3 # OpenVPN -- An application to securely tunnel IP networks
4 # over a single TCP/UDP port, with support for SSL/TLS-based
5 # session authentication and key exchange,
6 # packet encryption, packet authentication, and
9 # Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License version 2
13 # as published by the Free Software Foundation.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program (see the file COPYING included with this
22 # distribution); if not, write to the Free Software Foundation, Inc.,
23 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 # pkitool is a front-end for the openssl tool.
27 # Calling scripts can set the certificate organizational
28 # unit with the KEY_OU environmental variable.
44 echo ' Please edit the vars script to reflect your configuration,'
45 echo ' then source it with "source ./vars".'
46 echo ' Next, to start with a fresh PKI configuration and to delete any'
47 echo ' previous certificates and keys, run "./clean-all".'
48 echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
53 echo "$PROGNAME $VERSION"
54 echo "Usage: $PROGNAME [options...] [common-name]"
56 echo " --batch : batch mode (default)"
57 echo " --keysize : Set keysize"
58 echo " size : size (default=1024)"
59 echo " --interact : interactive mode"
60 echo " --server : build server cert"
61 echo " --initca : build root CA"
62 echo " --inter : build intermediate CA"
63 echo " --pass : encrypt private key with password"
64 echo " --csr : only generate a CSR, do not sign"
65 echo " --sign : sign an existing CSR"
66 echo " --pkcs12 : generate a combined PKCS#12 file"
67 echo " --pkcs11 : generate certificate on PKCS#11 token"
68 echo " lib : PKCS#11 library"
69 echo " slot : PKCS#11 slot"
70 echo " id : PKCS#11 object id (hex string)"
71 echo " label : PKCS#11 object label"
72 echo "Standalone options:"
73 echo " --pkcs11-slots : list PKCS#11 slots"
74 echo " lib : PKCS#11 library"
75 echo " --pkcs11-objects : list PKCS#11 token objects"
76 echo " lib : PKCS#11 library"
77 echo " slot : PKCS#11 slot"
78 echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
79 echo " lib : PKCS#11 library"
80 echo " slot : PKCS#11 slot"
81 echo " label : PKCS#11 token label"
84 echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
85 echo "Generated files and corresponding OpenVPN directives:"
86 echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
87 echo " ca.crt -> root certificate (--ca)"
88 echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
89 echo " .crt files -> client/server certificates (--cert)"
90 echo " .key files -> private keys, keep secure (--key)"
91 echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
92 echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
94 echo " $PROGNAME --initca -> Build root certificate"
95 echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
96 echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
97 echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
98 echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
99 echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
100 echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
101 echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
102 echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
103 echo " Also see ./inherit-inter script."
104 echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
105 echo " -> Build \"client5\" certificate/key in PKCS#11 token"
106 echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
107 echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
108 echo " [edit vars with your site-specific info]"
109 echo " source ./vars"
111 echo " ./build-dh -> takes a long time, consider backgrounding"
112 echo " ./$PROGNAME --initca"
113 echo " ./$PROGNAME --server myserver"
114 echo " ./$PROGNAME client1"
115 echo " ./$PROGNAME --pass client2"
116 echo "Typical usage for adding client cert to existing PKI:"
117 echo " source ./vars"
118 echo " ./$PROGNAME client-new"
122 [ -n "$OPENSSL" ] ||
export OPENSSL
="openssl"
123 [ -n "$PKCS11TOOL" ] ||
export PKCS11TOOL
="pkcs11-tool"
124 [ -n "$GREP" ] ||
export GREP
="grep"
138 # must be set or errors of openssl.cnf
139 PKCS11_MODULE_PATH
="dummy"
143 while [ $# -gt 0 ]; do
145 --keysize ) KEY_SIZE
=$2
147 --server ) REQ_EXT
="$REQ_EXT -extensions server"
148 CA_EXT
="$CA_EXT -extensions server" ;;
149 --batch ) BATCH
="-batch" ;;
150 --interact ) BATCH
="" ;;
151 --inter ) CA_EXT
="$CA_EXT -extensions v3_ca" ;;
152 --initca ) DO_ROOT
="1" ;;
153 --pass ) NODES_REQ
="" ;;
155 --sign ) DO_REQ
="0" ;;
156 --pkcs12 ) DO_P12
="1" ;;
157 --pkcs11 ) DO_P11
="1"
158 PKCS11_MODULE_PATH
="$2"
166 PKCS11_MODULE_PATH
="$2"
169 if [ -z "$PKCS11_LABEL" ]; then
170 die
"Please specify library name, slot and label"
172 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
173 --label "$PKCS11_LABEL" &&
174 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
177 PKCS11_MODULE_PATH
="$2"
178 if [ -z "$PKCS11_MODULE_PATH" ]; then
179 die
"Please specify library name"
181 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
184 PKCS11_MODULE_PATH
="$2"
186 if [ -z "$PKCS11_SLOT" ]; then
187 die
"Please specify library name and slot"
189 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
193 --* ) die
"$PROGNAME: unknown option: $1" ;;
199 if ! [ -z "$BATCH" ]; then
200 if $OPENSSL version |
grep 0.9.6 > /dev
/null
; then
201 die
"Batch mode is unsupported in openssl<0.9.7"
205 if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
206 die
"PKCS#11 and PKCS#12 cannot be specified together"
209 if [ $DO_P11 -eq 1 ]; then
210 if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev
/null
; then
211 die
"Please edit $KEY_CONFIG and setup PKCS#11 engine"
215 # If we are generating pkcs12, only encrypt the final step
216 if [ $DO_P12 -eq 1 ]; then
217 NODES_P12
="$NODES_REQ"
221 if [ $DO_P11 -eq 1 ]; then
222 if [ -z "$PKCS11_LABEL" ]; then
223 die
"PKCS#11 arguments incomplete"
227 # If undefined, set default key expiration intervals
228 if [ -z "$KEY_EXPIRE" ]; then
231 if [ -z "$CA_EXPIRE" ]; then
235 # Set organizational unit to empty string if undefined
236 if [ -z "$KEY_OU" ]; then
241 if [ $DO_ROOT -eq 1 ]; then
242 if [ -z "$KEY_CN" ]; then
245 elif [ "$KEY_ORG" ]; then
249 if [ $BATCH ] && [ "$KEY_CN" ]; then
250 echo "Using CA Common Name:" $KEY_CN
252 elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
253 echo "Using Common Name:" $KEY_CN
255 if [ $# -ne 1 ]; then
263 export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
265 # Show parameters (debugging)
266 if [ $DEBUG -eq 1 ]; then
268 echo REQ_EXT
$REQ_EXT
271 echo NODES_REQ
$NODES_REQ
272 echo NODES_P12
$NODES_P12
276 echo DO_ROOT
$DO_ROOT
277 echo KEY_EXPIRE
$KEY_EXPIRE
278 echo CA_EXPIRE
$CA_EXPIRE
281 echo PKCS11_MODULE_PATH
$PKCS11_MODULE_PATH
282 echo PKCS11_SLOT
$PKCS11_SLOT
283 echo PKCS11_ID
$PKCS11_ID
284 echo PKCS11_LABEL
$PKCS11_LABEL
287 # Make sure ./vars was sourced beforehand
288 if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
291 # Make sure $KEY_CONFIG points to the correct version
293 if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev
/null
; then
296 echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
297 echo "version of openssl.cnf: $KEY_CONFIG"
298 echo "The correct version should have a comment that says: easy-rsa version 2.x";
303 if [ $DO_ROOT -eq 1 ]; then
304 $OPENSSL req
$BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa
:$KEY_SIZE -sha1 \
305 -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
308 # Make sure CA key/cert is available
309 if [ $DO_CA -eq 1 ] ||
[ $DO_P12 -eq 1 ]; then
310 if [ ! -r "$CA.crt" ] ||
[ ! -r "$CA.key" ]; then
311 echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
312 echo "Try $PROGNAME --initca to build a root certificate/key."
317 # Generate key for PKCS#11 token
319 if [ $DO_P11 -eq 1 ]; then
326 echo "Generating key pair on PKCS#11 token..."
327 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
328 --login --pin "$PKCS11_PIN" \
329 --key-type rsa
:1024 \
330 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" ||
exit 1
331 PKCS11_ARGS
="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
335 ( [ $DO_REQ -eq 0 ] ||
$OPENSSL req
$BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa
:$KEY_SIZE \
336 -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
337 ( [ $DO_CA -eq 0 ] ||
$OPENSSL ca
$BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
338 -in "$KEY_CN.csr" $CA_EXT -md sha1
-config "$KEY_CONFIG" ) && \
339 ( [ $DO_P12 -eq 0 ] ||
$OPENSSL pkcs12
-export -inkey "$KEY_CN.key" \
340 -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
341 ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] ||
chmod 0600 "$KEY_CN.key" ) && \
342 ( [ $DO_P12 -eq 0 ] ||
chmod 0600 "$KEY_CN.p12" )
344 # Load certificate into PKCS#11 token
345 if [ $DO_P11 -eq 1 ]; then
346 $OPENSSL x509
-in "$KEY_CN.crt" -inform PEM
-out "$KEY_CN.crt.der" -outform DER
&& \
347 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
348 --login --pin "$PKCS11_PIN" \
349 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
350 [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"