OpenVPN easy-rsa build-key automation?
If you look at the source of build-key
, you'll find it's calling pkitool
. I wrote a wrapper to bundle up the cilent's keys and the appropriate openvpn config files into a tarball I could then give to my users:
#!/bin/bash
client=$1
if [ x$client = x ]; then
echo "Usage: $0 clientname"
exit 1
fi
if [ ! -e keys/$client.key ]; then
echo "Generating keys..."
. vars
./pkitool $client
echo "...keys generated."
fi
tarball=./keys/$client.tgz
if [ ! -e $tarball ]; then
echo "Creating tarball..."
tmpdir=/tmp/client-tar.$$
mkdir $tmpdir
cp company.ovpn $tmpdir/company.ovpn
cp keys/ca.crt $tmpdir
cp keys/$client.key $tmpdir/client.key
cp keys/$client.crt $tmpdir/client.crt
tar -C $tmpdir -czvf $tarball .
rm -rf $tmpdir
echo "...tarball created"
else
echo "Nothing to do, so nothing done. (keys/$client.tgz already exists)"
fi
try --batch flag
./build-key --batch client1
The new version of EasyRSA comes as a single binary right now. To automate building a client key, you can now use "vars" file (just place it in the same directory as easyrsa binary):
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA "$PWD"
set_var EASYRSA_OPENSSL "openssl"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "Country"
set_var EASYRSA_REQ_PROVINCE "Province"
set_var EASYRSA_REQ_CITY "City"
set_var EASYRSA_REQ_ORG "Org Ltd"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Infrastructure"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
and use EasyRSA's binary:
./easyrsa build-client-full client1 nopass