Diffstat (limited to 'app/openvpn/sample/sample-keys/gen-sample-keys.sh')
-rwxr-xr-xapp/openvpn/sample/sample-keys/gen-sample-keys.sh75
1 files changed, 75 insertions, 0 deletions
diff --git a/app/openvpn/sample/sample-keys/gen-sample-keys.sh b/app/openvpn/sample/sample-keys/gen-sample-keys.sh
new file mode 100755
index 00000000..414687eb
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/gen-sample-keys.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+#
+# Run this script to set up a test CA, and test key-certificate pair for a
+# server, and various clients.
+#
+# Copyright (C) 2014 Steffan Karger <steffan@karger.me>
+set -eu
+
+command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; }
+
+if [ ! -f openssl.cnf ]
+then
+ echo "Please run this script from the sample directory"
+ exit 1
+fi
+
+# Create required directories and files
+mkdir -p sample-ca
+rm -f sample-ca/index.txt
+touch sample-ca/index.txt
+echo "01" > sample-ca/serial
+
+# Generate CA key and cert
+openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
+ -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
+ -subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain" \
+ -config openssl.cnf
+
+# Create server key and cert
+openssl req -new -nodes -config openssl.cnf -extensions server \
+ -keyout sample-ca/server.key -out sample-ca/server.csr \
+ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf -extensions server \
+ -out sample-ca/server.crt -in sample-ca/server.csr
+
+# Create client key and cert
+openssl req -new -nodes -config openssl.cnf \
+ -keyout sample-ca/client.key -out sample-ca/client.csr \
+ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf \
+ -out sample-ca/client.crt -in sample-ca/client.csr
+
+# Create password protected key file
+openssl rsa -aes256 -passout pass:password \
+ -in sample-ca/client.key -out sample-ca/client-pass.key
+
+# Create pkcs#12 client bundle
+openssl pkcs12 -export -nodes -password pass:password \
+ -out sample-ca/client.p12 -inkey sample-ca/client.key \
+ -in sample-ca/client.crt -certfile sample-ca/ca.crt
+
+
+# Create EC server and client cert (signed by 'regular' RSA CA)
+openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1
+
+openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
+ -extensions server \
+ -keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \
+ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf -extensions server \
+ -out sample-ca/server-ec.crt -in sample-ca/server-ec.csr
+
+openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
+ -keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \
+ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf \
+ -out sample-ca/client-ec.crt -in sample-ca/client-ec.csr
+
+# Generate DH parameters
+openssl dhparam -out dh2048.pem 2048
+
+# Copy keys and certs to working directory
+cp sample-ca/*.key .
+cp sample-ca/*.crt .
+cp sample-ca/*.p12 .
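Review bot: The EC certificates are generated on secp256k1 (`openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1`), a curve that TLS 1.3 does not include among its ECDSA signature schemes and that several TLS stacks refuse in certificates, so the server-ec/client-ec pair may fail to exercise the EC code path against a modern peer. Unless secp256k1 was picked on purpose to test an unusual curve, I would generate the parameters with `openssl ecparam -out sample-ca/prime256v1.pem -name prime256v1` and point both `-newkey ec:` lines at that file, with a short comment explaining the choice either way. Separately, the script leaves unencrypted private keys (`-nodes`, then `cp sample-ca/*.key .`) and a bundle protected by the literal `pass:password` in the sample directory, which is acceptable for fixtures but should be stated up front; a header line such as `# WARNING: the generated keys are public test material -- never deploy them.` would do. Whether the client certificates receive any keyUsage/extendedKeyUsage depends on the default section of openssl.cnf, which is outside this diff, so that cannot be confirmed here.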