When I run this it always asks me for the CA passphrase:
./easyrsa build-client-full ClientCert
I want to build certificates automatically using a bash script. How can I avoid having to enter the passphrase manually using the build-client-full command?
programmatically build certificates
Re: programmatically build certificates
It depends on how much of your SSL security you're willing to give up; you have a couple of options:
1. you can remove the password from your ca.key
2. you can apply the attached patch to the easyrsa script using git; it adds a new option, --cakey-passwd-file=FILE, where FILE is the path to a file holding the CA key password on its first line
to view the options
and to set a default you can also add the value to the vars file with:
easyrsa-cakey-password.patch
1. you can remove the password from your ca.key
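# Strip the passphrase from the CA private key so easyrsa can sign without
# prompting. The encrypted original is kept as ca.key.enc; from here on the
# plaintext ca.key is protected by file permissions alone, so make sure it is
# created readable by the owner only, and stop if the backup step fails rather
# than letting openssl overwrite the only copy of the key.
umask 077
cp -- ca.key ca.key.enc || exit 1
openssl rsa -in ca.key.enc -out ca.key || exit 1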
to view the options
# Print easyrsa's option help; with the patch applied, --cakey-passwd-file is listed here.
./easyrsa help options
# vars file default: path of the file whose first line holds the CA key password.
# Only honoured once easyrsa-cakey-password.patch is applied; the --cakey-passwd-file
# option exports the same variable, so the command line presumably takes precedence.
set_var EASYRSA_CA_KEY_PASS "/path/to/cakey_password_file"
diff --git a/easyrsa b/easyrsa
index 5df2c23..b8758b1 100755
--- a/easyrsa
+++ b/easyrsa
@@ -225,6 +225,7 @@ Certificate & Request options: (these impact cert/req field values)
--use-algo=ALG : crypto alg to use: choose rsa (default) or ec
--curve=NAME : for elliptic curve, sets the named curve to use
--copy-ext : Copy included request X509 extensions (namely subjAltName
+--cakey-passwd-file=FILE : Provide a file containing the Certificate Authority key password , on one line
Organizational DN options: (only used with the 'org' DN mode)
(values may be blank for org DN options)
@@ -804,6 +805,8 @@ $EASYRSA_TEMP_EXT"
# make safessl-easyrsa.cnf
make_ssl_config
+ # check if we want to pass the CAKey password as a file
+ [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
# sign request
# shellcheck disable=SC2086
crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
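Review bot: The added `opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"` is later expanded unquoted (the `# shellcheck disable=SC2086` just below is there for `$opts`), so a password-file path containing whitespace would be split into separate words and openssl would receive a truncated path. The same construction is repeated in the revoke, gen_crl and update_db hunks. Nothing checks that the file exists and is readable, so a mistyped path only surfaces as an openssl error; a guard such as `[ -r "$EASYRSA_CA_KEY_PASS" ] || die "CA key password file not readable: $EASYRSA_CA_KEY_PASS"` before the option is appended would give a clear message. The enclosing function starts and ends outside the hunk.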
@@ -875,7 +878,10 @@ Run easyrsa without commands for usage and command help."
if [ "$2" ]; then
opts="$opts -crl_reason $2"
fi
-
+
+ # check if we want to pass the CAKey password as a file
+ [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
+
verify_file x509 "$crt_in" || die "\
Unable to revoke as the input file is not a valid certificate. Unexpected
input in file: $crt_in"
@@ -1140,9 +1146,12 @@ gen_crl() {
# make safessl-easyrsa.cnf
make_ssl_config
+ # check if we want to pass the CAKey password as a file
+ [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+
out_file="$EASYRSA_PKI/crl.pem"
out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
- "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
+ "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" $opts || die "\
CRL Generation failed.
"
mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
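Review bot: `opts="-passin file:${EASYRSA_CA_KEY_PASS}"` is assigned only when the variable is non-empty, yet `$opts` is appended to the gencrl command unconditionally; the hunk does not initialise `opts` and it does not appear to be declared local, so a value left over from another code path in the same run could leak onto the command line. Setting `opts=` before the test removes that dependency on prior state. The update_db hunk below has the same pattern. gen_crl starts outside the hunk.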
@@ -1316,7 +1325,10 @@ Failed to change the private key passphrase. See above for error messages."
update_db() {
verify_ca_init
- "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" || die "\
+ # check if we want to pass the CAKey password as a file
+ [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+
+ "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" $opts || die "\
Failed to perform update-db: see above for related openssl errors."
return 0
} # => update_db()
@@ -1469,7 +1481,7 @@ vars_setup() {
elif [ -f "$prog_vars" ]; then
vars="$prog_vars"
fi
-
+
# If a vars file was located, source it
# If $EASYRSA_NO_VARS is defined (not blank) this is skipped
if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
@@ -1480,7 +1492,7 @@ vars_setup() {
notice "\
Note: using Easy-RSA configuration from: $vars"
fi
-
+
# Set defaults, preferring existing env-vars if present
set_var EASYRSA "${0%/*}"
set_var EASYRSA_OPENSSL openssl
@@ -1497,7 +1509,7 @@ Note: using Easy-RSA configuration from: $vars"
set_var EASYRSA_CURVE secp384r1
set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams"
set_var EASYRSA_CA_EXPIRE 3650
- set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months
+ set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months
set_var EASYRSA_CERT_RENEW 30
set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_NS_SUPPORT no
@@ -1515,7 +1527,7 @@ Note: using Easy-RSA configuration from: $vars"
# Same as above for the x509-types extensions dir
if [ -d "$EASYRSA_PKI/x509-types" ]; then
set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types"
- else
+ else
#TODO: This should be removed. Not really suitable for packaging.
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
fi
@@ -1579,6 +1591,8 @@ while :; do
export EASYRSA_REQ_CN="$val" ;;
--digest)
export EASYRSA_DIGEST="$val" ;;
+ --cakey-passwd-file)
+ export EASYRSA_CA_KEY_PASS="$val" ;;
--req-c)
empty_ok=1
export EASYRSA_REQ_COUNTRY="$val" ;;
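Review bot: The new `--cakey-passwd-file` arm exports `$val` without any check, while every consumer of `EASYRSA_CA_KEY_PASS` added by this patch later treats it as a readable file. Validating once at parse time, `[ -r "$val" ] || die "CA key password file not readable: $val"`, keeps the four consumers in step and reports a bad path before any PKI operation starts. The option parser's `while :; do` loop starts outside the hunk.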
Re: programmatically build certificates
Not the safest, since the passwords are visible in the process list, but it works without removing the passphrase from the CA key.
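# Build a client certificate non-interactively. easyrsa forwards --passin and
# --passout to openssl, so with the pass: form both passphrases sit on the
# command line and are readable in the process list while the tools run; the
# file:<path> form accepted by the same options keeps them out of argv.
export EASYOPT="--vars=/etc/openvpn/easy-rsa/vars --passout=pass:cert_password --passin=pass:ca_password"
# Stop here if the directory is missing instead of running easyrsa from the wrong cwd.
cd /etc/openvpn/easy-rsa || exit 1
# $connection is supplied by the caller; ${connection:?} aborts with a message when unset.
# EASYOPT is intentionally unquoted: it carries several options that must split into words.
# shellcheck disable=SC2086
./easyrsa ${EASYOPT} build-client-full "${connection:?connection name required}"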