Commit b217a4f8 authored by Janek Bevendorff's avatar Janek Bevendorff

Add OpenSSL certificate management script for OpenVPN

parent 85f4a78a
......@@ -14,7 +14,7 @@
"elasticsearch": "Helper scripts for managing Elasticsearch on the Betaweb cluster.",
"git": "Helper scripts for working with the Webis Git server and GitLab instance.",
"webis20": "Storage Management Scripts, need direct access to RAID Controller and MegaCLI installed",
"openvpn": "Webis OpenVPN tools"
"vpn": "Webis OpenVPN tools"
},
"commands_aliases": {
......@@ -22,7 +22,6 @@
"util": ["ut"],
"betamng": ["bm"],
"betaweb": ["bw"],
"elasticsearch": ["es"],
"openvpn": ["vpn"]
"elasticsearch": ["es"]
}
}
#!/usr/bin/env bash
if [ "$1" == "" ]; then
echo "Usage: $(basename $0) pkcs12-file.p12" >&2
exit 1
fi
echo -n "Password: " >&2
read -s pass
cat <<EOL
client
remote vpn.webis.de
dev tun
proto udp
port 1194
user nobody
group nobody
remote-cert-tls server
<ca>
$(echo $pass | openssl pkcs12 -in "$1" -passin stdin -cacerts -nodes -nokeys)
</ca>
<cert>
$(echo $pass | openssl pkcs12 -in "$1" -passin stdin -clcerts -nodes -nokeys)
</cert>
<key>
$(echo -e "$pass\n$pass" | openssl pkcs12 -in "$1" -passin stdin -passout stdin -nocerts -aes256)
</key>
EOL
echo >&2
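Review bot: `$pass` is expanded unquoted in the two `echo $pass |` pipelines (the `<ca>` and `<cert>` substitutions), so a password containing spaces or glob characters is word-split and pathname-expanded before it reaches `openssl`, and `echo -e "$pass\n$pass"` in the `<key>` substitution additionally interprets backslash sequences inside the password itself. Use printf with a quoted argument instead: `printf '%s\n' "$pass" | openssl pkcs12 -in "$1" -passin stdin -cacerts -nodes -nokeys`, the same for the `-clcerts` line, and `printf '%s\n%s\n' "$pass" "$pass" | openssl pkcs12 -in "$1" -passin stdin -passout stdin -nocerts -aes256`. Feeding the password on stdin rather than via `-passin pass:` is the right choice and should stay, since it keeps the secret out of the process list. Separately, a wrong password or unreadable file does not stop the script: the heredoc is still emitted with empty `<ca>`, `<cert>` and `<key>` blocks and exit status 0, so consider running the three extractions into variables first and exiting non-zero if any of them fails.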
# Default value if env variable is not set
CA_BASE_DIR = /does/not/exist
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
commonName = "Certificate Common Name (CN)"
emailAddress = "Certificate Email Address"
emailAddress_default = "webis@listserv.uni-weimar.de"
countryName = "Country Name (2 letter code)"
countryName_default = "DE"
stateOrProvinceName = "State Name (full name)"
stateOrProvinceName_default = "Thuringia"
localityName = "Locality Name (e.g., city)"
localityName_default = "Weimar"
organizationName = "Organization Name (e.g., company)"
organizationName_default = "Webis"
[ req_attributes ]
[ v3_req_client ]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = critical, clientAuth
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
[ v3_cert_client ]
nsCertType = client
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[ v3_req_server ]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = critical, serverAuth
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
[ v3_cert_server ]
nsCertType = server
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[ v3_req_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
[ v3_cert_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[ ca ]
default_ca = webis_ca
[ webis_ca ]
dir = $ENV::CA_BASE_DIR
new_certs_dir = $dir/certs
serial = $dir/serial.txt
crlnumber = $dir/crlnumber.txt
database = $dir/index.txt
default_bits = 2048
default_md = sha256
default_days = 730
default_crl_days = 1825
policy = policy_match
name_opt = ca_default
cert_opt = ca_default
unique_subject = no
[ policy_match ]
commonName = supplied
emailAddress = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
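Review bot: `[ webis_ca ]` sets no `x509_extensions`, so an `openssl ca` invocation that omits `-extensions` issues a certificate carrying none of the `v3_cert_*` constraints (no basicConstraints, keyUsage or extendedKeyUsage); the calling script is collapsed in this view, so whether it always passes `-extensions` cannot be confirmed here. A fail-safe default would be `x509_extensions = v3_cert_client` in that section, with a comment such as `# default when -extensions is omitted; server and CA certs must pass -extensions explicitly`. The implicit `copy_extensions = none` is the right choice, since it means the CSR's `v3_req_*` extensions are ignored at issuance and a requester cannot turn a client request into a `CA:TRUE` or `serverAuth` certificate, and that deserves a one-line comment so nobody later adds `copy_extensions = copy` for convenience. `unique_subject = no` together with `default_days = 730` permits renewal by reissuing under the same CN, but it also means a second client certificate with a duplicate CN is accepted silently, which is worth stating in a comment above that line.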