This is the start of the BETA21 branch.

It includes the --topology feature, and
TAP-Win32 driver changes to allow
non-admin access.



git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5

30 files changed, 890 insertions, 0 deletions

diff --git a/easy-rsa/README b/easy-rsa/README
new file mode 100644
index 0000000..fd424ef
--- /dev/null
+++ b/easy-rsa/README
@@ -0,0 +1,161 @@
+This is a small RSA key management package,
+based on the openssl command line tool, that
+can be found in the easy-rsa subdirectory
+of the OpenVPN distribution.
+
+These are reference notes.  For step
+by step instructions, see the HOWTO:
+
+http://openvpn.net/howto.html
+
+INSTALL
+
+1. Edit vars.
+2. Set KEY_CONFIG to point to the openssl.cnf file
+   included in this distribution.
+3. Set KEY_DIR to point to a directory which will
+   contain all keys, certificates, etc.  This
+   directory need not exist, and if it does,
+   it will be deleted with rm -rf, so BE
+   CAREFUL how you set KEY_DIR.
+4. (Optional) Edit other fields in vars
+   per your site data.  You may want to
+   increase KEY_SIZE to 2048 if you are
+   paranoid and don't mind slower key
+   processing, but certainly 1024 is
+   fine for testing purposes.  KEY_SIZE
+   must be compatible across both peers
+   participating in a secure SSL/TLS
+   connection.
+5  . vars
+6. ./clean-all
+7. As you create certificates, keys, and
+   certificate signing requests, understand that
+   only .key files should be kept confidential.
+   .crt and .csr files can be sent over insecure
+   channels such as plaintext email.
+8. You should never need to copy a .key file
+   between computers.  Normally each computer
+   will have its own certificate/key pair.
+
+BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
+
+1. ./build-ca
+2. ca.crt and ca.key will be built in your KEY_DIR
+   directory
+
+BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
+
+1. ./build-inter inter
+2. inter.crt and inter.key will be built in your KEY_DIR
+   directory and signed with your root certificate.
+
+BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
+the server end of a SSL/TLS connection).
+
+1. ./build-dh
+
+BUILD A CERTIFICATE SIGNING REQUEST (If
+you want to sign your certificate with a root
+certificate controlled by another individual
+or organization, or residing on a different machine).
+
+1. Get ca.crt (the root certificate) from your
+   certificate authority.  Though this
+   transfer can be over an insecure channel, to prevent
+   man-in-the-middle attacks you must confirm that
+   ca.crt was not tampered with.  Large CAs solve this
+   problem by hardwiring their root certificates into
+   popular web browsers.  A simple way to verify a root
+   CA is to call the issuer on the telephone and confirm
+   that the md5sum or sha1sum signatures on the ca.crt
+   files match (such as with the command: "md5sum ca.crt").
+2. Choose a name for your certificate such as your computer
+   name.  In our example we will use "mycert".
+3. ./build-req mycert
+4. You can ignore most of the fields, but set
+   "Common Name" to something unique such as your
+   computer's host name.  Leave all password
+   fields blank, unless you want your private key
+   to be protected by password.  Using a password
+   is not required -- it will make your key more secure
+   but also more inconvenient to use, because you will
+   need to supply your password anytime the key is used.
+   NOTE: if you are using a password, use ./build-req-pass
+   instead of ./build-req
+5. Your key will be written to $KEY_DIR/mycert.key
+6. Your certificate signing request will be written to
+   to $KEY_DIR/mycert.csr
+7. Email mycert.csr to the individual or organization
+   which controls the root certificate.  This can be
+   done over an insecure channel.
+8. After the .csr file is signed by the root certificate
+   authority, you will receive a file mycert.crt
+   (your certificate).  Place mycert.crt in your
+   KEY_DIR directory.
+9. The combined files of mycert.crt, mycert.key,
+   and ca.crt can now be used to secure one end of
+   an SSL/TLS connection.
+
+SIGN A CERTIFICATE SIGNING REQUEST
+
+1. ./sign-req mycert
+2. mycert.crt will be built in your KEY_DIR
+   directory using mycert.csr and your root CA
+   file as input.
+
+BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
+USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
+script generates and signs a certificate in one step,
+but it requires that the generated certificate and private
+key files be copied to the destination host over a
+secure channel.
+
+1. ./build-key mycert (no password protection)
+2. OR ./build-key-pass mycert (with password protection)
+3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
+4. OR ./build-key-server mycert (with nsCertType=server)
+5. mycert.crt and mycert.key will be built in your
+   KEY_DIR directory, and mycert.crt will be signed
+   by your root CA. If ./build-key-pkcs12 was used a
+   mycert.p12 file will also be created including the
+   private key, certificate and the ca certificate.
+
+IMPORTANT
+
+To avoid a possible Man-in-the-Middle attack where an authorized
+client tries to connect to another client by impersonating the
+server, make sure to enforce some kind of server certificate
+verification by clients.  There are currently four different ways
+of accomplishing this, listed in the order of preference:
+
+(1) Build your server certificates with the build-key-server
+    script.  This will designate the certificate as a
+    server-only certificate by setting nsCertType=server.
+    Now add the following line to your client configuration:
+      
+    ns-cert-type server
+
+    This will block clients from connecting to any
+    server which lacks the nsCertType=server designation
+    in its certificate, even if the certificate has been
+    signed by the CA which is cited in the OpenVPN configuration
+    file (--ca directive).
+
+(2) Use the --tls-remote directive on the client to
+    accept/reject the server connection based on the common
+    name of the server certificate.
+
+(3) Use a --tls-verify script or plugin to accept/reject the
+    server connection based on a custom test of the server
+    certificate's embedded X509 subject details.
+
+(4) Sign server certificates with one CA and client certificates
+    with a different CA.  The client config "ca" directive should
+    reference the server-signing CA while the server config "ca"
+    directive should reference the client-signing CA.
+
+NOTES
+
+Show certificate fields:
+  openssl x509 -in cert.crt -text
diff --git a/easy-rsa/Windows/README.txt b/easy-rsa/Windows/README.txt
new file mode 100644
index 0000000..2ede7b1
--- /dev/null
+++ b/easy-rsa/Windows/README.txt
@@ -0,0 +1,44 @@
+Extract all zip'd files to the OpenVPN home directory,
+including the openssl.cnf file from the top-level
+"easy-rsa" directory.
+
+First run init-config.bat
+
+Next, edit vars.bat to adapt it to your environment, and
+create the directory that will hold your key files.
+
+To generate TLS keys:
+
+Create new empty index and serial files (once only)
+1. vars
+2. clean-all
+
+Build a CA key (once only)
+1. vars
+2. build-ca
+
+Build a DH file (for server side, once only)
+1. vars
+2. build-dh
+
+Build a private key/certficate for the openvpn server
+1. vars
+2. build-key-server <machine-name>
+
+Build key files in PEM format (for each client machine)
+1. vars
+2. build-key <machine-name>
+   (use <machine name> for specific name within script)
+
+or
+
+Build key files in PKCS #12 format (for each client machine)
+1. vars
+2. build-key-pkcs12 <machine-name>
+   (use <machine name> for specific name within script)
+
+To revoke a TLS certificate and generate a CRL file:
+1. vars
+2. revoke-full <machine-name>
+3. verify last line of output confirms revokation
+4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>"
diff --git a/easy-rsa/Windows/build-ca.bat b/easy-rsa/Windows/build-ca.bat
new file mode 100644
index 0000000..a3f234b
--- /dev/null
+++ b/easy-rsa/Windows/build-ca.bat
@@ -0,0 +1,4 @@
+@echo off
+cd %HOME%
+rem build a cert authority valid for ten years, starting now
+openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG%
diff --git a/easy-rsa/Windows/build-dh.bat b/easy-rsa/Windows/build-dh.bat
new file mode 100644
index 0000000..74bc603
--- /dev/null
+++ b/easy-rsa/Windows/build-dh.bat
@@ -0,0 +1,4 @@
+@echo off
+cd %HOME%
+rem build a dh file for the server side
+openssl dhparam -out %KEY_DIR%/dh%KEY_SIZE%.pem %KEY_SIZE%
diff --git a/easy-rsa/Windows/build-key-pkcs12.bat b/easy-rsa/Windows/build-key-pkcs12.bat
new file mode 100644
index 0000000..1fc083e
--- /dev/null
+++ b/easy-rsa/Windows/build-key-pkcs12.bat
@@ -0,0 +1,10 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem convert the key/cert and embed the ca cert into a pkcs12 file.
+openssl pkcs12 -export -inkey %KEY_DIR%\%1.key -in %KEY_DIR%\%1.crt -certfile %KEY_DIR%\ca.crt -out %KEY_DIR%\%1.p12
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-key-server.bat b/easy-rsa/Windows/build-key-server.bat
new file mode 100644
index 0000000..20e3605
--- /dev/null
+++ b/easy-rsa/Windows/build-key-server.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/build-key.bat b/easy-rsa/Windows/build-key.bat
new file mode 100644
index 0000000..c040904
--- /dev/null
+++ b/easy-rsa/Windows/build-key.bat
@@ -0,0 +1,8 @@
+@echo off
+cd %HOME%
+rem build a request for a cert that will be valid for ten years
+openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+rem delete any .old files created in this process, to avoid future file creation errors
+del /q %KEY_DIR%\*.old
diff --git a/easy-rsa/Windows/clean-all.bat b/easy-rsa/Windows/clean-all.bat
new file mode 100644
index 0000000..71cbf4d
--- /dev/null
+++ b/easy-rsa/Windows/clean-all.bat
@@ -0,0 +1,13 @@
+@echo off
+rem move to the HOME directory specified in VARS script
+cd %HOME%
+rem set a temporary KEY_DIR variable
+set d=%KEY_DIR%
+rem delete the KEY_DIR and any subdirs quietly
+rmdir /s /q %d%
+rem make a new KEY_DIR
+mkdir %d%
+rem copy in a fesh index file so we begin with an empty database
+copy index.txt.start %d%\index.txt
+rem copy in a fresh serial file so we begin generating keys at index 01
+copy serial.start %d%\serial.
diff --git a/easy-rsa/Windows/index.txt.start b/easy-rsa/Windows/index.txt.start
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/easy-rsa/Windows/index.txt.start
diff --git a/easy-rsa/Windows/init-config.bat b/easy-rsa/Windows/init-config.bat
new file mode 100755
index 0000000..048d558
--- /dev/null
+++ b/easy-rsa/Windows/init-config.bat
@@ -0,0 +1,2 @@
+copy vars.bat.sample vars.bat
+copy openssl.cnf.sample openssl.cnf
diff --git a/easy-rsa/Windows/revoke-full.bat b/easy-rsa/Windows/revoke-full.bat
new file mode 100644
index 0000000..ef2e4b5
--- /dev/null
+++ b/easy-rsa/Windows/revoke-full.bat
@@ -0,0 +1,13 @@
+@echo off
+cd %HOME%
+rem revoke cert
+openssl ca -revoke %KEY_DIR%\%1.crt -config %KEY_CONFIG%
+rem generate new crl
+openssl ca -gencrl -out %KEY_DIR%\crl.pem -config %KEY_CONFIG%
+rem test revocation
+rem first concatinate ca cert with newly generated crl
+copy %KEY_DIR%\ca.crt+%KEY_DIR%\crl.pem %KEY_DIR%\revoke_test_file.pem
+rem now verify the revocation
+openssl verify -CAfile %KEY_DIR%\revoke_test_file.pem -crl_check %KEY_DIR%\%1.crt
+rem delete temporary test file
+del /q %KEY_DIR%\revoke_test_file.pem
diff --git a/easy-rsa/Windows/serial.start b/easy-rsa/Windows/serial.start
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/easy-rsa/Windows/serial.start
@@ -0,0 +1 @@
+01
diff --git a/easy-rsa/Windows/vars.bat.sample b/easy-rsa/Windows/vars.bat.sample
new file mode 100644
index 0000000..8ab65e1
--- /dev/null
+++ b/easy-rsa/Windows/vars.bat.sample
@@ -0,0 +1,35 @@
+@echo off
+rem Edit this variable to point to
+rem the openssl.cnf file included
+rem with easy-rsa.
+
+set HOME=%ProgramFiles%\OpenVPN\easy-rsa
+set KEY_CONFIG=openssl.cnf
+
+rem Edit this variable to point to
+rem your soon-to-be-created key
+rem directory.
+rem
+rem WARNING: clean-all will do
+rem a rm -rf on this directory
+rem so make sure you define
+rem it correctly!
+set KEY_DIR=keys
+
+rem Increase this to 2048 if you
+rem are paranoid.  This will slow
+rem down TLS negotiation performance
+rem as well as the one-time DH parms
+rem generation process.
+set KEY_SIZE=1024
+
+rem These are the default values for fields
+rem which will be placed in the certificate.
+rem Change these to reflect your site.
+rem Don't leave any of these parms blank.
+
+set KEY_COUNTRY=US
+set KEY_PROVINCE=CA
+set KEY_CITY=SanFrancisco
+set KEY_ORG=FortFunston
+set KEY_EMAIL=mail@host.domain
diff --git a/easy-rsa/build-ca b/easy-rsa/build-ca
new file mode 100755
index 0000000..5ad59cc
--- /dev/null
+++ b/easy-rsa/build-ca
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
+        chmod 0600 ca.key
+else
+	echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/build-dh b/easy-rsa/build-dh
new file mode 100755
index 0000000..6de4baf
--- /dev/null
+++ b/easy-rsa/build-dh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+#
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+#
+
+if test $KEY_DIR; then
+    openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+    echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/build-inter b/easy-rsa/build-inter
new file mode 100755
index 0000000..8b3a6b2
--- /dev/null
+++ b/easy-rsa/build-inter
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-inter <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+	echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/build-key b/easy-rsa/build-key
new file mode 100755
index 0000000..3159d2b
--- /dev/null
+++ b/easy-rsa/build-key
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-key <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+	chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/build-key-pass b/easy-rsa/build-key-pass
new file mode 100755
index 0000000..03ab304
--- /dev/null
+++ b/easy-rsa/build-key-pass
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Similar to build-key, but protect the private key
+# with a password.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-key-pass <name>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+	chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/build-key-pkcs12 b/easy-rsa/build-key-pkcs12
new file mode 100755
index 0000000..f8a057b
--- /dev/null
+++ b/easy-rsa/build-key-pkcs12
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+if test $# -ne 1; then
+        echo "usage: build-key-pkcs12 <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+        openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
+	chmod 0600 $1.key $1.p12
+else
+	echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/build-key-server b/easy-rsa/build-key-server
new file mode 100755
index 0000000..30dc41e
--- /dev/null
+++ b/easy-rsa/build-key-server
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+if test $# -ne 1; then
+        echo "usage: build-key-server <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
+        chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/build-req b/easy-rsa/build-req
new file mode 100755
index 0000000..30f62f5
--- /dev/null
+++ b/easy-rsa/build-req
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Build a certificate signing request and private key.  Use this
+# when your root certificate and key is not available locally.
+#
+
+if test $# -ne 1; then
+    echo "usage: build-req <name>";
+    exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+    cd $KEY_DIR && \
+    openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+    echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/build-req-pass b/easy-rsa/build-req-pass
new file mode 100755
index 0000000..829b286
--- /dev/null
+++ b/easy-rsa/build-req-pass
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Like build-req, but protect your private key
+# with a password.
+#
+
+if test $# -ne 1; then
+    echo "usage: build-req-pass <name>";
+    exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+    cd $KEY_DIR && \
+    openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+    echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/clean-all b/easy-rsa/clean-all
new file mode 100755
index 0000000..d10aef5
--- /dev/null
+++ b/easy-rsa/clean-all
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+#
+
+d=$KEY_DIR
+
+if test $d; then
+	rm -rf $d
+	mkdir $d && \
+	chmod go-rwx $d && \
+	touch $d/index.txt && \
+	echo 01 >$d/serial
+else
+	echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/list-crl b/easy-rsa/list-crl
new file mode 100644
index 0000000..b214dbd
--- /dev/null
+++ b/easy-rsa/list-crl
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# list revoked certificates
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: list-crl <crlfile.pem>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl crl -text -noout -in $1
+else
+       echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/make-crl b/easy-rsa/make-crl
new file mode 100644
index 0000000..62fe6c1
--- /dev/null
+++ b/easy-rsa/make-crl
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# generate a CRL
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: make-crl <crlfile.pem>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl ca -gencrl -out $1 -config $KEY_CONFIG
+else
+       echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/openssl.cnf b/easy-rsa/openssl.cnf
new file mode 100644
index 0000000..270b069
--- /dev/null
+++ b/easy-rsa/openssl.cnf
@@ -0,0 +1,255 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/easy-rsa/revoke-crt b/easy-rsa/revoke-crt
new file mode 100644
index 0000000..35b071a
--- /dev/null
+++ b/easy-rsa/revoke-crt
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# revoke a certificate
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: revoke-crt <file.crt>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl ca -revoke $1 -config $KEY_CONFIG
+else
+       echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/revoke-full b/easy-rsa/revoke-full
new file mode 100755
index 0000000..66ea03f
--- /dev/null
+++ b/easy-rsa/revoke-full
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL=crl.pem
+RT=revoke-test.pem
+
+if test $# -ne 1; then
+        echo "usage: revoke-full <name>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR
+       rm -f $RT
+
+       # revoke key and generate a new CRL
+       openssl ca -revoke $1.crt -config $KEY_CONFIG
+
+       # generate a new CRL
+       openssl ca -gencrl -out $CRL -config $KEY_CONFIG
+       cat ca.crt $CRL >$RT
+    
+       # verify the revocation
+       openssl verify -CAfile $RT -crl_check $1.crt
+else
+       echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/sign-req b/easy-rsa/sign-req
new file mode 100755
index 0000000..59edc42
--- /dev/null
+++ b/easy-rsa/sign-req
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+#
+
+if test $# -ne 1; then
+        echo "usage: sign-req <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+	echo you must define KEY_DIR
+fi
diff --git a/easy-rsa/vars b/easy-rsa/vars
new file mode 100644
index 0000000..da89cd2
--- /dev/null
+++ b/easy-rsa/vars
@@ -0,0 +1,49 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export D=`pwd`
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=$D/openssl.cnf
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR=$D/keys
+
+# Issue rm -rf warning
+echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY=KG
+export KEY_PROVINCE=NA
+export KEY_CITY=BISHKEK
+export KEY_ORG="OpenVPN-TEST"
+export KEY_EMAIL="me@myhost.mydomain"