我需要为客户端 VPN 服务器生成很多密钥。每当我使用 easy-rsa 生成密钥时,如下所示:
./build-key client1
有一些输出包含一系列问题。所有问题都有文件中定义的默认答案vars。
Generating a 1024 bit RSA private key
............................................++++++
.......................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CO]:
Locality Name (eg, city) [Denver]:
Organization Name (eg, company) [mycompany]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CO'
localityName :PRINTABLE:'Denver'
organizationName :PRINTABLE:'mycompany'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 3 20:16:04 2038 GMT (9999 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
总而言之,我必须手动按下以下键:
ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
y
ENTER
y
ENTER
基本上我只是接受所有默认答案并对最后两个问题说“是”。是否有任何-force或-quiet标志或其他东西可以使用build-key?如果没有,是否有脚本或 bash 技巧可以用来每次执行此操作?我在任何手册页中都找不到有关它的任何信息。
答案1
如果你查看 的源代码build-key,你会发现它正在调用pkitool。我编写了一个包装器,将客户端的密钥和适当的 openvpn 配置文件捆绑成一个 tarball,然后我可以将其提供给我的用户:
#!/bin/bash
client=$1
if [ x$client = x ]; then
echo "Usage: $0 clientname"
exit 1
fi
if [ ! -e keys/$client.key ]; then
echo "Generating keys..."
. vars
./pkitool $client
echo "...keys generated."
fi
tarball=./keys/$client.tgz
if [ ! -e $tarball ]; then
echo "Creating tarball..."
tmpdir=/tmp/client-tar.$$
mkdir $tmpdir
cp company.ovpn $tmpdir/company.ovpn
cp keys/ca.crt $tmpdir
cp keys/$client.key $tmpdir/client.key
cp keys/$client.crt $tmpdir/client.crt
tar -C $tmpdir -czvf $tarball .
rm -rf $tmpdir
echo "...tarball created"
else
echo "Nothing to do, so nothing done. (keys/$client.tgz already exists)"
fi
答案2
尝试- 批旗帜
./build-key --batch client1
答案3
新版本的易用型RSA现在作为单个二进制文件提供。要自动构建客户端密钥,您现在可以使用“vars”文件(只需将其放在与 easyrsa 二进制文件相同的目录中即可):
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA "$PWD"
set_var EASYRSA_OPENSSL "openssl"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "Country"
set_var EASYRSA_REQ_PROVINCE "Province"
set_var EASYRSA_REQ_CITY "City"
set_var EASYRSA_REQ_ORG "Org Ltd"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Infrastructure"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
并使用 EasyRSA 的二进制文件:
./easyrsa build-client-full client1 nopass
答案4
我有同样的问题。
我找到的解决方案是:
echo -en“\n\n\n\n\n\n\n\ny\ny\n”| ./build-key client1