authorSamuli Seppänen <samuli@openvpn.net>2011-06-29 11:24:07 +0300
committerDavid Sommerseth <davids@redhat.com>2011-07-01 10:31:26 +0200
commit4ec60a5839c73b3840ad9297e9d9d15893085eff (patch)
tree36a8e23d3abceb0e5300e6bd1f4364762dec443e
parent6ab3848244388ca856d26aed8b0e44e4b9d589c3 (diff)
Updated "easy-rsa" for OpenSSL 1.0.0
This patch fixes remaining issues with Trac ticket #125. It does the following: - Update easy-rsa/2.0/README - Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf - Add easy-rsa/2.0/openssl-1.0.0.cnf - Updated vars.bat.sample to use openssl-1.0.0.cnf - Updated win/openvpn.nsi to use openssl-1.0.0.cnf - Add a few undefined variables to vars and vars.bat.sample: required by OpenSSL 1.0.0 (at least on Windows) Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Tested-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--easy-rsa/2.0/README4
-rwxr-xr-xeasy-rsa/2.0/openssl-1.0.0.cnf (renamed from easy-rsa/2.0/openssl.cnf)30
-rwxr-xr-xeasy-rsa/2.0/vars6
-rw-r--r--easy-rsa/Windows/vars.bat.sample7
-rwxr-xr-xwin/openvpn.nsi2
5 files changed, 27 insertions, 22 deletions
diff --git a/easy-rsa/2.0/README b/easy-rsa/2.0/README
index bde0d8c..6f5395c 100644
--- a/easy-rsa/2.0/README
+++ b/easy-rsa/2.0/README
@@ -74,8 +74,8 @@ Release Notes for easy-rsa-2.0
INSTALL easy-rsa
1. Edit vars.
-2. Set KEY_CONFIG to point to the openssl.cnf file
- included in this distribution.
+2. Set KEY_CONFIG to point to the correct openssl-<version>.cnf
+ file included in this distribution.
3. Set KEY_DIR to point to a directory which will
contain all keys, certificates, etc. This
directory need not exist, and if it does,
diff --git a/easy-rsa/2.0/openssl.cnf b/easy-rsa/2.0/openssl-1.0.0.cnf
index 3e4d3b3..fa258a5 100755
--- a/easy-rsa/2.0/openssl.cnf
+++ b/easy-rsa/2.0/openssl-1.0.0.cnf
@@ -1,9 +1,4 @@
-# For use with easy-rsa version 2.0
-
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
@@ -15,12 +10,12 @@ openssl_conf = openssl_init
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
-engines = engine_section
+engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
-# extensions =
+# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
@@ -48,7 +43,7 @@ new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key # The private key
+private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
@@ -59,7 +54,7 @@ x509_extensions = usr_cert # The extentions to add to the cert
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
+default_md = md5 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@@ -102,14 +97,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert
# input_password = secret
# output_password = secret
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
+# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
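Review bot: `string_mask = nombstr` is kept, while the added comment lines say `utf8only` is the PKIX recommendation and the removed Netscape warning was the only stated reason for `nombstr`; after this hunk the file no longer documents why the non-recommended mask is used. Either switch to `string_mask = utf8only` to match the new comment, or keep `nombstr` and add a line such as `# nombstr kept for compatibility with older clients; utf8only is the PKIX recommendation` so the choice is not read as an oversight.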
@@ -151,6 +144,7 @@ organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
+
# SET-ex3 = SET extension number 3
[ req_attributes ]
@@ -196,6 +190,7 @@ authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
+
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
@@ -214,8 +209,8 @@ keyUsage = digitalSignature
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
-nsCertType = server
-nsComment = "Easy-RSA Generated Server Certificate"
+nsCertType = server
+nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
@@ -288,4 +283,3 @@ dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
-
diff --git a/easy-rsa/2.0/vars b/easy-rsa/2.0/vars
index cded885..2ea1ced 100755
--- a/easy-rsa/2.0/vars
+++ b/easy-rsa/2.0/vars
@@ -66,3 +66,9 @@ export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL=mail@host.domain
+export KEY_CN=changeme
+export KEY_NAME=changeme
+export KEY_OU=changeme
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234
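Review bot: The added `export KEY_EMAIL=mail@host.domain` duplicates the `export KEY_EMAIL="me@myhost.mydomain"` line directly above it, so whatever value a user edits into the first line is silently overwritten by the second; drop the added line or edit the existing one instead of appending a second assignment. The other new exports also omit the double quotes every surrounding line uses; `export KEY_CN="changeme"` keeps the file's style and stays correct once a user puts a value with spaces (an OU or name) in it. `export PKCS11_PIN=1234` puts a sample credential into a file that is sourced into the environment, and the same placeholder appears in the vars.bat.sample hunk below; using the `changeme` placeholder the neighbouring entries use makes it clearer that the value must be replaced rather than kept.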
diff --git a/easy-rsa/Windows/vars.bat.sample b/easy-rsa/Windows/vars.bat.sample
index 3c4b607..36e6f71 100644
--- a/easy-rsa/Windows/vars.bat.sample
+++ b/easy-rsa/Windows/vars.bat.sample
@@ -4,7 +4,7 @@ rem the openssl.cnf file included
rem with easy-rsa.
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
-set KEY_CONFIG=openssl.cnf
+set KEY_CONFIG=openssl-1.0.0.cnf
rem Edit this variable to point to
rem your soon-to-be-created key
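Review bot: The `rem` comment above `set KEY_CONFIG` still refers to `the openssl.cnf file included with easy-rsa` (its first line is the hunk's context in the `@@` header, the comment begins above the hunk) while the new value is `openssl-1.0.0.cnf`, so the comment is now stale. Reword it to match the README change in this commit, e.g. `rem the openssl-<version>.cnf file included` / `rem with easy-rsa.`, so a reader of the sample knows there is more than one config file to choose from.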
@@ -33,3 +33,8 @@ set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain
+set KEY_CN=changeme
+set KEY_NAME=changeme
+set KEY_OU=changeme
+set PKCS11_MODULE_PATH=changeme
+set PKCS11_PIN=1234
diff --git a/win/openvpn.nsi b/win/openvpn.nsi
index d667d76..29d34f1 100755
--- a/win/openvpn.nsi
+++ b/win/openvpn.nsi
@@ -274,7 +274,7 @@ Section "${PRODUCT_NAME} RSA Certificate Management Scripts" SecOpenVPNEasyRSA
# Original nsi script looked for ${EASYRSA}\2.0\openssl.cnf.sample. A newer
# openssl.cnf is needed on OpenVPN 2.2+.
- File "${EASYRSA}\Windows\openssl.cnf"
+ File "${EASYRSA}\2.0\openssl-1.0.0.cnf"
File "${EASYRSA}\Windows\vars.bat.sample"