Untitled

a guest, Oct 10th, 2019
# Easy-RSA 3 parameter settings

# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.

# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file 'vars' if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.
#
# All of the editable settings are shown commented and start with the command
# 'set_var' -- this means any set_var command that is uncommented has been
# modified by the user. If you're happy with a default, there is no need to
# define the value to its default.

# NOTES FOR WINDOWS USERS
#
# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"

# A little housekeeping: DON'T EDIT THIS SECTION
#
# Easy-RSA 3.x doesn't source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
    echo "This is no longer necessary and is disallowed. See the section called" >&2
    echo "'How to use this file' near the top comments for more details." >&2
    return 1
fi

# DO YOUR EDITS BELOW THIS POINT

# This variable is used as the base location of configuration files needed by
# easyrsa.  More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
# may override this default.
#
# The default value of this variable is the location of the easyrsa script
# itself, which is also where the configuration files are located in the
# easy-rsa tree.

#set_var EASYRSA    "${0%/*}"

# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.

#set_var EASYRSA_OPENSSL    "openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL    "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"

# Edit this variable to point to your soon-to-be-created key directory.  By
# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)

#set_var EASYRSA_PKI        "$PWD/pki"

# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below aren't used.
#
# Choices are:
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format

#set_var EASYRSA_DN "cn_only"

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY    "US"
#set_var EASYRSA_REQ_PROVINCE   "California"
#set_var EASYRSA_REQ_CITY   "San Francisco"
#set_var EASYRSA_REQ_ORG    "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL  "me@example.net"
#set_var EASYRSA_REQ_OU     "My Organizational Unit"

# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)

#set_var EASYRSA_KEY_SIZE   2048

# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
#  * rsa
#  * ec

#set_var EASYRSA_ALGO       rsa

# Define the named curve, used in ec mode only:

#set_var EASYRSA_CURVE      secp384r1

# In how many days should the root CA key expire?

#set_var EASYRSA_CA_EXPIRE  3650

# In how many days should certificates expire?

#set_var EASYRSA_CERT_EXPIRE    1080

# How many days before its expiration date a certificate is allowed to be
# renewed?

#set_var EASYRSA_CERT_RENEW 30

# How many days until the next CRL publish date?  Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.

#set_var EASYRSA_CRL_DAYS   180

# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature.  If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no".  When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT "no"

# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.

#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"

# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.

#set_var EASYRSA_TEMP_FILE  "$EASYRSA_PKI/extensions.temp"

# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!

# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command.  The symptom will be
# some form of a 'command not found' error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you're doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"

# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named 'COMMON' is included first when present. Note that
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
# fallback to $EASYRSA for the 'x509-types' dir.  You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR    "$EASYRSA/x509-types"

# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.

#set_var EASYRSA_SSL_CONF   "$EASYRSA/openssl-easyrsa.cnf"

# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.

#set_var EASYRSA_REQ_CN     "ChangeMe"

# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512

#set_var EASYRSA_DIGEST     "sha256"

# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.

#set_var EASYRSA_BATCH      ""
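
Added example, not part of the original paste and not Easy-RSA's own code: a POSIX sh check that reads the uncommented set_var lines of a vars file like the one above and flags md5/sha1 digests, RSA keys under 2048 bits, Netscape extensions, batch mode, and certificates set to outlive the CA. The finding names, the 2048-bit floor and keeping the first definition of a name are assumptions of this example; unset values fall back to the defaults shown in the file.

```shell
#!/bin/sh
# Added example (not Easy-RSA code): flag risky overrides in a 'vars' file.
# Finding names and the 2048-bit floor are assumptions of this example.

audit_vars() {
    # $1 = path to a vars file. Prints one finding per line, returns 1 if any.
    awk '
    BEGIN {
        # Defaults as shown (commented out) in the vars file above.
        v["EASYRSA_ALGO"] = "rsa";      v["EASYRSA_KEY_SIZE"] = 2048
        v["EASYRSA_DIGEST"] = "sha256"; v["EASYRSA_NS_SUPPORT"] = "no"
        v["EASYRSA_CA_EXPIRE"] = 3650;  v["EASYRSA_CERT_EXPIRE"] = 1080
        v["EASYRSA_BATCH"] = ""
    }
    # Only uncommented lines count: "#set_var" is a different first word.
    # Assumption: the first definition of a name is the one kept.
    $1 == "set_var" && NF >= 3 && !($2 in seen) {
        val = $3; gsub(/"/, "", val)
        v[$2] = val; seen[$2] = 1
    }
    END {
        d = v["EASYRSA_DIGEST"]
        if (d == "md5" || d == "sha1") { print "WEAK_DIGEST " d; n++ }
        # Key size only applies in rsa mode, as the file notes.
        if (v["EASYRSA_ALGO"] == "rsa" && v["EASYRSA_KEY_SIZE"] + 0 < 2048) {
            print "SMALL_RSA_KEY " v["EASYRSA_KEY_SIZE"]; n++
        }
        if (v["EASYRSA_NS_SUPPORT"] == "yes") { print "NETSCAPE_EXT_ENABLED"; n++ }
        if (v["EASYRSA_BATCH"] != "") { print "BATCH_MODE_ON"; n++ }
        if (v["EASYRSA_CERT_EXPIRE"] + 0 > v["EASYRSA_CA_EXPIRE"] + 0) {
            print "CERT_OUTLIVES_CA"; n++
        }
        exit (n > 0)
    }' "$1"
}

# Constructed sample input (not from the page): a vars file with weak overrides.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#set_var EASYRSA_KEY_SIZE   2048
set_var EASYRSA_KEY_SIZE    1024
set_var EASYRSA_DIGEST      "sha1"
set_var EASYRSA_NS_SUPPORT  "yes"
set_var EASYRSA_CERT_EXPIRE 7300
#set_var EASYRSA_BATCH      ""
EOF
findings=$(audit_vars "$sample") || true
printf '%s\n' "$findings"
rm -f "$sample"
```

The check sees only the file: values supplied through the environment when easyrsa is called are outside its view.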