summaryrefslogtreecommitdiff
path: root/main/openvpn/sample/sample-keys/gen-sample-keys.sh
diff options
context:
space:
mode:
authorArne Schwabe <arne@rfc2549.org>2014-11-25 23:19:29 +0100
committerArne Schwabe <arne@rfc2549.org>2014-11-25 23:19:29 +0100
commitd02a647cda48441ab0f6f1c5d00d5b3fdb74b691 (patch)
tree6ab7e280385da7b9d7bb8fc720282ceeb15f8d23 /main/openvpn/sample/sample-keys/gen-sample-keys.sh
parentbd7c4e1bfec496255522b38c490d795badcf954f (diff)
Update OpenVPN to -master
--HG-- extra : rebase_source : cc844ae1a812fce0244f7e381fcee8c2db7e8bc2
Diffstat (limited to 'main/openvpn/sample/sample-keys/gen-sample-keys.sh')
-rwxr-xr-xmain/openvpn/sample/sample-keys/gen-sample-keys.sh75
1 files changed, 75 insertions, 0 deletions
diff --git a/main/openvpn/sample/sample-keys/gen-sample-keys.sh b/main/openvpn/sample/sample-keys/gen-sample-keys.sh
new file mode 100755
index 00000000..414687eb
--- /dev/null
+++ b/main/openvpn/sample/sample-keys/gen-sample-keys.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+#
+# Run this script to set up a test CA, and test key-certificate pair for a
+# server, and various clients.
+#
+# Copyright (C) 2014 Steffan Karger <steffan@karger.me>
+set -eu
+
+command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; }
+
+if [ ! -f openssl.cnf ]
+then
+ echo "Please run this script from the sample directory"
+ exit 1
+fi
+
+# Create required directories and files
+mkdir -p sample-ca
+rm -f sample-ca/index.txt
+touch sample-ca/index.txt
+echo "01" > sample-ca/serial
+
+# Generate CA key and cert
+openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
+ -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
+ -subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain" \
+ -config openssl.cnf
+
+# Create server key and cert
+openssl req -new -nodes -config openssl.cnf -extensions server \
+ -keyout sample-ca/server.key -out sample-ca/server.csr \
+ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf -extensions server \
+ -out sample-ca/server.crt -in sample-ca/server.csr
+
+# Create client key and cert
+openssl req -new -nodes -config openssl.cnf \
+ -keyout sample-ca/client.key -out sample-ca/client.csr \
+ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf \
+ -out sample-ca/client.crt -in sample-ca/client.csr
+
+# Create password protected key file
+openssl rsa -aes256 -passout pass:password \
+ -in sample-ca/client.key -out sample-ca/client-pass.key
+
+# Create pkcs#12 client bundle
+openssl pkcs12 -export -nodes -password pass:password \
+ -out sample-ca/client.p12 -inkey sample-ca/client.key \
+ -in sample-ca/client.crt -certfile sample-ca/ca.crt
+
+
+# Create EC server and client cert (signed by 'regular' RSA CA)
+openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1
+
+openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
+ -extensions server \
+ -keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \
+ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf -extensions server \
+ -out sample-ca/server-ec.crt -in sample-ca/server-ec.csr
+
+openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
+ -keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \
+ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf \
+ -out sample-ca/client-ec.crt -in sample-ca/client-ec.csr
+
+# Generate DH parameters
+openssl dhparam -out dh2048.pem 2048
+
+# Copy keys and certs to working directory
+cp sample-ca/*.key .
+cp sample-ca/*.crt .
+cp sample-ca/*.p12 .