programmatically build certificates

This is where we can discuss what we would like to see added or changed in OpenVPN.


qwertyjjj
OpenVPN User
Posts: 45
Joined: Tue Feb 01, 2011 10:43 am

programmatically build certificates

Post by qwertyjjj » Fri Jan 10, 2020 2:14 am

When I run this it always asks me for the CA passphrase:
./easyrsa build-client-full ClientCert

I want to build certificates automatically using a bash script. How can I avoid having to enter the passphrase manually using the build-client-full command?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: programmatically build certificates

Post by TiTex » Thu Jan 23, 2020 7:21 pm

It depends on how much of your SSL security you're willing to give up; you have a couple of options:
1. You can remove the password from your ca.key:


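# Strip the passphrase from the CA key, keeping the encrypted original as ca.key.enc.
# The resulting ca.key is an unencrypted CA private key: anyone who can read it can
# sign certificates, so tighten the umask first so the new file is not created
# readable by group/other, and stop if the backup copy cannot be made.
umask 077
cp -- ca.key ca.key.enc || exit 1
openssl rsa -in ca.key.enc -out ca.key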
2. You can apply the attached patch to the easyrsa script using git. It adds a new option, --cakey-passwd-file=FILE, where FILE is the path to a file holding the CA key password on its first line.

To view the options:


# Lists the supported command-line options, including the patch's new --cakey-passwd-file=FILE.
./easyrsa help options
To have a default, you can also add the value to the vars file with:


# vars-file default for --cakey-passwd-file: the path of a file whose first line holds
# the CA key password. The value is a path, not the secret itself.
# NOTE(review): the password file should be readable only by the account that runs
# easyrsa, since its contents unlock the CA key — confirm its mode after creating it.
set_var EASYRSA_CA_KEY_PASS     "/path/to/cakey_password_file"
easyrsa-cakey-password.patch


diff --git a/easyrsa b/easyrsa
index 5df2c23..b8758b1 100755
--- a/easyrsa
+++ b/easyrsa
@@ -225,6 +225,7 @@ Certificate & Request options: (these impact cert/req field values)
 --use-algo=ALG  : crypto alg to use: choose rsa (default) or ec
 --curve=NAME    : for elliptic curve, sets the named curve to use
 --copy-ext      : Copy included request X509 extensions (namely subjAltName
+--cakey-passwd-file=FILE : Provide a file containing the Certificate Authority key password , on one line

 Organizational DN options: (only used with the 'org' DN mode)
   (values may be blank for org DN options)
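Review bot: The new help line at the top of this hunk breaks the column alignment of the option table (`--use-algo=ALG  :`, `--curve=NAME    :`) and has a stray space before the comma. Since openssl's `file:` password source reads only the first line of the file, saying so removes the ambiguity of "on one line": `--cakey-passwd-file=FILE : read the CA key password from the first line of FILE`. The help text continues outside the hunk.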
@@ -804,6 +805,8 @@ $EASYRSA_TEMP_EXT"
        # make safessl-easyrsa.cnf
        make_ssl_config

+       # check if we want to pass the CAKey password as a file
+       [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
        # sign request
        # shellcheck disable=SC2086
        crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
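Review bot: The added line hands `$EASYRSA_CA_KEY_PASS` to openssl without checking that the file exists or is readable, so a typo in --cakey-passwd-file only surfaces as an openssl `ca` failure further down; the copies in the revoke, gen_crl and update_db hunks have the same gap. A guard before the append gives a clear diagnosis: `[ -z "$EASYRSA_CA_KEY_PASS" ] || [ -r "$EASYRSA_CA_KEY_PASS" ] || die "CA key password file not readable: $EASYRSA_CA_KEY_PASS"`. Because `opts` is a whitespace-separated string that the script expands unquoted (`$opts` on the openssl lines in the gen_crl and update_db hunks), a password-file path containing whitespace would also be split into several arguments, which the same guard is the natural place to reject. The enclosing function starts and continues outside the hunk.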
@@ -875,7 +878,10 @@ Run easyrsa without commands for usage and command help."
        if [ "$2" ]; then
                opts="$opts -crl_reason $2"
        fi
-
+
+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
+
        verify_file x509 "$crt_in" || die "\
 Unable to revoke as the input file is not a valid certificate. Unexpected
 input in file: $crt_in"
@@ -1140,9 +1146,12 @@ gen_crl() {
        # make safessl-easyrsa.cnf
        make_ssl_config

+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+
        out_file="$EASYRSA_PKI/crl.pem"
        out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
-       "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
+       "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" $opts || die "\
 CRL Generation failed.
 "
        mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
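Review bot: `opts` is only assigned when EASYRSA_CA_KEY_PASS is non-empty and is never cleared first, so with the variable unset the new `$opts` on the openssl ca line expands to whatever the global already holds (the sign hunk appends to the same variable), which is empty only by accident; the update_db hunk has the same shape. Reset it before the test by adding `opts=` on its own line ahead of the `[ -n "$EASYRSA_CA_KEY_PASS" ]` check. The two added lines are also indented with spaces while the surrounding lines use the file's existing indentation, a mismatch that repeats in the revoke and update_db hunks. gen_crl continues outside the hunk.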
@@ -1316,7 +1325,10 @@ Failed to change the private key passphrase. See above for error messages."
 update_db() {
        verify_ca_init

-       "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" || die "\
+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+
+       "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" $opts || die "\
 Failed to perform update-db: see above for related openssl errors."
        return 0
 } # => update_db()
@@ -1469,7 +1481,7 @@ vars_setup() {
        elif [ -f "$prog_vars" ]; then
                vars="$prog_vars"
        fi
-
+
        # If a vars file was located, source it
        # If $EASYRSA_NO_VARS is defined (not blank) this is skipped
        if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
@@ -1480,7 +1492,7 @@ vars_setup() {
                notice "\
 Note: using Easy-RSA configuration from: $vars"
        fi
-
+
        # Set defaults, preferring existing env-vars if present
        set_var EASYRSA         "${0%/*}"
        set_var EASYRSA_OPENSSL openssl
@@ -1497,7 +1509,7 @@ Note: using Easy-RSA configuration from: $vars"
        set_var EASYRSA_CURVE           secp384r1
        set_var EASYRSA_EC_DIR          "$EASYRSA_PKI/ecparams"
        set_var EASYRSA_CA_EXPIRE       3650
-       set_var EASYRSA_CERT_EXPIRE     1080 # new default of 36 months
+       set_var EASYRSA_CERT_EXPIRE     1080 # new default of 36 months
        set_var EASYRSA_CERT_RENEW      30
        set_var EASYRSA_CRL_DAYS        180
        set_var EASYRSA_NS_SUPPORT      no
@@ -1515,7 +1527,7 @@ Note: using Easy-RSA configuration from: $vars"
        # Same as above for the x509-types extensions dir
        if [ -d "$EASYRSA_PKI/x509-types" ]; then
                set_var EASYRSA_EXT_DIR         "$EASYRSA_PKI/x509-types"
-       else
+       else
                #TODO: This should be removed.  Not really suitable for packaging.
                set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
        fi
@@ -1579,6 +1591,8 @@ while :; do
                export EASYRSA_REQ_CN="$val" ;;
        --digest)
                export EASYRSA_DIGEST="$val" ;;
+       --cakey-passwd-file)
+               export EASYRSA_CA_KEY_PASS="$val" ;;
        --req-c)
                empty_ok=1
                export EASYRSA_REQ_COUNTRY="$val" ;;

larsen
OpenVpn Newbie
Posts: 5
Joined: Tue Oct 05, 2021 7:22 pm

Re: programmatically build certificates

Post by larsen » Tue Jan 10, 2023 11:41 am

Not the safest, since the passwords are visible in the process list, but it works without removing the passphrase from the CA key.


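# Build a client certificate without interactive prompts.
# NB: pass:... puts both passwords on the easyrsa/openssl command line, where other local
# users can read them from the process list; --passin=file:/path (first line of the file)
# keeps the CA password out of argv and should be preferred on a shared host.
# $connection is the client name and must be set by the caller.
: "${connection:?connection (client certificate name) must be set}"
export EASYOPT="--vars=/etc/openvpn/easy-rsa/vars --passout=pass:cert_password --passin=pass:ca_password"
cd /etc/openvpn/easy-rsa || exit 1
# shellcheck disable=SC2086 -- EASYOPT is deliberately word-split into separate options
./easyrsa ${EASYOPT} build-client-full "${connection}"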

ssbstudent311
OpenVpn Newbie
Posts: 2
Joined: Thu Sep 12, 2024 9:18 pm

Re: programmatically build certificates

Post by ssbstudent311 » Thu Sep 12, 2024 9:46 pm

Lab created diamonds engagement rings, also known as synthetic diamonds or cultured diamonds, are made using a process that replicates natural diamond formation deep within the earth. These unique and ethical diamonds have the same physical properties and chemical structure as natural diamonds but are grown in a lab using technology. The diamond expert is key in the initial consultation to guide you through the process of choosing the right stone and setting. Lab grown diamonds are all about ethical sourcing and sustainability so it’s the responsible choice. lab grown diamonds canada
