programatically build certificates

This is where we can discuss what we would like to see added or changed in OpenVPN.


qwertyjjj
OpenVPN User
Posts: 45
Joined: Tue Feb 01, 2011 10:43 am

programatically build certificates

Post by qwertyjjj » Fri Jan 10, 2020 2:14 am

When I run this it always asks me for the CA passphrase:
./easyrsa build-client-full ClientCert

I want to build certificates automatically using a bash script. How can I avoid having to enter the passphrase manually using the build-client-full command?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: programatically build certificates

Post by TiTex » Thu Jan 23, 2020 7:21 pm

It depends on how much of your SSL security you're willing to give up. You have a couple of options:
1. You can remove the password from your ca.key:


# Keep a copy of the passphrase-protected CA key under a new name.
cp ca.key ca.key.enc
# Rewrite ca.key from that copy. No cipher option is given, so openssl writes
# the key unencrypted: from then on it is protected only by file permissions,
# and anyone who can read ca.key can sign certificates with it.
openssl rsa -in ca.key.enc -out ca.key
2. You can apply the attached patch to the easyrsa script using git. It adds a new option, --cakey-passwd-file=FILE, where FILE is the path to a file holding the CA key password on one line (the first line).

to view the options


# Print the option help; with the patch applied it lists --cakey-passwd-file=FILE.
./easyrsa help options
To set a default, you can also add the value to the vars file with:


# Default path of the file whose first line is the CA key password.
# The file holds the passphrase in clear text, so keep it readable only by
# the account that runs easyrsa.
set_var EASYRSA_CA_KEY_PASS     "/path/to/cakey_password_file"
easyrsa-cakey-password.patch


diff --git a/easyrsa b/easyrsa
index 5df2c23..b8758b1 100755
--- a/easyrsa
+++ b/easyrsa
@@ -225,6 +225,7 @@ Certificate & Request options: (these impact cert/req field values)
 --use-algo=ALG  : crypto alg to use: choose rsa (default) or ec
 --curve=NAME    : for elliptic curve, sets the named curve to use
 --copy-ext      : Copy included request X509 extensions (namely subjAltName
+--cakey-passwd-file=FILE : Provide a file containing the Certificate Authority key password , on one line

 Organizational DN options: (only used with the 'org' DN mode)
   (values may be blank for org DN options)
@@ -804,6 +805,8 @@ $EASYRSA_TEMP_EXT"
        # make safessl-easyrsa.cnf
        make_ssl_config

+       # check if we want to pass the CAKey password as a file
+       [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
        # sign request
        # shellcheck disable=SC2086
        crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
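Review bot: The password-file path is spliced into `opts` as plain text in `opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"`, and the `shellcheck disable=SC2086` just below suggests `$opts` is later expanded unquoted, so a path containing whitespace would be split into several openssl arguments. The revoke hunk adds the same line and has the same problem. POSIX sh has no arrays, so the simplest guard is to reject such paths before use, for example `case "$EASYRSA_CA_KEY_PASS" in *[[:space:]]*) die "CA key password file path must not contain whitespace" ;; esac`. The enclosing function starts and ends outside this hunk.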
@@ -875,7 +878,10 @@ Run easyrsa without commands for usage and command help."
        if [ "$2" ]; then
                opts="$opts -crl_reason $2"
        fi
-
+
+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
+
        verify_file x509 "$crt_in" || die "\
 Unable to revoke as the input file is not a valid certificate. Unexpected
 input in file: $crt_in"
@@ -1140,9 +1146,12 @@ gen_crl() {
        # make safessl-easyrsa.cnf
        make_ssl_config

+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+
        out_file="$EASYRSA_PKI/crl.pem"
        out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
-       "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
+       "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" $opts || die "\
 CRL Generation failed.
 "
        mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
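Review bot: `opts` is assigned only when `EASYRSA_CA_KEY_PASS` is non-empty, yet `$opts` is now always appended to the `openssl ca -gencrl` command. When the variable is empty, whatever `opts` already held ends up on the openssl command line; that could be a value left by an earlier function or, apparently, one inherited from the caller's environment, since no reset is visible in the hunk. The update_db hunk has the same pattern. Put `opts=""` on the line before the `[ -n "$EASYRSA_CA_KEY_PASS" ]` test in both places. The added lines also appear to be indented with spaces where the surrounding code uses tabs. gen_crl's body begins and ends outside this hunk.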
@@ -1316,7 +1325,10 @@ Failed to change the private key passphrase. See above for error messages."
 update_db() {
        verify_ca_init

-       "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" || die "\
+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+
+       "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" $opts || die "\
 Failed to perform update-db: see above for related openssl errors."
        return 0
 } # => update_db()
@@ -1469,7 +1481,7 @@ vars_setup() {
        elif [ -f "$prog_vars" ]; then
                vars="$prog_vars"
        fi
-
+
        # If a vars file was located, source it
        # If $EASYRSA_NO_VARS is defined (not blank) this is skipped
        if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
@@ -1480,7 +1492,7 @@ vars_setup() {
                notice "\
 Note: using Easy-RSA configuration from: $vars"
        fi
-
+
        # Set defaults, preferring existing env-vars if present
        set_var EASYRSA         "${0%/*}"
        set_var EASYRSA_OPENSSL openssl
@@ -1497,7 +1509,7 @@ Note: using Easy-RSA configuration from: $vars"
        set_var EASYRSA_CURVE           secp384r1
        set_var EASYRSA_EC_DIR          "$EASYRSA_PKI/ecparams"
        set_var EASYRSA_CA_EXPIRE       3650
-       set_var EASYRSA_CERT_EXPIRE     1080 # new default of 36 months
+       set_var EASYRSA_CERT_EXPIRE     1080 # new default of 36 months
        set_var EASYRSA_CERT_RENEW      30
        set_var EASYRSA_CRL_DAYS        180
        set_var EASYRSA_NS_SUPPORT      no
@@ -1515,7 +1527,7 @@ Note: using Easy-RSA configuration from: $vars"
        # Same as above for the x509-types extensions dir
        if [ -d "$EASYRSA_PKI/x509-types" ]; then
                set_var EASYRSA_EXT_DIR         "$EASYRSA_PKI/x509-types"
-       else
+       else
                #TODO: This should be removed.  Not really suitable for packaging.
                set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
        fi
@@ -1579,6 +1591,8 @@ while :; do
                export EASYRSA_REQ_CN="$val" ;;
        --digest)
                export EASYRSA_DIGEST="$val" ;;
+       --cakey-passwd-file)
+               export EASYRSA_CA_KEY_PASS="$val" ;;
        --req-c)
                empty_ok=1
                export EASYRSA_REQ_COUNTRY="$val" ;;
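Review bot: The new `--cakey-passwd-file` arm exports whatever path it is given without checking that the file exists and is readable, so a mistyped path only surfaces later as an openssl error in the middle of signing or revocation. A check in the arm would fail early with a clear message: `[ -r "$val" ] || die "Cannot read CA key password file: $val"`. The help text could also say that the file holds the CA passphrase in clear text and should be readable only by the account that runs easyrsa. The option loop starts and ends outside this hunk.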

larsen
OpenVpn Newbie
Posts: 5
Joined: Tue Oct 05, 2021 7:22 pm

Re: programatically build certificates

Post by larsen » Tue Jan 10, 2023 11:41 am

Not the safest, as the passwords are visible in the process list, but it works without removing the passphrase from the CA key.


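# Options shared by the easyrsa call below.
# "pass:" puts both passphrases on the easyrsa/openssl command line, where
# other local users can read them from the process list. OpenSSL's
# "file:PATH" password source avoids that if the exposure matters.
# EASYOPT is deliberately not exported: only this script's own command line
# uses it, and exporting would also copy the passphrases into the environment
# of every child process.
EASYOPT="--vars=/etc/openvpn/easy-rsa/vars --passout=pass:cert_password --passin=pass:ca_password"

# Stop if the Easy-RSA directory is missing, rather than running ./easyrsa
# from whatever the current directory happens to be.
cd /etc/openvpn/easy-rsa || exit 1

# EASYOPT is left unquoted on purpose so it splits into separate options.
# The client name is quoted so it always stays a single argument.
# shellcheck disable=SC2086
./easyrsa ${EASYOPT} build-client-full "${connection}"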
