# Easy-RSA 3 parameter settings# NOTE: If you installed Easy-RSA from your d

1. # Easy-RSA 3 parameter settings
2.  
3. # NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
4. # this file in place -- instead, you should copy the entire easy-rsa directory
5. # to another location so future upgrades don't wipe out your changes.
6.  
7. # HOW TO USE THIS FILE
8. #
9. # vars.example contains built-in examples to Easy-RSA settings. You MUST name
10. # this file 'vars' if you want it to be used as a configuration file. If you do
11. # not, it WILL NOT be automatically read when you call easyrsa commands.
12. #
13. # It is not necessary to use this config file unless you wish to change
14. # operational defaults. These defaults should be fine for many uses without the
15. # need to copy and edit the 'vars' file.
16. #
17. # All of the editable settings are shown commented and start with the command
18. # 'set_var' -- this means any set_var command that is uncommented has been
19. # modified by the user. If you're happy with a default, there is no need to
20. # define the value to its default.
21.  
22. # NOTES FOR WINDOWS USERS
23. #
24. # Paths for Windows *MUST* use forward slashes, or optionally double-esscaped
25. # backslashes (single forward slashes are recommended.) This means your path to
26. # the openssl binary might look like this:
27. # "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
28.  
29. # A little housekeeping: DON'T EDIT THIS SECTION
30. #
31. # Easy-RSA 3.x doesn't source into the environment directly.
32. # Complain if a user tries to do this:
33. if [ -z "$EASYRSA_CALLER" ]; then
34. echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
35. echo "This is no longer necessary and is disallowed. See the section called" >&2
36. echo "'How to use this file' near the top comments for more details." >&2
37. return 1
38. fi
39.  
40. # DO YOUR EDITS BELOW THIS POINT
41.  
42. # This variable is used as the base location of configuration files needed by
43. # easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
44. # may override this default.
45. #
46. # The default value of this variable is the location of the easyrsa script
47. # itself, which is also where the configuration files are located in the
48. # easy-rsa tree.
49.  
50. #set_var EASYRSA "${0%/*}"
51.  
52. # If your OpenSSL command is not in the system PATH, you will need to define the
53. # path to it here. Normally this means a full path to the executable, otherwise
54. # you could have left it undefined here and the shown default would be used.
55. #
56. # Windows users, remember to use paths with forward-slashes (or escaped
57. # back-slashes.) Windows users should declare the full path to the openssl
58. # binary here if it is not in their system PATH.
59.  
60. #set_var EASYRSA_OPENSSL "openssl"
61. #
62. # This sample is in Windows syntax -- edit it for your path if not using PATH:
63. #set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
64.  
65. # Edit this variable to point to your soon-to-be-created key directory. By
66. # default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
67. # directory you are currently in).
68. #
69. # WARNING: init-pki will do a rm -rf on this directory so make sure you define
70. # it correctly! (Interactive mode will prompt before acting.)
71.  
72. #set_var EASYRSA_PKI "$PWD/pki"
73.  
74. # Define X509 DN mode.
75. # This is used to adjust what elements are included in the Subject field as the DN
76. # (this is the "Distinguished Name.")
77. # Note that in cn_only mode the Organizational fields further below aren't used.
78. #
79. # Choices are:
80. # cn_only - use just a CN value
81. # org - use the "traditional" Country/Province/City/Org/OU/email/CN format
82.  
83. #set_var EASYRSA_DN "cn_only"
84.  
85. # Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
86. # These are the default values for fields which will be placed in the
87. # certificate. Don't leave any of these fields blank, although interactively
88. # you may omit any specific field by typing the "." symbol (not valid for
89. # email.)
90.  
91. #set_var EASYRSA_REQ_COUNTRY "US"
92. #set_var EASYRSA_REQ_PROVINCE "California"
93. #set_var EASYRSA_REQ_CITY "San Francisco"
94. #set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
95. #set_var EASYRSA_REQ_EMAIL "me@example.net"
96. #set_var EASYRSA_REQ_OU "My Organizational Unit"
97.  
98. # Choose a size in bits for your keypairs. The recommended value is 2048. Using
99. # 2048-bit keys is considered more than sufficient for many years into the
100. # future. Larger keysizes will slow down TLS negotiation and make key/DH param
101. # generation take much longer. Values up to 4096 should be accepted by most
102. # software. Only used when the crypto alg is rsa (see below.)
103.  
104. #set_var EASYRSA_KEY_SIZE 2048
105.  
106. # The default crypto mode is rsa; ec can enable elliptic curve support.
107. # Note that not all software supports ECC, so use care when enabling it.
108. # Choices for crypto alg are: (each in lower-case)
109. # * rsa
110. # * ec
111.  
112. #set_var EASYRSA_ALGO rsa
113.  
114. # Define the named curve, used in ec mode only:
115.  
116. #set_var EASYRSA_CURVE secp384r1
117.  
118. # In how many days should the root CA key expire?
119.  
120. #set_var EASYRSA_CA_EXPIRE 3650
121.  
122. # In how many days should certificates expire?
123.  
124. #set_var EASYRSA_CERT_EXPIRE 1080
125.  
126. # How many days until the next CRL publish date? Note that the CRL can still be
127. # parsed after this timeframe passes. It is only used for an expected next
128. # publication date.
129.  
130. # How many days before its expiration date a certificate is allowed to be
131. # renewed?
132. #set_var EASYRSA_CERT_RENEW 30
133.  
134. #set_var EASYRSA_CRL_DAYS 180
135.  
136. # Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
137. # is "no" to discourage use of deprecated extensions. If you require this
138. # feature to use with --ns-cert-type, set this to "yes" here. This support
139. # should be replaced with the more modern --remote-cert-tls feature. If you do
140. # not use --ns-cert-type in your configs, it is safe (and recommended) to leave
141. # this defined to "no". When set to "yes", server-signed certs get the
142. # nsCertType=server attribute, and also get any NS_COMMENT defined below in the
143. # nsComment field.
144.  
145. #set_var EASYRSA_NS_SUPPORT "no"
146.  
147. # When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
148. # Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
149.  
150. #set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
151.  
152. # A temp file used to stage cert extensions during signing. The default should
153. # be fine for most users; however, some users might want an alternative under a
154. # RAM-based FS, such as /dev/shm or /tmp on some systems.
155.  
156. #set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
157.  
158. # !!
159. # NOTE: ADVANCED OPTIONS BELOW THIS POINT
160. # PLAY WITH THEM AT YOUR OWN RISK
161. # !!
162.  
163. # Broken shell command aliases: If you have a largely broken shell that is
164. # missing any of these POSIX-required commands used by Easy-RSA, you will need
165. # to define an alias to the proper path for the command. The symptom will be
166. # some form of a 'command not found' error from your shell. This means your
167. # shell is BROKEN, but you can hack around it here if you really need. These
168. # shown values are not defaults: it is up to you to know what you're doing if
169. # you touch these.
170. #
171. #alias awk="/alt/bin/awk"
172. #alias cat="/alt/bin/cat"
173.  
174. # X509 extensions directory:
175. # If you want to customize the X509 extensions used, set the directory to look
176. # for extensions here. Each cert type you sign must have a matching filename,
177. # and an optional file named 'COMMON' is included first when present. Note that
178. # when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
179. # fallback to $EASYRSA for the 'x509-types' dir. You may override this
180. # detection with an explicit dir here.
181. #
182. #set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
183.  
184. # OpenSSL config file:
185. # If you need to use a specific openssl config file, you can reference it here.
186. # Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
187. # EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
188. # specific and you cannot just use a standard config file, so this is an
189. # advanced feature.
190.  
191. #set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
192.  
193. # Default CN:
194. # This is best left alone. Interactively you will set this manually, and BATCH
195. # callers are expected to set this themselves.
196.  
197. #set_var EASYRSA_REQ_CN "ChangeMe"
198.  
199. # Cryptographic digest to use.
200. # Do not change this default unless you understand the security implications.
201. # Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
202.  
203. #set_var EASYRSA_DIGEST "sha256"
204.  
205. # Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
206. # in batch mode without any user input, confirmation on dangerous operations,
207. # or most output. Setting this to any non-blank string enables batch mode.
208.  
209. #set_var EASYRSA_BATCH ""