OpenSSL PKI for OpenVPN
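#!/usr/bin/env bash
# https://www.sysadmin.md/verbose-vpn-server-installation-using-openvpn-and-openssl.html
#
# Builds a small OpenSSL PKI for OpenVPN under $dir: a self-signed root CA,
# one server certificate, one client certificate and a CRL. The "openssl req"
# steps prompt for the subject fields (defaults come from [ req_vpn_dn ] in the
# config written below); the "openssl ca" steps run unattended (-batch).
#
# Stop at the first failing command so a failed step is not silently followed
# by the next one (e.g. signing a request that was never written).
set -euo pipefail

# Environment Variables
# All paths are relative to the current directory; the config below hard-codes
# the same "./pki" as its own "dir" value, so run the script from one place.
dir=./pki
openssl_conf=./openssl.conf
ca_privkey=$dir/private/ca.key
ca_cert=$dir/certs/ca.crt
server_privkey=$dir/private/server.key
server_request=$dir/reqs/server.req
server_cert=$dir/certs/server.crt
client_privkey=$dir/private/client.key
client_request=$dir/reqs/client.req
client_cert=$dir/certs/client.crt
serial=$dir/serial
index=$dir/index.txt
# Same path the config names as its "crl" value, inside the crl_dir it declares.
ca_crl=$dir/crls/crl.pem

# Initialization
# Plain mkdir (no -p) on purpose: with set -e an existing $dir aborts the run
# instead of regenerating the CA key over a PKI that is already in use.
mkdir "$dir"
mkdir "$dir"/private
mkdir "$dir"/certs
mkdir "$dir"/reqs
mkdir "$dir"/crls
# Private keys live here; keep the directory owner-only.
chmod 700 "$dir"/private
touch "$index"


# $openssl_conf:
# Quoted heredoc delimiter: the $dir / $certs references are OpenSSL config
# variables and must reach the file unexpanded by the shell.
cat > "$openssl_conf" <<'EOF'
[ ca ]
default_ca                              = CA_OpenVPN

[ CA_OpenVPN ]
dir                                     = ./pki
certs                                   = $dir/certs
crl_dir                                 = $dir/crls
database                                = $dir/index.txt
new_certs_dir                           = $certs
certificate                             = $dir/certs/ca.crt
serial                                  = $dir/serial
crl                                     = $dir/crls/crl.pem
private_key                             = $dir/private/ca.key
RANDFILE                                = $dir/.rand
x509_extensions                         = vpn_cert_ext
default_days                            = 3650
default_crl_days                        = 365
default_md                              = sha256
policy                                  = vpn_policy

# Fallback when "openssl ca" is run without -extensions; the signing steps
# in the script select the server/client sections explicitly.
[ vpn_cert_ext ]
basicConstraints                        = CA:FALSE

# Server leaf: serverAuth EKU plus key usage, so OpenVPN clients can enforce
# "remote-cert-tls server" and a client certificate cannot pose as the server.
[ vpn_server_ext ]
basicConstraints                        = CA:FALSE
subjectKeyIdentifier                    = hash
authorityKeyIdentifier                  = keyid:always
keyUsage                                = critical, digitalSignature, keyEncipherment
extendedKeyUsage                        = serverAuth

# Client leaf: clientAuth only, so the server can require "remote-cert-tls client".
[ vpn_client_ext ]
basicConstraints                        = CA:FALSE
subjectKeyIdentifier                    = hash
authorityKeyIdentifier                  = keyid:always
keyUsage                                = critical, digitalSignature
extendedKeyUsage                        = clientAuth

# Issued subjects must carry the CA's organizationName; the other fields are
# taken as supplied in the request.
[ vpn_policy ]
organizationName                        = match
organizationalUnitName                  = supplied
commonName                              = supplied
emailAddress                            = supplied

[ req ]
default_bits                            = 2048
distinguished_name                      = req_vpn_dn
x509_extensions                         = vpn_CA_cert_ext

# Prompt defaults. Give the CA, the server and the client DIFFERENT common
# names when prompted: the CA database rejects a second valid certificate
# with an identical subject (unique_subject defaults to yes).
[ req_vpn_dn ]
commonName                              = Common Name (eg. Linux machine)
commonName_max                          = 64
commonName_default                      = MyTestCA
0.organizationName                      = Organization Name (eg. company)
0.organizationName_default              = MyTestCA
organizationalUnitName                  = Organizational Unit Name (eg, section)
organizationalUnitName_default          = My Organizational Unit
emailAddress                            = Email Address
emailAddress_default                    = example@example.com

# Root CA: CA:TRUE marked critical, key usage limited to signing certificates and CRLs.
[ vpn_CA_cert_ext ]
basicConstraints                        = critical, CA:TRUE
subjectKeyIdentifier                    = hash
keyUsage                                = critical, keyCertSign, cRLSign
EOF


# Root CA Private Key
    # Generate CA Root Certificate and Private Key.
    # -nodes leaves the CA key unencrypted on disk so the later -batch signings
    # need no passphrase; the chmod keeps the file owner-readable only.
    openssl req -new -x509 -nodes -keyout "$ca_privkey" -out "$ca_cert" -days 3650 -config "$openssl_conf"
    chmod 600 "$ca_privkey"
    # Verify (-check validates the key without printing its private components
    # to the terminal or scrollback, unlike -text)
        openssl rsa -noout -check -in "$ca_privkey"
        openssl x509 -noout -text -in "$ca_cert"



# Server Certificate
    # Generate Server Private Key and Certificate Signing Request
    openssl req -new -nodes -keyout "$server_privkey" -out "$server_request" -config "$openssl_conf"
    chmod 600 "$server_privkey"
    # Verify
        openssl rsa -noout -check -in "$server_privkey"
        openssl req -noout -text -in "$server_request"

    # Sign and Issue Server Certificate
    # Fresh 128-bit random serial for this issuance (the serial file must exist
    # before "openssl ca" runs).
    openssl rand -hex 16 > "$serial"
    openssl ca -in "$server_request" -batch -extensions vpn_server_ext -out "$server_cert" -config "$openssl_conf"
    # Verify
        openssl x509 -noout -text -in "$server_cert"


# Client Certificate
    # Generate Client Private Key and Certificate Signing Request
    openssl req -new -nodes -keyout "$client_privkey" -out "$client_request" -config "$openssl_conf"
    chmod 600 "$client_privkey"
    # Verify
        openssl rsa -noout -check -in "$client_privkey"
        openssl req -noout -text -in "$client_request"


    # Sign and Issue Client Certificate
    openssl rand -hex 16 > "$serial"
    openssl ca -in "$client_request" -batch -extensions vpn_client_ext -out "$client_cert" -config "$openssl_conf"
    # Verify
        openssl x509 -noout -text -in "$client_cert"


# crl
    # Generate crl. Nothing is revoked here, so the list starts empty; after
    # "openssl ca -revoke <cert> -config $openssl_conf" re-run this step and
    # redeploy the file to the OpenVPN server.
    openssl ca -gencrl -out "$ca_crl" -config "$openssl_conf"
    # Verify
        openssl crl -noout -text -in "$ca_crl"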