Page 1 of 1

programatically build certificates

Posted: Fri Jan 10, 2020 2:14 am
by qwertyjjj
When I run this it always asks me for the CA passphrase:
./easyrsa build-client-full ClientCert

I want to build certificates automatically using a bash script. How can I avoid having to enter the passphrase manually using the build-client-full command?

Re: programatically build certificates

Posted: Thu Jan 23, 2020 7:21 pm
by TiTex
It depends on how much of your SSL security you're willing to give up , you have a couple of options
1. you can remove the password from your ca.key

Code: Select all

cp ca.key ca.key.enc
openssl rsa -in ca.key.enc -out ca.key
2. you can apply the patch attached using git to the easyrsa script , in which i added a new option , --cakey-passwd-file=FILE where FILE is the path to a file holding the CAKey password on one line/first line

to view the options

Code: Select all

./easyrsa help options
and to have a default you can also add the value in the vars file , with

Code: Select all

set_var EASYRSA_CA_KEY_PASS     "/path/to/cakey_password_file"

Code: Select all

diff --git a/easyrsa b/easyrsa
index 5df2c23..b8758b1 100755
--- a/easyrsa
+++ b/easyrsa
@@ -225,6 +225,7 @@ Certificate & Request options: (these impact cert/req field values)
 --use-algo=ALG  : crypto alg to use: choose rsa (default) or ec
 --curve=NAME    : for elliptic curve, sets the named curve to use
 --copy-ext      : Copy included request X509 extensions (namely subjAltName
+--cakey-passwd-file=FILE : Provide a file containing the Certificate Authority key password , on one line

 Organizational DN options: (only used with the 'org' DN mode)
   (values may be blank for org DN options)
@@ -804,6 +805,8 @@ $EASYRSA_TEMP_EXT"
        # make safessl-easyrsa.cnf

+       # check if we want to pass the CAKey password as a file
+       [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
        # sign request
        # shellcheck disable=SC2086
        crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
@@ -875,7 +878,10 @@ Run easyrsa without commands for usage and command help."
        if [ "$2" ]; then
                opts="$opts -crl_reason $2"
+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="$opts -passin file:${EASYRSA_CA_KEY_PASS}"
        verify_file x509 "$crt_in" || die "\
 Unable to revoke as the input file is not a valid certificate. Unexpected
 input in file: $crt_in"
@@ -1140,9 +1146,12 @@ gen_crl() {
        # make safessl-easyrsa.cnf

+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
        out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
-       "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
+       "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" $opts || die "\
 CRL Generation failed.
        mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
@@ -1316,7 +1325,10 @@ Failed to change the private key passphrase. See above for error messages."
 update_db() {

-       "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" || die "\
+    # check if we want to pass the CAKey password as a file
+    [ -n "$EASYRSA_CA_KEY_PASS" ] && opts="-passin file:${EASYRSA_CA_KEY_PASS}"
+       "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" $opts || die "\
 Failed to perform update-db: see above for related openssl errors."
        return 0
 } # => update_db()
@@ -1469,7 +1481,7 @@ vars_setup() {
        elif [ -f "$prog_vars" ]; then
        # If a vars file was located, source it
        # If $EASYRSA_NO_VARS is defined (not blank) this is skipped
        if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
@@ -1480,7 +1492,7 @@ vars_setup() {
                notice "\
 Note: using Easy-RSA configuration from: $vars"
        # Set defaults, preferring existing env-vars if present
        set_var EASYRSA         "${0%/*}"
        set_var EASYRSA_OPENSSL openssl
@@ -1497,7 +1509,7 @@ Note: using Easy-RSA configuration from: $vars"
        set_var EASYRSA_CURVE           secp384r1
        set_var EASYRSA_EC_DIR          "$EASYRSA_PKI/ecparams"
        set_var EASYRSA_CA_EXPIRE       3650
-       set_var EASYRSA_CERT_EXPIRE     1080 # new default of 36 months
+       set_var EASYRSA_CERT_EXPIRE     1080 # new default of 36 months
        set_var EASYRSA_CERT_RENEW      30
        set_var EASYRSA_CRL_DAYS        180
        set_var EASYRSA_NS_SUPPORT      no
@@ -1515,7 +1527,7 @@ Note: using Easy-RSA configuration from: $vars"
        # Same as above for the x509-types extensions dir
        if [ -d "$EASYRSA_PKI/x509-types" ]; then
                set_var EASYRSA_EXT_DIR         "$EASYRSA_PKI/x509-types"
-       else
+       else
                #TODO: This should be removed.  Not really suitable for packaging.
                set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
@@ -1579,6 +1591,8 @@ while :; do
                export EASYRSA_REQ_CN="$val" ;;
                export EASYRSA_DIGEST="$val" ;;
+       --cakey-passwd-file)
+               export EASYRSA_CA_KEY_PASS="$val" ;;
                export EASYRSA_REQ_COUNTRY="$val" ;;

Re: programatically build certificates

Posted: Tue Jan 10, 2023 11:41 am
by larsen
Not the safest as passwords are visible via the process, but it works without removing the passphrase from the CA.

Code: Select all

export EASYOPT="--vars=/etc/openvpn/easy-rsa/vars --passout=pass:cert_password --passin=pass:ca_password"
cd /etc/openvpn/easy-rsa
./easyrsa ${EASYOPT} build-client-full ${connection}