serhepopovych / easy-rsa Goto Github PK
View Code? Open in Web Editor NEWEasy-RSA 2.x based on original Easy-RSA 2.0 with support for OpenVPN profiles generation
License: GNU General Public License v2.0
Easy-RSA 2.x based on original Easy-RSA 2.0 with support for OpenVPN profiles generation
License: GNU General Public License v2.0
Easy-RSA 2.x based on original Easy-RSA 2.0-rc1 found in OpenVPN 2.x branch =========================================================================== From easy-rsa/README-2.0: ------------------------- This is a small RSA key management package, based on the openssl command line tool, that can be found in the easy-rsa subdirectory of the OpenVPN distribution. While this tool is primary concerned with key management for the SSL VPN application space, it can also be used for building web certificates. This work initially based on original EASY-RSA 2.0-rc1 found in openvpn-2.2.1 package from Debian GNU/Linux 7.x (wheezy). However development is moved then to https://github.com/OpenVPN/easy-rsa/tree/release/2.x which is closed now. Main objectives for this reimplementation are following: -------------------------------------------------------- o Support CRL for intermediate CAs at any depth o Support for multiple subjectAltName (Subject Alternative Names, SAN) o Seamless certificate reissue with same subjectName and private key o OpenVPN profile (file.ovpn) for Android/iOS/MacOS/Windows clients and config directory for Linux/BSD systems (both client and server) o Lighttpd with TLS/SSL and mod_secdownload support for secure client/server certificates (not implemented, PKCS#12 could be used for this purpose as single container for everything), CA certificate, CRLs and OpenVPN profiles/configuration (primary focus) distribution to end users o Multi-user support (could be useful for study purposes) o RSA 2048 bit keys and SHA256 by default o Revised security. Passwords passed via environment, sane filesystem permissions and ownership, private keys always encrypted with random passphrase generated from /dev/urandom, helper to run CA commands in pristine environment o Helpers to list OpenSSL index.txt certificate database o Arhcive expired certificates to keep index.txt small automatically o Misc improvements and bugfixes to pkitool a core utility Installation ------------ Use standard installsh steps: $ cd /tmp $ git clone --recursive https://github.com/serhepopovych/easy-rsa $ cd easy-rsa $ sudo -i \ fqdn='easy-rsa.example.com' \ hostname='easy-rsa' \ domain='example.com' \ users='certmgr user1 user2' \ ./deploy.sh -d 'opt' \ # Since easy-rsa supports multiuser configurations, no user by default has preconfigured easy-rsa/ in it's home directory at creation time because no easy-rsa/ installed in /etc/skel, you must manually copy skeleton from <install_dir>/easy-rsa/skel/* to user home directory: Note that on SELinux enforced systems (e.g. RHEL/CentOS) you need to add following configuration: # Make sure policycoreutils installed $ sudo yum install -y policycoreutils # Allow setrlimit for lighttpd process $ sudo setsebool -P httpd_setrlimit 1 # Allow access to user home directories for mod_userdir $ sudo setsebool -P httpd_read_user_content 1 # Make sure policycoreutils-python or # policycoreutils-python-utils installed $ sudo yum install policycoreutils-python || \ sudo yum install policycoreutils-python-utils # Allow lighttpd to execute xbin/* and xbin/mod/*/* helpers $ cd ~ $ cat >comm_lighttpd_users_conf_sh.te <<'_EOF' module comm_lighttpd_users_conf_sh 1.0; require { type httpd_config_t; type httpd_t; class file { execute execute_no_trans }; } #============= httpd_t ============== allow httpd_t httpd_config_t:file { execute execute_no_trans }; _EOF $ checkmodule -M -m -o comm_lighttpd_users_conf_sh.mod \ comm_lighttpd_users_conf_sh.te $ semodule_package -o comm_lighttpd_users_conf_sh.pp -m \ comm_lighttpd_users_conf_sh.mod $ sudo semodule -r comm_lighttpd_users_conf_sh $ sudo semodule -i comm_lighttpd_users_conf_sh.pp Usage ----- $ /opt/easy-rsa/exec-ca --help usage: /opt/easy-rsa/exec-ca [NAME=VAL...] [options] [--] <ca> <command> [<args> ...] options : options for exec-ca --runas run as specified user instead of current (i.e. $USER) --help|--usage this help message --version this program version ca : the CA directory (KEY_DIR) of the PKI to run command on command : command to run with PKI environment read from vars-<ca> args : (optional) arguments to <command> Example: /opt/easy-rsa/exec-ca webCA build-ca (build webCA) /opt/easy-rsa/exec-ca webCA (execute $SHELL with environment from vars-webCA) $ /opt/easy-rsa/exec-ca --runas certmgr ovpnCA ovpn-mkconfig-client --help Usage: mkconfig [options] <CommonName> Options: --remote : Remote OpenVPN peer hostname or IP address --port : Port to use on remote OpenVPN host (default: 1194) --proto : Protocol used to connect to peer (default: udp) --mode : Mode used to connect to peer (default: client) --instance : Instance name to use as subdirectory name (default: --mode) --newkey : Force new private key creation (default: no) --help|--usage : This help message --version : This program version <CommonName> is a X.509 "Common Name" used to distinguish peer. It can be either hostname when --mode is "server" or legal name of user when --mode is "client". Examples -------- # Build self-signed RootCA certificate $ /opt/easy-rsa/exec-ca KEY_CN='Example.Net RootCA' --runas certmgr -- \ RootCA build-ca --keysize 4096 RootCA # Build child CAs: webCA and ovpnCA $ /opt/easy-rsa/exec-ca \ KEY_CN='OpenVPN Intermediate CA' --runas certmgr -- \ RootCA build-inter --keysize 4096 ovpnCA $ /opt/easy-rsa/exec-ca \ KEY_CN='WebServices Intermediate CA' --runas certmgr -- \ RootCA build-inter --keysize 4096 webCA # Build OpenVPN server certificate, profile and configuration $ /opt/easy-rsa/exec-ca --runas certmgr -- ovpnCA \ ovpn-mkconfig-server 'vpn.example.net' # Build OpenVPN client certificate and profile $ /opt/easy-rsa/exec-ca --runas certmgr -- ovpnCA \ ovpn-mkconfig-client 'Test user' # Remove all certificates (including CA certificate itself) issued # by this and all child CAs; cleans up index.txt database $ /opt/easy-rsa/exec-ca --runas certmgr -- RootCA clean-all # Enter interactive shell with pristine environment and $PATH # pointing to /opt/easy-rsa and extensions/xbin. $ /opt/easy-rsa/exec-ca --runas certmgr ovpnCA # list certificates issued by authority (from openssl index.txt file) easy-rsa:ovpnCA> list-index-txt # show CRL (Certificate Revocation List) easy-rsa:ovpnCA> list-crl # build OpenVPN client certificate and profile easy-rsa:ovpnCA> ovpn-mkconfig-client 'Test user2' # revoke previously build OpenVPN client certificate easy-rsa:ovpnCA> revoke-full 'Test user2'
Profile and configuration files secure download URLs are long and hard to transfer to end users.
It would be great to have config option to enable some private URL shorter to make addresses more friendly.
If user needs access to it's profile or configuration file again the only way is to download it by CA administrator user and send it to via (potentially insecure) communication channels.
While this isn't big problem for desktop deployments, preferred method for mobile devices is to
copy and paste https URL to OpenVPN application import dialog.
This helper should take certificate CN and mode (server or client) as parameter or old URL and create new one that can be sent to user.
This should include steps from README
$ sudo useradd -c 'PKI certificate management user' -m certmgr
$ sudo -u certmgr -i cp -a /opt/easy-rsa/skel/easy-rsa ~certmgr
$ sudo -u certmgr -i chown -R certmgr:certmgr ~certmgr/easy-rsa
$ sudo ln -sf ~certmgr/easy-rsa/.htconf
/etc/lighttpd/vhosts.d/easy-rsa.example.net/users.d/certmgr
#
and will help managing users with easy-rsa access.
Due to limitation of https://github.com/serhepopovych/installsh we cannot substitude template
values in directory/file names. For example @fqdn@
in /etc/lighttpd/vhosts.d will not be substitured
to FQDN during install forcing user to do this explicitly (e.g. with mv -f @fqdn@
$(hostname -f)).
This issue should be addressed first in installsh and next this project git submodule and README should be updated.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.