easy-rsa
Separate key/request generation
Separating the backend process of key and request generation allows additional flexibility and workflows.
De-coupling these steps allows more abstraction in how each one is performed. In particular, this may be a benefit with future PKCS11 smart card integration or other advanced workflows. Another possible use-case is creating an updated request from an existing keypair.
So, I've tested the openssl commands to do key generation and CSR separately, as well as to change the PEM output to PBKDF2. I've actually modified the easyrsa script with this code and it works. However, we probably ought to generate/handle some additional vars to get it to do more than just encrypt with aes256, and use RSA [EC as another option].
I don't know how helpful this code is, but I've tried to be as close to the original as possible.
I'd guess someone better than me could tweak this and have it running with additional options pretty quickly. So, in the function build_ca, replace these lines [around line 455]:
# "$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
#     -config "$EASYRSA_SSL_CONF" -keyout "$out_key" -out "$out_file" $opts || \
#     die "Failed to build the CA"
Here's my new code:
# Create the CA private key.
# With a cipher option, genpkey writes a PKCS#8 EncryptedPrivateKeyInfo
# (PBES2 with PBKDF2) rather than a legacy "Proc-Type: 4,ENCRYPTED" PEM block.
"$EASYRSA_OPENSSL" genpkey \
    -out "$out_key" \
    -outform PEM \
    -algorithm "$EASYRSA_ALGO" \
    -pkeyopt rsa_keygen_bits:"$EASYRSA_ALGO_PARAMS" \
    -aes-256-cbc \
    || die "Failed to build the CA private key..."
# Create the CA request from the key generated above.
# $opts stays unquoted on purpose: it is a space-separated option list.
"$EASYRSA_OPENSSL" req -new \
    -key "$out_key" \
    -config "$EASYRSA_SSL_CONF" \
    -out "$out_file" $opts || \
    die "Failed to build the CA"
We'll need a new var for the -pkeyopt if we want to pass through an EC keygen. [i.e. "ec_paramgen_curve:curve"]
I'll put the second code snippet in a following post, though it's very similar.
Finally, an edit to function gen_req
Remove this code in gen_req [line 544]:
#"$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
#    -config "$EASYRSA_SSL_CONF" -keyout "$key_out" -out "$req_out" $opts \
#    || die "Failed to generate request"
#notice "\
Then add this:
# Create the private key, and create a CSR
#
# With a cipher option, genpkey writes a PKCS#8 EncryptedPrivateKeyInfo
# (PBES2 with PBKDF2) rather than a legacy "Proc-Type: 4,ENCRYPTED" PEM block.
"$EASYRSA_OPENSSL" genpkey \
    -out "$key_out" \
    -outform PEM \
    -algorithm "$EASYRSA_ALGO" \
    -pkeyopt rsa_keygen_bits:"$EASYRSA_ALGO_PARAMS" \
    -aes-256-cbc \
    || die "Failed to build the private key..."
#
notice "Private key created. Your file is: $key_out"
# Now create a CSR
# note that $key_out in this context is the key created above.
# $opts stays unquoted on purpose: it is a space-separated option list.
#
"$EASYRSA_OPENSSL" req -new \
    -key "$key_out" \
    -config "$EASYRSA_SSL_CONF" \
    -out "$req_out" $opts \
    || die "Failed to generate request"
notice "CSR created. Your file is: $req_out"
We may want code here to allow server/client key generation without any encryption, so that would be some added logic; I'm not sure how best to handle that.
Again, as in the CA, we'll need a variable for -pkeyopt that will handle EC instead of RSA. [i.e. "ec_paramgen_curve:curve" instead of the hard-coded "rsa_keygen_bits"]
The code for sign_req doesn't change. Is that at all helpful? [Sorry, but formatting the comment is pretty mucked up...]
Oh, we should change the set-rsa-pass and set-ec-pass code to also generate PBKDF2 PEM files when changing the password. [I think I have code for that in a previous comment; I'll try to look it over.] [If we don't, then the main reason for the edits above is lost.]
This is no longer a viable concern for Easy-RSA.