Diffstat (limited to 'easy-rsa/README')
-rw-r--r-- easy-rsa/README 193
1 files changed, 100 insertions, 93 deletions
diff --git a/easy-rsa/README b/easy-rsa/README
index fd424ef..02800c2 100644
--- a/easy-rsa/README
+++ b/easy-rsa/README
@@ -1,14 +1,53 @@
-This is a small RSA key management package,
-based on the openssl command line tool, that
-can be found in the easy-rsa subdirectory
+EASY-RSA Version 2.0-rc1
+
+This is a small RSA key management package, based on the openssl
+command line tool, that can be found in the easy-rsa subdirectory
of the OpenVPN distribution.
-These are reference notes. For step
-by step instructions, see the HOWTO:
+These are reference notes. For step-by-step instructions, see the
+HOWTO:
http://openvpn.net/howto.html
-INSTALL
+This package is based on the ./pkitool script. Run ./pkitool
+without arguments for a detailed help message (which is also pasted
+below).
+
+Release Notes for easy-rsa-2.0
+
+* Most functionality has been consolidated into the pkitool
+ script. For compatibility, all previous scripts from 1.0 such
+ as build-key and build-key-server are provided as stubs
+ which call pkitool to do the real work.
+
+* pkitool has a --batch flag (enabled by default) which generates
+ keys/certs without needing any interactive input. pkitool
+ can still generate certs/keys using interactive prompting by
+ using the --interact flag.
+
+* The inherit-inter script has been provided for creating
+ a new PKI rooted on an intermediate certificate built within a
+ higher-level PKI. See comments in the inherit-inter script
+ for more info.
+
+* The openssl.cnf file has been modified. pkitool will not
+ work with the openssl.cnf file included with previous
+ easy-rsa releases.
+
+* The vars file has been modified -- the following extra
+ variables have been added: EASY_RSA, CA_EXPIRE,
+ KEY_EXPIRE.
+
+* The make-crl and revoke-crt scripts have been removed and
+ are replaced by the revoke-full script.
+
+* The "Organizational Unit" X509 field can be set using
+ the KEY_OU environmental variable before calling pkitool.
+
+* This release only affects the Linux/Unix version of easy-rsa.
+ The Windows version (written to use the Windows shell) is unchanged.
+
+INSTALL easy-rsa
1. Edit vars.
2. Set KEY_CONFIG to point to the openssl.cnf file
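Review bot: The vars item in the release notes names the new variables EASY_RSA, CA_EXPIRE and KEY_EXPIRE but does not say what each controls or what its default is; a one-line description per variable (or a pointer to the comments in vars) would help, since step 1 of INSTALL sends readers straight to that file. The --batch item a few lines earlier also deserves one more sentence: because batch mode is now the default, pkitool generates and signs certificates with no interactive confirmation, so an operator who signs CSRs received from other machines should inspect the CSR contents before running it, or pass --interact to get the prompts back.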
@@ -34,92 +73,6 @@ INSTALL
only .key files should be kept confidential.
.crt and .csr files can be sent over insecure
channels such as plaintext email.
-8. You should never need to copy a .key file
- between computers. Normally each computer
- will have its own certificate/key pair.
-
-BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
-
-1. ./build-ca
-2. ca.crt and ca.key will be built in your KEY_DIR
- directory
-
-BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
-
-1. ./build-inter inter
-2. inter.crt and inter.key will be built in your KEY_DIR
- directory and signed with your root certificate.
-
-BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
-the server end of a SSL/TLS connection).
-
-1. ./build-dh
-
-BUILD A CERTIFICATE SIGNING REQUEST (If
-you want to sign your certificate with a root
-certificate controlled by another individual
-or organization, or residing on a different machine).
-
-1. Get ca.crt (the root certificate) from your
- certificate authority. Though this
- transfer can be over an insecure channel, to prevent
- man-in-the-middle attacks you must confirm that
- ca.crt was not tampered with. Large CAs solve this
- problem by hardwiring their root certificates into
- popular web browsers. A simple way to verify a root
- CA is to call the issuer on the telephone and confirm
- that the md5sum or sha1sum signatures on the ca.crt
- files match (such as with the command: "md5sum ca.crt").
-2. Choose a name for your certificate such as your computer
- name. In our example we will use "mycert".
-3. ./build-req mycert
-4. You can ignore most of the fields, but set
- "Common Name" to something unique such as your
- computer's host name. Leave all password
- fields blank, unless you want your private key
- to be protected by password. Using a password
- is not required -- it will make your key more secure
- but also more inconvenient to use, because you will
- need to supply your password anytime the key is used.
- NOTE: if you are using a password, use ./build-req-pass
- instead of ./build-req
-5. Your key will be written to $KEY_DIR/mycert.key
-6. Your certificate signing request will be written to
- to $KEY_DIR/mycert.csr
-7. Email mycert.csr to the individual or organization
- which controls the root certificate. This can be
- done over an insecure channel.
-8. After the .csr file is signed by the root certificate
- authority, you will receive a file mycert.crt
- (your certificate). Place mycert.crt in your
- KEY_DIR directory.
-9. The combined files of mycert.crt, mycert.key,
- and ca.crt can now be used to secure one end of
- an SSL/TLS connection.
-
-SIGN A CERTIFICATE SIGNING REQUEST
-
-1. ./sign-req mycert
-2. mycert.crt will be built in your KEY_DIR
- directory using mycert.csr and your root CA
- file as input.
-
-BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
-USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
-script generates and signs a certificate in one step,
-but it requires that the generated certificate and private
-key files be copied to the destination host over a
-secure channel.
-
-1. ./build-key mycert (no password protection)
-2. OR ./build-key-pass mycert (with password protection)
-3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
-4. OR ./build-key-server mycert (with nsCertType=server)
-5. mycert.crt and mycert.key will be built in your
- KEY_DIR directory, and mycert.crt will be signed
- by your root CA. If ./build-key-pkcs12 was used a
- mycert.p12 file will also be created including the
- private key, certificate and the ca certificate.
IMPORTANT
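Review bot: Two pieces of operational guidance removed in this region are not carried over anywhere else in the patch: step 8 of INSTALL ("You should never need to copy a .key file between computers") and the note under BUILD A CERTIFICATE SIGNING REQUEST about confirming out of band that a received ca.crt was not tampered with. Both still apply to the --csr / --sign workflow that replaces build-req and sign-req, so consider keeping them (for example under IMPORTANT or NOTES). If the fingerprint advice is kept, drop the md5sum example and compare a stronger digest instead, e.g. "openssl x509 -noout -fingerprint -sha256 -in ca.crt" on both ends.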
@@ -130,7 +83,8 @@ verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference:
(1) Build your server certificates with the build-key-server
- script. This will designate the certificate as a
+ script, or using the --server option to pkitool.
+ This will designate the certificate as a
server-only certificate by setting nsCertType=server.
Now add the following line to your client configuration:
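Review bot: The new sentence mixes constructions ("with the build-key-server script, or using the --server option"); make them parallel, e.g. "with the build-key-server script or with the --server option to pkitool". Since the release notes above describe build-key-server as a compatibility stub that calls pkitool, it would be clearer to present "pkitool --server" as the primary method and build-key-server as the alias, so readers understand that both produce the same nsCertType=server certificate.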
@@ -159,3 +113,56 @@ NOTES
Show certificate fields:
openssl x509 -in cert.crt -text
+
+PKITOOL documentation
+
+pkitool 2.0
+Usage: pkitool [options...] [common-name]
+Options:
+ --batch : batch mode (default)
+ --interact : interactive mode
+ --server : build server cert
+ --initca : build root CA
+ --inter : build intermediate CA
+ --pass : encrypt private key with password
+ --csr : only generate a CSR, do not sign
+ --sign : sign an existing CSR
+ --pkcs12 : generate a combined pkcs12 file
+Notes:
+ Please edit the vars script to reflect your configuration,
+ then source it with "source ./vars".
+ Next, to start with a fresh PKI configuration and to delete any
+ previous certificates and keys, run "./clean-all".
+ Finally, you can run this tool (pkitool) to build certificates/keys.
+Generated files and corresponding OpenVPN directives:
+(Files will be placed in the $KEY_DIR directory, defined in ./vars)
+ ca.crt -> root certificate (--ca)
+ ca.key -> root key, keep secure (not directly used by OpenVPN)
+ .crt files -> client/server certificates (--cert)
+ .key files -> private keys, keep secure (--key)
+ .csr files -> certificate signing request (not directly used by OpenVPN)
+ dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
+Examples:
+ pkitool --initca -> Build root certificate
+ pkitool --initca --pass -> Build root certificate with password-protected key
+ pkitool --server server1 -> Build "server1" certificate/key
+ pkitool client1 -> Build "client1" certificate/key
+ pkitool --pass client2 -> Build password-protected "client2" certificate/key
+ pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS #12 format
+ pkitool --csr client4 -> Build "client4" CSR to be signed by another CA
+ pkitool --sign client4 -> Sign "client4" CSR
+ pkitool --inter interca -> Build an intermediate key-signing certificate/key
+ Also see ./inherit-inter script.
+Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
+Protect client2 key with a password. Build DH parms. Generated files in ./keys :
+ [edit vars with your site-specific info]
+ source ./vars
+ ./clean-all
+ ./build-dh -> takes a long time, consider backgrounding
+ ./pkitool --initca
+ ./pkitool --server myserver
+ ./pkitool client1
+ ./pkitool --pass client2
+Typical usage for adding client cert to existing PKI:
+ source ./vars
+ ./pkitool client-new
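Review bot: In the "Typical usage for initial PKI setup" sequence, ./clean-all appears as a bare step, while the Notes section just above explains that it deletes any previous certificates and keys; the example should carry that warning inline (e.g. "./clean-all -> deletes any existing keys/certs in $KEY_DIR") because anyone pasting this block into a directory that already holds a CA would destroy ca.key. A smaller point: the Examples entry "pkitool --sign client4" should state where the incoming CSR has to be placed; the "Generated files" section implies $KEY_DIR but the --sign line does not say so.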