Integrate Easy-RSA TLS-Key for use with 'init-pki soft' #1220
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The primary use of 'init-pki soft' is to present a simple way to renew an expired CA Certificate. The method Easy-RSA uses is to create a new CA and sign old Requests. Key(1): pki/private/easyrsa-tls.key - Singular Easy-RSA TLS key. Key(2): pki/easyrsa-keepsafe-tls.key - Created by 'init-pki soft'. The Easy-RSA TLS Key(1) in use is not changed by this method. Also, this TLS Key(1) is private data, therefore, it is not added to new inline files. This allows the new inline files to be easily distrubuted, without leaking security data. All members of the VPN in use have a local copy of the TLS Key(1). This key(1) can either be added to the OpenVPN config file, using option '--tls-auth/--tls-crypt <key-file>', or be pasted into the inline file locally. This patch integrates the Easy-RSA TLS Key into 'init-pki soft' by recreating the key(2) after the PKI has been reset. However, the key(2) is recreated by a different file-name, to ensure that it is not included with newly generated inline files. After building a new CA, the TLS key(2) is copied to the original key(1). However, these TLS keys will be omitted from new inline files until the key(2), created by 'init-pki soft', is deleted. All inline files that contain private keys are written to sub-dir 'pki/inline/private'. All inline files that do NOT contain any private keys are written to 'pki/inline'. Also, minimise some 'case' statements and minor improvements. Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech
added
enhancement
development
Signed-off-by: Richard T Bonhomme <[email protected]>
Open
Remove checks that an SSL Config file exists, after completion of write_easyrsa_ssl_cnf_tmp() Change warnings to fatal errors, when checking SSL Config file hash. Signed-off-by: Richard T Bonhomme <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The primary use of 'init-pki soft' is to present a simple way to renew an expired CA Certificate. The method Easy-RSA uses is to create a new CA and sign old Requests.
Key(1): pki/private/easyrsa-tls.key - Singular Easy-RSA TLS key.
Key(2): pki/easyrsa-keepsafe-tls.key - Created by 'init-pki soft'.
The Easy-RSA TLS Key(1) in use is not changed by this method. Also, this TLS Key(1) is private data, therefore, it is not added to new inline files. This allows the new inline files to be easily distrubuted, without leaking security data.
All members of the VPN in use have a local copy of the TLS Key(1). This key(1) can either be added to the OpenVPN config file, using option '--tls-auth/--tls-crypt ', or be pasted into the inline file locally.
This patch integrates the Easy-RSA TLS Key into 'init-pki soft' by recreating the key(2) after the PKI has been reset. However, the key(2) is recreated by a different file-name, to ensure that it is not included with newly generated inline files.
After building a new CA, the TLS key(2) is copied to the original key(1). However, these TLS keys will be omitted from new inline files until the key(2), created by 'init-pki soft', is deleted.
All inline files that contain private keys are written to sub-dir 'pki/inline/private'. All inline files that do NOT contain any private keys are written to 'pki/inline'.
Also, minimise some 'case' statements and minor improvements.