source: hybrid/branches/releng-9/nanobsd/files/tools/openvpn-easy-rsa@ 12900

Last change on this file since 12900 was 10458, checked in by rick, 13 years ago

OpenVPN easy-rsa is an great tool, hacking it into a NanoBSD env was a bit more
challenging, but this should do the trick more and less. Please note generating
the random bits can take an long...time.

  • Property svn:executable set to *
File size: 2.6 KB
Line 
1#!/bin/sh
2#
3# Initialize the OpenVPN Easy-RSA 2.0 scripts
4#
5# Rick van der Zwet <rick@wirelessleiden.nl>
6#
7
8# This variable should point to
9# the top level of the easy-rsa
10# tree.
11export EASY_RSA=${EASY_RSA:-"/usr/local/share/easy-rsa"}
12
13if [ ! -d "$EASY_RSA" ]; then
14 echo "# Installing easy-rsa at $EASY_RSA"
15 trap "mount -ur /; exit 1" 1 2 15
16 mount -uwo noatime / || exit 1
17 make -C /usr/local/share/doc/openvpn/easy-rsa/2.0 install DESTDIR=$EASY_RSA || exit 1
18 # Avoid disasters and move the vars template holder
19 mv $EASY_RSA/vars $EASY_RSA/vars.old || exit 1
20 mount -ur /
21 trap - 1 2 15
22fi
23
24#
25# This variable should point to
26# the requested executables
27#
28export OPENSSL="openssl"
29export PKCS11TOOL="pkcs11-tool"
30export GREP="grep"
31
32
33# This variable should point to
34# the openssl.cnf file included
35# with easy-rsa.
36export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
37
38# Edit this variable to point to
39# your soon-to-be-created key
40# directory.
41#
42# WARNING: clean-all will do
43# a rm -rf on this directory
44# so make sure you define
45# it correctly!
46export KEY_DIR="${KEY_DIR:-/etc/easy-rsa-keys}"
47
48# Issue rm -rf warning
49echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
50
51# PKCS11 fixes
52export PKCS11_MODULE_PATH="dummy"
53export PKCS11_PIN="dummy"
54
55# Increase this to 2048 if you
56# are paranoid. This will slow
57# down TLS negotiation performance
58# as well as the one-time DH parms
59# generation process.
60export KEY_SIZE=1024
61
62# In how many days should the root CA key expire?
63export CA_EXPIRE=3650
64
65# In how many days should certificates expire?
66export KEY_EXPIRE=3650
67
68# These are the default values for fields
69# which will be placed in the certificate.
70# Don't leave any of these fields blank.
71export KEY_COUNTRY="US"
72export KEY_PROVINCE="CA"
73export KEY_CITY="SanFrancisco"
74export KEY_ORG="Fort-Funston"
75export KEY_EMAIL="me@myhost.mydomain"
76export KEY_EMAIL=mail@host.domain
77export KEY_CN=changeme
78export KEY_NAME=changeme
79export KEY_OU=changeme
80export PKCS11_MODULE_PATH=changeme
81export PKCS11_PIN=1234
82
83# Start the local shell
84cd $EASY_RSA
85echo "#"
86echo "# Type exit when done to write changes to persistent disk"
87echo "#"
88# Primer to remember what we are doing
89sed -n -e '/Typical/,$p' README | sed -e 's/^/## /g' | grep -v '. ./vars'
90echo "#"
91bash || sh
92
93echo "# Writing changes to persistent storage (/cfg)"
94trap "umount /cfg; exit 1" 1 2 15 EXIT
95
96mount -ro noatime /cfg || exit 1
97CFG_KEY_DIR=/cfg/`basename $KEY_DIR`
98diff -b -B -q -r $KEY_DIR $CFG_KEY_DIR || {
99 mount -uwo noatime /cfg || exit 1
100 rm -fR $CFG_KEY_DIR || exit 1
101 cp -R $KEY_DIR $CFG_KEY_DIR || exit 1
102}
Note: See TracBrowser for help on using the repository browser.