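#!/bin/sh
#
# Run this script to set up a test CA, and test key-certificate pair for a
# server, and various clients.
#
# Everything produced here is test-only material: the CA, every private key
# (written unencrypted, see -nodes below) and the well-known "password"
# passphrase exist for the test suite and must never protect anything real.
#
# Usage: run from the sample directory (next to openssl.cnf). The tls-auth key
# is generated with the in-tree openvpn binary; set top_builddir to point at
# a different build tree if needed.
#
# Copyright (C) 2014-2024 Steffan Karger <steffan@karger.me>

set -eu

# Private keys land on disk unencrypted; make sure the files are not
# group/world-readable regardless of the caller's umask. Certificates and the
# sample-ca directory end up owner-only as well, which is the safe default --
# loosen them by hand if a test has to read them as another user.
umask 077

command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; }

# openssl.cnf (and the sample-ca layout the 'openssl ca' calls rely on) are
# resolved relative to the current directory, so insist on running from there.
if [ ! -f openssl.cnf ]
then
    echo "Please run this script from the sample directory"
    exit 1
fi

# Generate static key for tls-auth (or static key mode).
# Quote the path expansions: a build directory containing spaces would
# otherwise be word-split into a bogus command line.
top_builddir="${top_builddir:-$(dirname "${0}")/../..}"
openvpn_bin="${top_builddir}/src/openvpn/openvpn"
if [ ! -x "${openvpn_bin}" ]
then
    echo >&2 "Unable to find an executable openvpn at ${openvpn_bin}. Build the tree first, or set top_builddir to your build directory."
    exit 1
fi
"${openvpn_bin}" --genkey tls-auth ta.key

# Create required directories and files: 'openssl ca' below needs an (empty)
# certificate database and a serial counter, both under sample-ca as
# configured in openssl.cnf. A re-run starts from a clean database.
mkdir -p sample-ca
rm -f sample-ca/index.txt
touch sample-ca/index.txt
echo "01" > sample-ca/serial

# Generate CA key and cert: self-signed RSA-4096, valid for ten years, with
# the 'easyrsa_ca' extension section from openssl.cnf. The CA key is left
# unencrypted (-nodes) so the script runs unattended.
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
    -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
    -subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain" \
    -config openssl.cnf

# Create server key and cert. The '-extensions server' section of openssl.cnf
# is what distinguishes a server cert from a client cert here, so it is passed
# both when building the request and when the CA signs it.
openssl req -new -nodes -config openssl.cnf -extensions server \
    -keyout sample-ca/server.key -out sample-ca/server.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf -extensions server \
    -out sample-ca/server.crt -in sample-ca/server.csr

# Create client key and cert (default extensions from openssl.cnf).
openssl req -new -nodes -config openssl.cnf \
    -keyout sample-ca/client.key -out sample-ca/client.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf \
    -out sample-ca/client.crt -in sample-ca/client.csr

# Create password protected key file: the same client key, AES-256 wrapped
# with the fixed test passphrase "password" (tests exercising --askpass /
# key-passphrase handling depend on that exact value).
openssl rsa -aes256 -passout pass:password \
    -in sample-ca/client.key -out sample-ca/client-pass.key

# Create pkcs#12 client bundle: client key + cert + CA cert in one file,
# protected with the same test passphrase.
openssl pkcs12 -export -nodes -password pass:password \
    -out sample-ca/client.p12 -inkey sample-ca/client.key \
    -in sample-ca/client.crt -certfile sample-ca/ca.crt

# Create a client cert, revoke it, generate CRL. The resulting ca.crl lists
# client-revoked.crt so CRL checking (--crl-verify) can be tested against a
# cert the same CA actually issued.
openssl req -new -nodes -config openssl.cnf \
    -keyout sample-ca/client-revoked.key -out sample-ca/client-revoked.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=client-revoked/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf \
    -out sample-ca/client-revoked.crt -in sample-ca/client-revoked.csr
openssl ca -config openssl.cnf -revoke sample-ca/client-revoked.crt
openssl ca -config openssl.cnf -gencrl -out sample-ca/ca.crl

# Create DSA server and client cert (signed by 'regular' RSA CA).
# NOTE(review): DSA is a legacy signature algorithm that recent TLS stacks
# tend to disable; keep these only as long as a test still consumes them.
openssl dsaparam -out sample-ca/dsaparams.pem 2048

openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \
    -extensions server \
    -keyout sample-ca/server-dsa.key -out sample-ca/server-dsa.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-DSA/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf -extensions server \
    -out sample-ca/server-dsa.crt -in sample-ca/server-dsa.csr

openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \
    -keyout sample-ca/client-dsa.key -out sample-ca/client-dsa.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-DSA/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf \
    -out sample-ca/client-dsa.crt -in sample-ca/client-dsa.csr

# Create EC server and client cert (signed by 'regular' RSA CA).
# NOTE(review): secp256k1 is not in the default curve list of every TLS
# stack; if the EC tests fail to negotiate, prime256v1 is the portable
# choice -- confirm whether the non-default curve is intentional before
# changing it.
openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1

openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
    -extensions server \
    -keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf -extensions server \
    -out sample-ca/server-ec.crt -in sample-ca/server-ec.csr

openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
    -keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf \
    -out sample-ca/client-ec.crt -in sample-ca/client-ec.csr

# Generate DH parameters (this step is slow; it is real parameter generation).
openssl dhparam -out dh2048.pem 2048

# Copy keys and certs to working directory, where the sample configs and the
# test suite expect to find them. The CA's own database stays in sample-ca.
cp sample-ca/*.key .
cp sample-ca/*.crt .
cp sample-ca/*.p12 .
cp sample-ca/*.crl .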