Linux
OpenVPN easy-rsa build-key automation?
I have a lot of keys to generate for my customer VPN server. Every time I generate such a key with easy-rsa:
./build-key client1
there is some output with a series of questions. These questions all have default answers defined in the vars file:

Generating a 1024 bit RSA private key
............................................++++++
.......................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CO]:
Locality Name (eg, city) [Denver]:
Organization Name (eg, company) [mycompany]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [it@mycompany.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CO'
localityName          :PRINTABLE:'Denver'
organizationName      :PRINTABLE:'mycompany'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'it@mycompany.com'
Certificate is to be certified until Jan  3 20:16:04 2038 GMT (9999 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
All told, I have to press the following keys manually:
ENTER ENTER ENTER ENTER ENTER ENTER ENTER ENTER y ENTER y ENTER
Basically I'm just accepting all the default answers and saying "yes" to the last two questions. Is there any -force or -quiet flag or something I can use with build-key? If not, is there a script or bash trick that will let me do this every time? I couldn't find anything about it in any of the man pages.
If you look at the source of build-key, you'll see it is calling pkitool. I wrote a wrapper that bundles the client's keys and the appropriate openvpn config file into a tarball, which I can then hand to my users:

#!/bin/bash
# Usage: ./make-client-bundle clientname
client="$1"
if [ -z "$client" ]; then
    echo "Usage: $0 clientname"
    exit 1
fi

# Generate the client key/cert non-interactively via pkitool if it does not exist yet
if [ ! -e "keys/$client.key" ]; then
    echo "Generating keys..."
    . vars
    ./pkitool "$client" || { echo "pkitool failed for $client"; exit 1; }
    echo "...keys generated."
fi

tarball="./keys/$client.tgz"
if [ ! -e "$tarball" ]; then
    echo "Creating tarball..."
    # mktemp gives an unpredictable, private (0700) staging directory
    tmpdir=$(mktemp -d) || exit 1
    cp company.ovpn "$tmpdir/company.ovpn"
    cp keys/ca.crt "$tmpdir"
    cp "keys/$client.key" "$tmpdir/client.key"
    cp "keys/$client.crt" "$tmpdir/client.crt"
    tar -C "$tmpdir" -czvf "$tarball" .
    rm -rf "$tmpdir"
    echo "...tarball created"
else
    echo "Nothing to do, so nothing done. (keys/$client.tgz already exists)"
fi