-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathmk-ovpn
executable file
·77 lines (67 loc) · 2.12 KB
/
mk-ovpn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#!/bin/sh
[ "$#" = 0 ] && { echo >&2 "Usage: $0 CommonName [Options]" ; exit 1; }
#
# This script creates certificates for OpenVPN tls setups.
# Each key has a different CA certificate created for it and the setup
# is designed so that any machine only has the CA certificates for the
# machines that it is allowed to connect to.
#
# Note none of ns-cert-type, remote-cert-tls or verify-x509-name are
# required to make this secure. But it is suggested that verify-x509-name
# is used to stop OpenVPN complaining as this is what's required for
# certificates signed by a public CA.
#
# For OpenVPN the certificates can be V1 or V3, however, V1 certificates
# can be used as intermediate CA certificates or direct validation. If this
# is a problem the V3 certificates with the CA constraint should be used.
do_commonname() {
CN="$1" ; SIGN=-suca
( umask 0077 ; mkdir -p "$CERT_DIR" )
CRTFILE="$CERT_DIR"/"$CN".crt
[ -s "$CRTFILE" ] && { echo "ERROR: Name '$CN' already exists" ; return ; }
mkc() {
./mk-cert \
${CERT_DAYS:+-days="$CERT_DAYS"} \
"$SIGN" \
"$CN" \
-casubj="$CN" \
"$@" > "$CRTFILE"
}
[ -f "$CERT_DIR/${CERTTYPE:-client}-ca.pem" ] &&
SIGN="-sign=$CERT_DIR/${CERTTYPE:-client}-ca.pem"
if [ "$CERTTYPE" = '' ]
then if [ "$CERTVER" = v1 ]
then mkc -casubj="Private CA"
else mkc -casubj="Private CA" -v3critical
fi
else
if [ "$CERTVER" = v1 ]
then
mkc -casubj="OpenVPN $CERTTYPE CA" "OpenVPN $CERTTYPE"
elif [ "$CERTVER" = v3 ]
then
mkc -casubj="OpenVPN $CERTTYPE CA" "OpenVPN $CERTTYPE" -v3critical -v3ns="$CERTTYPE"
else
mkc -casubj="OpenVPN $CERTTYPE CA" "OpenVPN $CERTTYPE" -v3critical "-$CERTTYPE"
fi
fi
}
CERT_DIR="${CERT_DIR:-certs}"
CERTVER=v1 ; CERTTYPE=
for e in n y
do
for v
do case "$v" in
-s|-server ) CERTTYPE=server ;;
-c|-client ) CERTTYPE=client ;;
-v1 ) CERTVER=v1 ;;
-v3 ) CERTVER=v3 ;;
-v3ext ) CERTVER=v3x ;;
-days=[1-9]*[0-9] ) CERT_DAYS="${v#*=}" ;;
-dir=* ) CERT_DIR="${v#*=}" ;;
-* ) echo >&2 "Option $v not recognised"; exit 1;;
*) [ "$e" = y ] && do_commonname "$v"
;;
esac
done
done