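#! /bin/bash
#
# Bootstrap the easy-rsa PKI for an OpenVPN server and issue one client
# certificate. Every generation step is skipped when its output already
# exists, so a re-run does not regenerate key material.
#
# Environment:
#   VPN_NAME  value fed to the `build-ca` prompts (default: "pivpn")
#
# Writes to $EASYRSA/pki, /etc/openvpn/server and
# /etc/openvpn/client/clientname.

# Abort on the first failed step rather than copying a half-built PKI into
# the OpenVPN directories.
set -euo pipefail

EASYRSA=/etc/easy-rsa
VPN_NAME=${VPN_NAME:-"pivpn"}
CLIENT=clientname

# navigate into easy rsa dir; every ./easyrsa call below depends on this
cd "$EASYRSA" || {
  echo "cannot cd to $EASYRSA" >&2
  exit 1
}

# initialise easy-rsa pki
if [ ! -d "$EASYRSA/pki" ]; then
  echo "Initialising PKI..."
  ./easyrsa init-pki
fi

# generate certificate authority
# NOTE(review): `nopass` leaves pki/private/ca.key unencrypted on disk, so
# anyone who can read that file can issue certificates for this VPN.
# NOTE(review): the answers are positional (blank line, then $VPN_NAME);
# confirm they line up with the prompts of the installed easy-rsa version.
if [ ! -f "$EASYRSA/pki/ca.crt" ]; then
  echo "Generating certificate authority..."
  # ./easyrsa build-ca nopass
  # printf '%s' keeps backslashes in $VPN_NAME literal (echo -e expanded them).
  printf '\n%s\n\n' "$VPN_NAME" | ./easyrsa build-ca nopass
fi

# generate diffie-hellman
if [ ! -f "$EASYRSA/pki/dh.pem" ]; then
  echo "Generating Diffie-Hellman parameters..."
  ./easyrsa gen-dh
fi

# Generate server certificates ("yes" answers the confirmation prompt)
if [ ! -f "$EASYRSA/pki/issued/server.crt" ]; then
  echo "Generating server certificate..."
  printf 'yes\n\n' | ./easyrsa build-server-full server nopass
fi

# generate HMAC key (OpenVPN static key; presumably referenced as the
# tls-auth/tls-crypt key by the server config, which is not part of this file)
if [ ! -f "$EASYRSA/pki/ta.key" ]; then
  echo "Generating HMAC signature..."
  openvpn --genkey secret "$EASYRSA/pki/ta.key"
fi

# generate openvpn certificate revocation list
# NOTE(review): the CRL is only created when missing and is never refreshed.
# If the server config uses crl-verify, regenerate and re-copy it after each
# revocation and before it expires.
if [ ! -f "$EASYRSA/pki/crl.pem" ]; then
  echo "Generating recovation certificate..."
  ./easyrsa gen-crl
fi

# copy server certificates and keys
# NOTE(review): this copies the whole pki/private directory, which holds
# ca.key (and, on a re-run, the client key) in addition to server.key. The
# server itself only needs issued/server.crt and private/server.key; consider
# narrowing the copy once the paths used by the server config are confirmed.
echo "Copying certificates and keys..."
mkdir -p /etc/openvpn/server
cp -rp "$EASYRSA/pki/"{ca.crt,dh.pem,ta.key,crl.pem,issued,private} /etc/openvpn/server/

# Generate client cert and keys. Guarded like the steps above: easy-rsa
# refuses to re-issue an existing name, which would otherwise fail every
# re-run of this script.
if [ ! -f "$EASYRSA/pki/issued/$CLIENT.crt" ]; then
  echo "Generating client certificates and keys"
  # ./easyrsa build-client-full clientname nopass # should add confirmation
  printf 'yes\n\n' | ./easyrsa build-client-full "$CLIENT" nopass
fi

# Create directory & copy files to it
# The client key is unencrypted (`nopass`); cp -p keeps the mode easy-rsa
# gave it.
echo "Copying client certificates and keys..."
mkdir -p "/etc/openvpn/client/$CLIENT"
cp -rp "$EASYRSA/pki/"{ca.crt,issued/"$CLIENT".crt,private/"$CLIENT".key} "/etc/openvpn/client/$CLIENT/"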