " Also see ./inherit-inter script." + echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5" + echo " -> Build \"client5\" certificate/key in PKCS#11 token" + echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." + echo "Protect client2 key with a password. Build DH parms. 
Generated files in ./keys :" + echo " [edit vars with your site-specific info]" + echo " source ./vars" + echo " ./clean-all" + echo " ./build-dh -> takes a long time, consider backgrounding" + echo " ./$PROGNAME --initca" + echo " ./$PROGNAME --server myserver" + echo " ./$PROGNAME client1" + echo " ./$PROGNAME --pass client2" + echo "Typical usage for adding client cert to existing PKI:" + echo " source ./vars" + echo " ./$PROGNAME client-new" +} + +# Set tool defaults +[ -n "$OPENSSL" ] || export OPENSSL="openssl" +[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool" +[ -n "$GREP" ] || export GREP="grep" + +# Set defaults +DO_REQ="1" +REQ_EXT="" +DO_CA="1" +CA_EXT="" +DO_P12="0" +DO_P11="0" +DO_ROOT="0" +NODES_REQ="-nodes" +NODES_P12="" +BATCH="-batch" +CA="ca" +# must be set or errors of openssl.cnf +PKCS11_MODULE_PATH="dummy" +PKCS11_PIN="dummy" + +# Process options +while [ $# -gt 0 ]; do + case "$1" in + --keysize ) KEY_SIZE=$2 + shift;; + --server ) REQ_EXT="$REQ_EXT -extensions server" + CA_EXT="$CA_EXT -extensions server" ;; + --batch ) BATCH="-batch" ;; + --interact ) BATCH="" ;; + --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; + --initca ) DO_ROOT="1" ;; + --pass ) NODES_REQ="" ;; + --csr ) DO_CA="0" ;; + --sign ) DO_REQ="0" ;; + --pkcs12 ) DO_P12="1" ;; + --pkcs11 ) DO_P11="1" + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_ID="$4" + PKCS11_LABEL="$5" + shift 4;; + + # standalone + --pkcs11-init) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_LABEL="$4" + if [ -z "$PKCS11_LABEL" ]; then + die "Please specify library name, slot and label" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ + --label "$PKCS11_LABEL" && + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" + exit $?;; + --pkcs11-slots) + PKCS11_MODULE_PATH="$2" + if [ -z "$PKCS11_MODULE_PATH" ]; then + die "Please specify library name" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots + exit 0;; + 
--pkcs11-objects) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + if [ -z "$PKCS11_SLOT" ]; then + die "Please specify library name and slot" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" + exit 0;; + + --help|--usage) + usage + exit ;; + --version) + echo "$PROGNAME $VERSION" + exit ;; + # errors + --* ) die "$PROGNAME: unknown option: $1" ;; + * ) break ;; + esac + shift +done + +if ! [ -z "$BATCH" ]; then + if $OPENSSL version | grep 0.9.6 > /dev/null; then + die "Batch mode is unsupported in openssl<0.9.7" + fi +fi + +if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then + die "PKCS#11 and PKCS#12 cannot be specified together" +fi + +if [ $DO_P11 -eq 1 ]; then + if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then + die "Please edit $KEY_CONFIG and setup PKCS#11 engine" + fi +fi + +# If we are generating pkcs12, only encrypt the final step +if [ $DO_P12 -eq 1 ]; then + NODES_P12="$NODES_REQ" + NODES_REQ="-nodes" +fi + +if [ $DO_P11 -eq 1 ]; then + if [ -z "$PKCS11_LABEL" ]; then + die "PKCS#11 arguments incomplete" + fi +fi + +# If undefined, set default key expiration intervals +if [ -z "$KEY_EXPIRE" ]; then + KEY_EXPIRE=3650 +fi +if [ -z "$CA_EXPIRE" ]; then + CA_EXPIRE=3650 +fi + +# Set organizational unit to empty string if undefined +if [ -z "$KEY_OU" ]; then + KEY_OU="" +fi + +# Set X509 Name string to empty string if undefined +if [ -z "$KEY_NAME" ]; then + KEY_NAME="" +fi + +# Set KEY_CN, FN +if [ $DO_ROOT -eq 1 ]; then + if [ -z "$KEY_CN" ]; then + if [ "$1" ]; then + KEY_CN="$1" + elif [ "$KEY_ORG" ]; then + KEY_CN="$KEY_ORG CA" + fi + fi + if [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using CA Common Name:" "$KEY_CN" + fi + FN="$KEY_CN" +elif [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using Common Name:" "$KEY_CN" + FN="$KEY_CN" + if [ "$1" ]; then + FN="$1" + fi +else + if [ $# -ne 1 ]; then + usage + exit 1 + else + KEY_CN="$1" + fi + FN="$KEY_CN" +fi + +export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN 
PKCS11_MODULE_PATH PKCS11_PIN + +# Show parameters (debugging) +if [ $DEBUG -eq 1 ]; then + echo DO_REQ $DO_REQ + echo REQ_EXT $REQ_EXT + echo DO_CA $DO_CA + echo CA_EXT $CA_EXT + echo NODES_REQ $NODES_REQ + echo NODES_P12 $NODES_P12 + echo DO_P12 $DO_P12 + echo KEY_CN $KEY_CN + echo BATCH $BATCH + echo DO_ROOT $DO_ROOT + echo KEY_EXPIRE $KEY_EXPIRE + echo CA_EXPIRE $CA_EXPIRE + echo KEY_OU $KEY_OU + echo KEY_NAME $KEY_NAME + echo DO_P11 $DO_P11 + echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH + echo PKCS11_SLOT $PKCS11_SLOT + echo PKCS11_ID $PKCS11_ID + echo PKCS11_LABEL $PKCS11_LABEL +fi + +# Make sure ./vars was sourced beforehand +if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then + cd "$KEY_DIR" + + # Make sure $KEY_CONFIG points to the correct version + # of openssl.cnf + if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then + : + else + echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" + echo "version of openssl.cnf: $KEY_CONFIG" + echo "The correct version should have a comment that says: easy-rsa version 2.x"; + exit 1; + fi + + # Build root CA + if [ $DO_ROOT -eq 1 ]; then + $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + chmod 0600 "$CA.key" + else + # Make sure CA key/cert is available + if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then + if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then + echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" + echo "Try $PROGNAME --initca to build a root certificate/key." + exit 1 + fi + fi + + # Generate key for PKCS#11 token + PKCS11_ARGS= + if [ $DO_P11 -eq 1 ]; then + stty -echo + echo -n "User PIN: " + read -r PKCS11_PIN + stty echo + export PKCS11_PIN + + echo "Generating key pair on PKCS#11 token..." 
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ + --login --pin "$PKCS11_PIN" \ + --key-type rsa:1024 \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 + PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" + fi + + # Build cert/key + ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ + ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ + -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ + -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ + ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ + ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) + + # Load certificate into PKCS#11 token + if [ $DO_P11 -eq 1 ]; then + $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ + --login --pin "$PKCS11_PIN" \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" + [ -e "$FN.crt.der" ]; rm "$FN.crt.der" + fi + + fi + +# Need definitions +else + need_vars +fi diff --git a/devtemp/certs/revoke-full b/devtemp/certs/revoke-full new file mode 100755 index 0000000..4169c4c --- /dev/null +++ b/devtemp/certs/revoke-full 
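Review bot: The PKCS#11 key generation hard-codes `--key-type rsa:1024` while every other key in this script is sized by `$KEY_SIZE` (the bundled vars sets it to 2048), so token-resident keys silently end up weaker than file-based ones; change it to `--key-type rsa:$KEY_SIZE \`. In the same block, `stty -echo` is never restored if `read -r PKCS11_PIN` is interrupted, which leaves the terminal with echo off — a `trap 'stty echo' INT TERM EXIT` set before the read avoids that. The PIN is then passed as `--pin "$PKCS11_PIN"` on the pkcs11-tool command line and is visible in the process list for the duration of the call; since the script already exports `PKCS11_PIN` for the openssl engine, it is worth checking whether the tool can take it from the environment or stdin instead of argv. Finally, the usage text claims `size (default=1024)` for `--keysize`, but the script has no default at all — `$KEY_SIZE` comes from vars — so `rsa:$KEY_SIZE` degrades to `rsa:` when neither is set; a guard such as `[ -n "$KEY_SIZE" ] || die "KEY_SIZE not set (source ./vars or use --keysize)"` would make that a clean error and the usage line should be corrected to match.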
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL="crl.pem"
+RT="revoke-test.pem"
+
+if [ $# -ne 1 ]; then
+ echo "usage: revoke-full ";
+ exit 1
+fi
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR"
+ rm -f "$RT"
+
+ # set defaults
+ export KEY_CN=""
+ export KEY_OU=""
+ export KEY_NAME=""
+
+ # revoke key and generate a new CRL
+ $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+
+ # generate a new CRL -- try to be compatible with
+ # intermediate PKIs
+ $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+ if [ -e export-ca.crt ]; then
+ cat export-ca.crt "$CRL" >"$RT"
+ else
+ cat ca.crt "$CRL" >"$RT"
+ fi
+
+ # verify the revocation
+ $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/devtemp/certs/sign-req b/devtemp/certs/sign-req
new file mode 100755
index 0000000..6cae7b4
--- /dev/null
+++ b/devtemp/certs/sign-req
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*
diff --git a/devtemp/certs/vars b/devtemp/certs/vars
new file mode 100644
index 0000000..398fd6d
--- /dev/null
+++ b/devtemp/certs/vars
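Review bot: Neither `$OPENSSL ca -revoke` nor `$OPENSSL ca -gencrl` has its exit status checked, and `cd "$KEY_DIR"` is not checked either, so under a plain `#!/bin/sh` a failed revocation (wrong cert name, locked CA key, unreadable index) is followed by regenerating a CRL that does not contain the serial and a `verify -crl_check` that reports the certificate as still valid — easy to mistake for a successful run. Append `|| exit 1` to the `cd` and to both `ca` invocations so the script stops at the first failure. Note also that on a successful revocation the final `verify` exits non-zero because the certificate is now revoked, which is the intended outcome, so the script's own exit status cannot tell "revoked as expected" from "something failed" without those earlier checks.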
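Review bot: `$*` on the last line is unquoted, so a common name containing spaces or glob characters is re-split and expanded before it reaches pkitool; use `"$EASY_RSA/pkitool" --interact --sign "$@"` instead. `EASY_RSA` also defaults to `.` rather than the script's own directory, so invoking sign-req from anywhere else fails unless vars has already been sourced in that shell.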
@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid. This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="TX"
+export KEY_CITY="Austin"
+export KEY_ORG="VPSM"
+export KEY_EMAIL="cert@vpsm.net"
+export KEY_OU="VPSM"
+
+# X509 Subject Field
+export KEY_NAME="VPSM"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+#export KEY_CN="node.vpsm"
diff --git a/devtemp/certs/whichopensslcnf b/devtemp/certs/whichopensslcnf
new file mode 100755
index 0000000..ccdaf50
--- /dev/null
+++ b/devtemp/certs/whichopensslcnf
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+cnf="$1/openssl.cnf"
+
+if [ "$OPENSSL" ]; then
+ if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-0.9.6.cnf"
+ elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-0.9.8.cnf"
+ elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-1.0.0.cnf"
+ else
+ cnf="$1/openssl.cnf"
+ fi
+fi
+
+echo $cnf
+
+if [ ! -r $cnf ]; then
+ echo "**************************************************************" >&2
+ echo " No $cnf file could be found" >&2
+ echo " Further invocations will fail" >&2
+ echo "**************************************************************" >&2
+fi
+
+exit 0
diff --git a/devtemp/sslctx.php b/devtemp/sslctx.php
new file mode 100644
index 0000000..a2b2d0b
--- /dev/null
+++ b/devtemp/sslctx.php
@@ -0,0 +1,17 @@
+ array(
+ 'verify_peer' => true,
+ 'cafile' => '/opt/vpsm/ca/ca.crt',
+ 'local_cert' => '/opt/vpsm/local.pem',
+# 'CN_match' => $mastercn, # on node side
+)));
+
+
+if (($stream = stream_socket_client('ssl://node1.jfr.im', $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $sslctx) === FALSE) {
+ die("$errno: $errstr\n");
+}
+
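Review bot: The comment above `KEY_SIZE` still says "Increase this to 2048 if you are paranoid", but the value below it is already 2048, so the note now reads as if 2048 were an optional upgrade rather than the configured baseline; reword it to something like `# 2048-bit keys are the configured baseline; larger sizes slow TLS negotiation and the one-time DH parameter generation.` Two expansions in this file are unquoted: `KEY_CONFIG` is built with backticks around an unquoted `$EASY_RSA/whichopensslcnf $EASY_RSA`, and the rm -rf warning uses a bare `$KEY_DIR`, so a path containing spaces breaks both — `export KEY_CONFIG=$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")` and `echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"` fix that. `EASY_RSA` is also taken from `pwd` rather than the file's own location, so the WARNING about clean-all only holds if vars is sourced from inside the easy-rsa directory; worth stating in that comment.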
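Review bot: `$cnf` is unquoted both in `echo $cnf` and in `[ ! -r $cnf ]`, so an easy-rsa directory containing spaces makes the readability test fail with a syntax error and vars receives a word-split path for `KEY_CONFIG`; write `printf '%s\n' "$cnf"` and `[ ! -r "$cnf" ]`. The version sniffing recognises only 0.9.6, 0.9.8 and 1.0.x and otherwise falls back to the generic `openssl.cnf`, which is acceptable as long as that file tracks the current OpenSSL defaults, but the script still exits 0 after printing "No $cnf file could be found", so a caller has no way to detect the problem; exiting non-zero in that branch would let vars check for it.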
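Review bot: `stream_socket_client(...) === FALSE` binds before the assignment, so `$stream` receives the boolean comparison rather than the socket and the connection is never usable (as rendered the parentheses also do not balance, though the page may have dropped text); the check should read `if (($stream = stream_socket_client('ssl://node1.jfr.im', $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $sslctx)) === FALSE) {`. More important for the trust model, `verify_peer` only checks that the remote certificate chains to `/opt/vpsm/ca/ca.crt`; with `CN_match` commented out as "on node side", any certificate issued by that CA — including a client's — is accepted as `node1.jfr.im`, so the master side needs its own `'CN_match' => 'node1.jfr.im'` (or the equivalent hostname check) before this is safe against a compromised or malicious peer holding any CA-issued cert. The start of this hunk appears to have been swallowed by the page renderer (the text before `array(` is missing), so the context-option wrapper and the `$mastercn` definition could not be reviewed.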