When I run this it always asks me for the CA passphrase:
./easyrsa build-client-full ClientCert
I want to build certificates automatically using a bash script. How can I avoid having to enter the passphrase manually using the build-client-full command?
programmatically build certificates
- OpenVPN User, Posts: 45, Joined: Tue Feb 01, 2011 10:43 am
- OpenVPN Super User, Posts: 310, Joined: Tue Apr 12, 2011 6:22 am
Re: programmatically build certificates
It depends on how much of your SSL security you're willing to give up. You have a couple of options:
1. You can remove the password from your ca.key:
Code:
cp ca.key ca.key.enc
openssl rsa -in ca.key.enc -out ca.key
2. You can apply the patch attached (easyrsa-cakey-password.patch) using git to the easyrsa script, in which I added a new option, --cakey-passwd-file=FILE, where FILE is the path to a file holding the CA key password on one line (the first line).
To view the options:
Code:
./easyrsa help options
And to have a default you can also add the value in the vars file, with:
Code:
set_var EASYRSA_CA_KEY_PASS "/path/to/cakey_password_file"
Code:
diff --git a/easyrsa b/easyrsa
index 5df2c23..b8758b1 100755
--- a/easyrsa
+++ b/easyrsa
@@ -225,6 +225,7 @@ Certificate & Request options: (these impact cert/req field values)
--use-algo=ALG : crypto alg to use: choose rsa (default) or ec
--curve=NAME : for elliptic curve, sets the named curve to use
--copy-ext : Copy included request X509 extensions (namely subjAltName
+--cakey-passwd-file=FILE : Provide a file containing the Certificate Authority key password , on one line
Organizational DN options: (only used with the 'org' DN mode)
(values may be blank for org DN options)
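Review bot: the new help line should say that only the first line of FILE is used (the post itself says "one line/first line", and `-passin file:` reads just the first line) and that the file must be readable only by the user running easyrsa, because anyone who can read it can sign with the CA. Also drop the space before the comma in "password , on one line" to match the formatting of the neighbouring option lines.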
@@ -804,6 +805,8 @@ $EASYRSA_TEMP_EXT"
# make safessl-easyrsa.cnf
make_ssl_config
+ # check if we want to pass the CAKey password as a file
+ [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
# sign request
# shellcheck disable=SC2086
crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
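Review bot: `$EASYRSA_CA_KEY_PASS` is appended to `opts` without checking that it names a readable file, so a wrong path is only noticed when openssl fails with a generic passphrase error. Validate once up front, e.g. `[ -r "$EASYRSA_CA_KEY_PASS" ] || die "CA key password file not readable: $EASYRSA_CA_KEY_PASS"`, and put the check plus the `opts` append in a small helper, since this same two-line block is repeated in the revoke, gen_crl and update_db hunks below.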
@@ -875,7 +878,10 @@ Run easyrsa without commands for usage and command help."
if [ "$2" ]; then
opts="$opts -crl_reason $2"
fi
-
+
+ # check if we want to pass the CAKey password as a file
+ [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
+
verify_file x509 "$crt_in" || die "\
Unable to revoke as the input file is not a valid certificate. Unexpected
input in file: $crt_in"
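Review bot: this is the second verbatim copy of the `[ -n "$EASYRSA_CA_KEY_PASS" ] && opts=...` pair; a shared helper would keep the four call sites consistent. The `-`/`+` pair on the blank line above the new block is a whitespace-only change and should not be part of the feature patch.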
@@ -1140,9 +1146,12 @@ gen_crl() {
# make safessl-easyrsa.cnf
make_ssl_config
+ # check if we want to pass the CAKey password as a file
+ [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+
out_file="$EASYRSA_PKI/crl.pem"
out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
- "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
+ "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" $opts || die "\
CRL Generation failed.
"
mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
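Review bot: `opts="-passin file:..."` is only assigned when the variable is set, but `opts` is never reset in gen_crl, and the new unquoted `$opts` on the `-gencrl` line will therefore pick up whatever an earlier function (sign_req and revoke above also use a global `opts`) left in it. Initialise with `opts=` before the check, and add the `# shellcheck disable=SC2086` comment the script uses elsewhere for unquoted `$opts`.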
@@ -1316,7 +1325,10 @@ Failed to change the private key passphrase. See above for error messages."
update_db() {
verify_ca_init
- "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" || die "\
+ # check if we want to pass the CAKey password as a file
+ [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+
+ "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" $opts || die "\
Failed to perform update-db: see above for related openssl errors."
return 0
} # => update_db()
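Review bot: same problem as in gen_crl: `opts` is not initialised before the conditional assignment, so a stale value from a previous call can reach the `-updatedb` invocation through the unquoted `$opts`; add `opts=` before the `[ -n ... ]` line.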
@@ -1469,7 +1481,7 @@ vars_setup() {
elif [ -f "$prog_vars" ]; then
vars="$prog_vars"
fi
-
+
# If a vars file was located, source it
# If $EASYRSA_NO_VARS is defined (not blank) this is skipped
if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
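Review bot: this hunk and the three that follow it (through the `else` change in vars_setup) only replace trailing whitespace on otherwise unchanged lines; remove them so the patch shows only the feature, and submit the whitespace cleanup separately if wanted.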
@@ -1480,7 +1492,7 @@ vars_setup() {
notice "\
Note: using Easy-RSA configuration from: $vars"
fi
-
+
# Set defaults, preferring existing env-vars if present
set_var EASYRSA "${0%/*}"
set_var EASYRSA_OPENSSL openssl
@@ -1497,7 +1509,7 @@ Note: using Easy-RSA configuration from: $vars"
set_var EASYRSA_CURVE secp384r1
set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams"
set_var EASYRSA_CA_EXPIRE 3650
- set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months
+ set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months
set_var EASYRSA_CERT_RENEW 30
set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_NS_SUPPORT no
@@ -1515,7 +1527,7 @@ Note: using Easy-RSA configuration from: $vars"
# Same as above for the x509-types extensions dir
if [ -d "$EASYRSA_PKI/x509-types" ]; then
set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types"
- else
+ else
#TODO: This should be removed. Not really suitable for packaging.
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
fi
@@ -1579,6 +1591,8 @@ while :; do
export EASYRSA_REQ_CN="$val" ;;
--digest)
export EASYRSA_DIGEST="$val" ;;
+ --cakey-passwd-file)
+ export EASYRSA_CA_KEY_PASS="$val" ;;
--req-c)
empty_ok=1
export EASYRSA_REQ_COUNTRY="$val" ;;
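Review bot: the parser stores `$val` with no validation, and every consumer only tests `-n`, so a mistyped `--cakey-passwd-file=` is caught only by openssl at signing time; check `[ -r "$val" ]` here and fail with a clear message. The variable name `EASYRSA_CA_KEY_PASS` also reads as if it held the password itself rather than a path; a name such as `EASYRSA_CAKEY_PASSWD_FILE`, matching the option, would make that distinction obvious in a vars file.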
- OpenVpn Newbie, Posts: 5, Joined: Tue Oct 05, 2021 7:22 pm
Re: programmatically build certificates
Not the safest as passwords are visible via the process, but it works without removing the passphrase from the CA.
Code:
# connection: the client name to issue (set by the calling script)
export EASYOPT="--vars=/etc/openvpn/easy-rsa/vars --passout=pass:cert_password --passin=pass:ca_password"
cd /etc/openvpn/easy-rsa
./easyrsa ${EASYOPT} build-client-full "${connection}"
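As an added example (not code from either reply, nor from easy-rsa itself), here is the non-interactive build using the same easy-rsa 3 `--passin` option as the reply above, but with openssl's `file:` form so the CA passphrase never appears on the command line, plus the permission check a practitioner would want on that file. The install path, the owner-only mode policy and the unencrypted (`nopass`) client key are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from easy-rsa. Assumes easy-rsa 3,
# whose --passin=ARG is forwarded to openssl -passin, so the "file:PATH" form
# (first line of the file is the passphrase) is accepted like "pass:" above.
set -u

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"   # assumed install location

# Validate the CA passphrase file and print the matching --passin argument.
# Rejects a missing or unreadable file, one readable by group/others, a path
# containing whitespace (easy-rsa splits its option string on spaces), and an
# empty first line (openssl reads only the first line of a file: source).
cakey_passin_opt() {
    f="$1"
    [ -f "$f" ] && [ -r "$f" ] || { echo "not a readable file: $f" >&2; return 1; }
    case "$f" in *[[:space:]]*) echo "path must not contain whitespace: $f" >&2; return 1 ;; esac
    mode="$(stat -c '%a' "$f")"          # GNU stat; BSD/macOS would use stat -f '%Lp'
    case "$mode" in
        [0-7]00) ;;                      # only owner bits set, e.g. 600 or 400
        *) echo "refusing $f: mode $mode is group/other accessible" >&2; return 1 ;;
    esac
    [ -n "$(head -n 1 "$f")" ] || { echo "empty first line in $f" >&2; return 1; }
    printf '%s\n' "--passin=file:$f"
}

# Issue a client certificate for $1 using the CA passphrase file $2.
# --batch answers the remaining prompts; the trailing "nopass" leaves the
# client key unencrypted (use --passout=file:... instead to protect it).
build_client() {
    name="$1"; pass_file="$2"
    passin="$(cakey_passin_opt "$pass_file")" || return 1
    ( cd "$EASYRSA_DIR" && ./easyrsa --batch "$passin" build-client-full "$name" nopass )
}
```

Call it as `build_client client1 /root/.ca-pass` from cron or a provisioning script; the passphrase file is read by openssl, not expanded into the process arguments.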