Linux

OpenVPN easy-rsa build-key automation?

  • February 25, 2020

I have a lot of keys to generate for my client VPN server. Every time I generate a key like this with easy-rsa:

./build-key client1

there is some output with a series of questions. All of these questions have default answers defined in the vars file.

Generating a 1024 bit RSA private key
............................................++++++
.......................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CO]:
Locality Name (eg, city) [Denver]:
Organization Name (eg, company) [mycompany]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [it@mycompany.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CO'
localityName          :PRINTABLE:'Denver'
organizationName      :PRINTABLE:'mycompany'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'it@mycompany.com'
Certificate is to be certified until Jan  3 20:16:04 2038 GMT (9999 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

All in all, I have to press the following keys by hand:

ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
y
ENTER
y
ENTER

Basically I am just accepting all the default answers and saying "yes" to the last two questions. Is there any -force-quiet flag or something I can use with build-key? If not, is there a script or bash trick that would let me do this every time? I can't find anything about it in any man page.

If you look at the source of build-key, you will see that it is calling pkitool. I wrote a wrapper that bundles the client's keys and the appropriate openvpn config file into a tarball that I can then hand to my users:

#!/bin/bash
# Wrapper around easy-rsa's pkitool: generate a client key/cert without the
# interactive prompts, then bundle it with the CA cert and the OpenVPN profile.
set -e

client=$1

if [ -z "$client" ]; then
   echo "Usage: $0 clientname"
   exit 1
fi

# The bundle contains a private key: create everything owner-only.
umask 077

if [ ! -e "keys/$client.key" ]; then
   echo "Generating keys..."
   . vars                 # load the defaults (KEY_COUNTRY, KEY_ORG, ...) that pkitool reads
   ./pkitool "$client"    # non-interactive; build-key just runs pkitool with --interact
   echo "...keys generated."
fi

tarball=./keys/$client.tgz

if [ ! -e "$tarball" ]; then
   echo "Creating tarball..."
   tmpdir=$(mktemp -d)    # private, unpredictable temp dir instead of /tmp/client-tar.$$
   cp company.ovpn "$tmpdir/company.ovpn"
   cp keys/ca.crt "$tmpdir"
   cp "keys/$client.key" "$tmpdir/client.key"
   cp "keys/$client.crt" "$tmpdir/client.crt"
   tar -C "$tmpdir" -czvf "$tarball" .
   rm -rf "$tmpdir"
   echo "...tarball created"
else
   echo "Nothing to do, so nothing done. (keys/$client.tgz already exists)"
fi
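As an added example (not from the answer above and not part of easy-rsa), the same wrapper idea carried through to a fully non-interactive script: instead of calling pkitool, it drives openssl directly with -subj and -batch, which is what pkitool does underneath, so neither the DN prompts nor the "Sign the certificate?" prompts ever appear. It also validates the client name before it is spliced into file paths and the CN, builds the bundle in a private mktemp directory, and keeps the private key and tarball owner-only. The DN defaults reuse the values shown in the question as stand-ins for the vars file; the file layout (keys/ca.crt and keys/ca.key from build-ca, company.ovpn in the current directory), the 2048-bit key size, the 3650-day validity and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original answer or of easy-rsa itself.
# Same wrapper idea, but fully non-interactive: the DN that the prompts would
# collect is passed with -subj and the signing step runs with no prompt,
# which is what easy-rsa's pkitool does underneath with "openssl req -batch"
# and "openssl ca -batch". Assumed layout: keys/ca.crt and keys/ca.key from
# build-ca, and company.ovpn in the current directory.
set -eu

# Defaults standing in for the vars file (constructed values from the question).
: "${KEY_COUNTRY:=US}" "${KEY_PROVINCE:=CO}" "${KEY_CITY:=Denver}"
: "${KEY_ORG:=mycompany}" "${KEY_EMAIL:=it@mycompany.com}"
: "${KEY_SIZE:=2048}" "${KEY_EXPIRE:=3650}" "${KEY_DIR:=keys}"

# Private keys and the bundle must never be group/world readable.
umask 077

# The client name ends up in file paths and in the certificate CN, so accept
# only [A-Za-z0-9._-] and reject a leading "." or "-": "../x" must not escape
# KEY_DIR and "-foo" must not be parsed as an option.
validate_client_name() {
    case "$1" in
        ''|.*|-*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# The DN string that the interactive prompts would otherwise ask for.
subject_for() {
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s' \
        "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" "$KEY_ORG" "$1" "$KEY_EMAIL"
}

# Key + CSR, then sign with the CA. Neither command prompts.
generate_keys() {
    client=$1
    openssl req -batch -new -nodes -newkey "rsa:$KEY_SIZE" \
        -subj "$(subject_for "$client")" \
        -keyout "$KEY_DIR/$client.key" -out "$KEY_DIR/$client.csr"
    openssl x509 -req -days "$KEY_EXPIRE" -in "$KEY_DIR/$client.csr" \
        -CA "$KEY_DIR/ca.crt" -CAkey "$KEY_DIR/ca.key" -CAcreateserial \
        -out "$KEY_DIR/$client.crt"
    rm -f "$KEY_DIR/$client.csr"
}

# Bundle in a private mktemp directory (not a predictable /tmp/name.$$ path)
# and hand back the owner-only tarball path.
make_bundle() {
    client=$1
    tarball=$(cd "$KEY_DIR" && pwd)/$client.tgz
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT
    cp company.ovpn "$tmpdir/company.ovpn"
    cp "$KEY_DIR/ca.crt" "$tmpdir/ca.crt"
    cp "$KEY_DIR/$client.key" "$tmpdir/client.key"
    cp "$KEY_DIR/$client.crt" "$tmpdir/client.crt"
    tar -czf "$tarball" -C "$tmpdir" ca.crt client.crt client.key company.ovpn
    chmod 600 "$tarball"
    rm -rf "$tmpdir"
    trap - EXIT
    echo "$tarball"
}

# Sorted, space-separated member list of a bundle (used for checking).
bundle_members() {
    tar -tzf "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

main() {
    client=${1:-}
    if ! validate_client_name "$client"; then
        echo "Usage: $0 clientname   (letters, digits, '.', '_' and '-' only)" >&2
        return 1
    fi
    [ -e "$KEY_DIR/$client.key" ] || generate_keys "$client"
    [ -e "$KEY_DIR/$client.tgz" ] || make_bundle "$client"
}

# Only run when given a client name, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

One caveat when swapping pkitool for raw openssl: pkitool signs through openssl ca with easy-rsa's openssl.cnf, which records every issued certificate in index.txt (what revoke-full and CRL generation rely on) and applies the client certificate extensions from that config. The openssl x509 -req shortcut above does neither, so keep pkitool if you need easy-rsa's CA database for revocation.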

Quoted from: https://serverfault.com/questions/172509