diff options
Diffstat (limited to 'app/openvpn/sample/sample-keys/gen-sample-keys.sh')
-rwxr-xr-x | app/openvpn/sample/sample-keys/gen-sample-keys.sh | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/app/openvpn/sample/sample-keys/gen-sample-keys.sh b/app/openvpn/sample/sample-keys/gen-sample-keys.sh new file mode 100755 index 00000000..414687eb --- /dev/null +++ b/app/openvpn/sample/sample-keys/gen-sample-keys.sh @@ -0,0 +1,75 @@ +#!/bin/sh +# +# Run this script to set up a test CA, and test key-certificate pair for a +# server, and various clients. +# +# Copyright (C) 2014 Steffan Karger <steffan@karger.me> +set -eu + +command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; } + +if [ ! -f openssl.cnf ] +then + echo "Please run this script from the sample directory" + exit 1 +fi + +# Create required directories and files +mkdir -p sample-ca +rm -f sample-ca/index.txt +touch sample-ca/index.txt +echo "01" > sample-ca/serial + +# Generate CA key and cert +openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \ + -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \ + -subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain" \ + -config openssl.cnf + +# Create server key and cert +openssl req -new -nodes -config openssl.cnf -extensions server \ + -keyout sample-ca/server.key -out sample-ca/server.csr \ + -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain" +openssl ca -batch -config openssl.cnf -extensions server \ + -out sample-ca/server.crt -in sample-ca/server.csr + +# Create client key and cert +openssl req -new -nodes -config openssl.cnf \ + -keyout sample-ca/client.key -out sample-ca/client.csr \ + -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain" +openssl ca -batch -config openssl.cnf \ + -out sample-ca/client.crt -in sample-ca/client.csr + +# Create password protected key file +openssl rsa -aes256 -passout pass:password \ + -in sample-ca/client.key -out sample-ca/client-pass.key + +# Create pkcs#12 client bundle +openssl pkcs12 -export -nodes -password pass:password \ + -out sample-ca/client.p12 -inkey sample-ca/client.key \ + -in sample-ca/client.crt -certfile sample-ca/ca.crt + + +# Create EC server and client cert (signed by 'regular' RSA CA) +openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1 + +openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \ + -extensions server \ + -keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \ + -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me@myhost.mydomain" +openssl ca -batch -config openssl.cnf -extensions server \ + -out sample-ca/server-ec.crt -in sample-ca/server-ec.csr + +openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \ + -keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \ + -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me@myhost.mydomain" +openssl ca -batch -config openssl.cnf \ + -out sample-ca/client-ec.crt -in sample-ca/client-ec.csr + +# Generate DH parameters +openssl dhparam -out dh2048.pem 2048 + +# Copy keys and certs to working directory +cp sample-ca/*.key . +cp sample-ca/*.crt . +cp sample-ca/*.p12 . |