Integrate Easy-RSA TLS-Key for use with 'init-pki soft'
The primary use of 'init-pki soft' is to present a simple way to renew an expired CA Certificate. The method Easy-RSA uses is to create a new CA and sign old Requests.

Key(1): pki/private/easyrsa-tls.key - Singular Easy-RSA TLS key.
Key(2): pki/easyrsa-keepsafe-tls.key - Created by 'init-pki soft'.

The Easy-RSA TLS Key(1) in use is not changed by this method. Also, this TLS Key(1) is private data, therefore, it is not added to new inline files. This allows the new inline files to be easily distributed, without leaking security data. All members of the VPN in use have a local copy of the TLS Key(1). This key(1) can either be added to the OpenVPN config file, using option '--tls-auth/--tls-crypt <key-file>', or be pasted into the inline file locally.

This patch integrates the Easy-RSA TLS Key into 'init-pki soft' by recreating the key(2) after the PKI has been reset. However, the key(2) is recreated by a different file-name, to ensure that it is not included with newly generated inline files. After building a new CA, the TLS key(2) is copied to the original key(1). However, these TLS keys will be omitted from new inline files until the key(2), created by 'init-pki soft', is deleted.

All inline files that contain private keys are written to sub-dir 'pki/inline/private'. All inline files that do NOT contain any private keys are written to 'pki/inline'.

Also, minimise some 'case' statements and minor improvements.

Signed-off-by: Richard T Bonhomme <[email protected]>
1 parent 294c05b, commit 03d9dc2. Showing 2 changed files with 166 additions and 71 deletions.