Sico93

nanoVPN

Dec 13th, 2015
175
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Easy-RSA 3 parameter settings
  2.  
  3. # NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
  4. # this file in place -- instead, you should copy the entire easy-rsa directory
  5. # to another location so future upgrades don't wipe out your changes.
  6.  
  7. # HOW TO USE THIS FILE
  8. #
  9. # vars.example contains built-in examples to Easy-RSA settings. You MUST name
  10. # this file 'vars' if you want it to be used as a configuration file. If you do
  11. # not, it WILL NOT be automatically read when you call easyrsa commands.
  12. #
  13. # It is not necessary to use this config file unless you wish to change
  14. # operational defaults. These defaults should be fine for many uses without the
  15. # need to copy and edit the 'vars' file.
  16. #
  17. # All of the editable settings are shown commented and start with the command
  18. # 'set_var' -- this means any set_var command that is uncommented has been
  19. # modified by the user. If you're happy with a default, there is no need to
  20. # define the value to its default.
  21.  
  22. # NOTES FOR WINDOWS USERS
  23. #
  24. # Paths for Windows  *MUST* use forward slashes, or optionally double-esscaped
  25. # backslashes (single forward slashes are recommended.) This means your path to
  26. # the openssl binary might look like this:
  27. # "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
  28.  
  29. # A little housekeeping: DON'T EDIT THIS SECTION
  30. #
  31. # Easy-RSA 3.x doesn't source into the environment directly.
  32. # Complain if a user tries to do this:
  33. if [ -z "$EASYRSA_CALLER" ]; then
  34.         echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
  35.         echo "This is no longer necessary and is disallowed. See the section called" >&2
  36.         echo "'How to use this file' near the top comments for more details." >&2
  37.         return 1
  38. fi
  39.  
  40. # DO YOUR EDITS BELOW THIS POINT
  41.  
  42. # This variable should point to the top level of the easy-rsa tree. By default,
  43. # this is taken to be the directory you are currently in.
  44.  
  45. #set_var EASYRSA        "$PWD"
  46.  
  47. # If your OpenSSL command is not in the system PATH, you will need to define the
  48. # path to it here. Normally this means a full path to the executable, otherwise
  49. # you could have left it undefined here and the shown default would be used.
  50. #
  51. # Windows users, remember to use paths with forward-slashes (or escaped
  52. # back-slashes.) Windows users should declare the full path to the openssl
  53. # binary here if it is not in their system PATH.
  54.  
  55. #set_var EASYRSA_OPENSSL        "openssl"
  56. #
  57. # This sample is in Windows syntax -- edit it for your path if not using PATH:
  58. #set_var EASYRSA_OPENSSL        "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
  59.  
  60. # Edit this variable to point to your soon-to-be-created key directory.
  61. #
  62. # WARNING: init-pki will do a rm -rf on this directory so make sure you define
  63. # it correctly! (Interactive mode will prompt before acting.)
  64.  
  65. #set_var EASYRSA_PKI            "$EASYRSA/pki"
  66.  
  67.  
  68. # Define X509 DN mode.
  69. # This is used to adjust what elements are included in the Subject field as the DN
  70. # (this is the "Distinguished Name.")
  71. # Note that in cn_only mode the Organizational fields further below aren't used.
  72. #
  73. # Choices are:
  74. #   cn_only  - use just a CN value
  75. #   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
  76.  
  77. #set_var EASYRSA_DN     "cn_only"
  78.  
  79. # Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
  80. # These are the default values for fields which will be placed in the
  81. # certificate.  Don't leave any of these fields blank, although interactively
  82. # you may omit any specific field by typing the "." symbol (not valid for
  83. # email.)
  84.  
  85. set_var EASYRSA_REQ_COUNTRY     "DE"
  86. set_var EASYRSA_REQ_PROVINCE    "Berlin"
  87. set_var EASYRSA_REQ_CITY        "Berlin"
  88. set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
  89. set_var EASYRSA_REQ_EMAIL       "me@example.net"
  90. #set_var EASYRSA_REQ_OU         "My Organizational Unit"
  91.  
  92.  
  93. # Choose a size in bits for your keypairs. The recommended value is 2048.  Using
  94. # 2048-bit keys is considered more than sufficient for many years into the
  95. # future. Larger keysizes will slow down TLS negotiation and make key/DH param
  96. # generation take much longer. Values up to 4096 should be accepted by most
  97. # software. Only used when the crypto alg is rsa (see below.)
  98.  
  99. #set_var EASYRSA_KEY_SIZE       2048
  100.  
  101. # The default crypto mode is rsa; ec can enable elliptic curve support.
  102. # Note that not all software supports ECC, so use care when enabling it.
  103. # Choices for crypto alg are: (each in lower-case)
  104. #  * rsa
  105. #  * ec
  106.  
  107. #set_var EASYRSA_ALGO           rsa
  108.  
  109. # Define the named curve, used in ec mode only:
  110.  
  111. #set_var EASYRSA_CURVE          secp384r1
  112.  
  113. # In how many days should the root CA key expire?
  114.  
  115. #set_var EASYRSA_CERT_EXPIRE    3650
  116.  
  117. # How many days until the next CRL publish date?  Note that the CRL can still be
  118. # parsed after this timeframe passes. It is only used for an expected next
  119. # publication date.
  120.  
  121. #set_var EASYRSA_CRL_DAYS       180
  122.  
  123. # Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
  124. # is "no" to discourage use of deprecated extensions. If you require this
  125. # feature to use with --ns-cert-type, set this to "yes" here. This support
  126. # should be replaced with the more modern --remote-cert-tls feature.  If you do
  127. # not use --ns-cert-type in your configs, it is safe (and recommended) to leave
  128. # this defined to "no".  When set to "yes", server-signed certs get the
  129. # nsCertType=server attribute, and also get any NS_COMMENT defined below in the
  130. # nsComment field.
  131.  
  132. #set_var EASYRSA_NS_SUPPORT     "no"
  133.  
  134. # When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
  135. # Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
  136.  
  137. #set_var EASYRSA_NS_COMMENT     "Easy-RSA Generated Certificate"
  138.  
  139. # A temp file used to stage cert extensions during signing. The default should
  140. # be fine for most users; however, some users might want an alternative under a
  141. # RAM-based FS, such as /dev/shm or /tmp on some systems.
  142.  
  143. #set_var EASYRSA_TEMP_FILE      "$EASYRSA_PKI/extensions.temp"
  144.  
  145. # !!
  146. # NOTE: ADVANCED OPTIONS BELOW THIS POINT
  147. # PLAY WITH THEM AT YOUR OWN RISK
  148. # !!
  149.  
  150. # Broken shell command aliases: If you have a largely broken shell that is
  151. # missing any of these POSIX-required commands used by Easy-RSA, you will need
  152. # to define an alias to the proper path for the command.  The symptom will be
  153. # some form of a 'command not found' error from your shell. This means your
  154. # shell is BROKEN, but you can hack around it here if you really need. These
  155. # shown values are not defaults: it is up to you to know what you're doing if
  156. # you touch these.
  157. #
  158. #alias awk="/alt/bin/awk"
  159. #alias cat="/alt/bin/cat"
  160.  
  161. # X509 extensions directory:
  162. # If you want to customize the X509 extensions used, set the directory to look
  163. # for extensions here. Each cert type you sign must have a matching filename,
  164. # and an optional file named 'COMMON' is included first when present. Note that
  165. # when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
  166. # fallback to $EASYRSA for the 'x509-types' dir.  You may override this
  167. # detection with an explicit dir here.
  168. #
  169. #set_var EASYRSA_EXT_DIR        "$EASYRSA/x509-types"
  170.  
  171. # OpenSSL config file:
  172. # If you need to use a specific openssl config file, you can reference it here.
  173. # Normally this file is auto-detected from a file named openssl-1.0.cnf from the
  174. # EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
  175. # specific and you cannot just use a standard config file, so this is an
  176. # advanced feature.
  177.  
  178. #set_var EASYRSA_SSL_CONF       "$EASYRSA/openssl-1.0.cnf"
  179.  
  180. # Default CN:
  181. # This is best left alone. Interactively you will set this manually, and BATCH
  182. # callers are expected to set this themselves.
  183.  
  184. #set_var EASYRSA_REQ_CN         "ChangeMe"
  185.  
  186. # Cryptographic digest to use.
  187. # Do not change this default unless you understand the security implications.
  188. # Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
  189.  
  190.  
  191. #set_var EASYRSA_DIGEST         "sha256"
  192.  
  193. # Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
  194. # in batch mode without any user input, confirmation on dangerous operations,
  195. # or most output. Setting this to any non-blank string enables batch mode.
  196.  
  197. #set_var EASYRSA_BATCH          ""
RAW Paste Data