From 126f3a4557396b6de4fa65599879470c231709c9 Mon Sep 17 00:00:00 2001
From: Kyle Manna
Date: Wed, 4 Jun 2014 17:07:07 -0700
Subject: [PATCH] ovpn_init: Protect the CA key by default
* Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys.
* This is a good compromise for now.
---
 bin/ovpn_init | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/bin/ovpn_init b/bin/ovpn_init
index 74b2a21..e24291b 100755
--- a/bin/ovpn_init
+++ b/bin/ovpn_init
@@ -13,11 +13,16 @@ if [ -z "$cn" ]; then
 exit 1
 fi
+# Specify "nopass" as arg[2] to make the CA insecure
+nopass=$2
+
 # Provides a sufficient warning before erasing pre-existing files
 easyrsa init-pki
-# For a CA key with a password, manually init; this is autopilot
-easyrsa build-ca nopass
+# CA always has a password for protection in event server is compromised. The
+# password is only needed to sign client/server certificates. No password is
+# needed for normal OpenVPN operation.
+easyrsa build-ca $nopass
 easyrsa gen-dh
 openvpn --genkey --secret $OPENVPN/pki/ta.key
@@ -34,6 +39,7 @@ openvpn --genkey --secret $OPENVPN/pki/ta.key
 echo "$cn" > $OPENVPN/servername
+# For a server key with a password, manually init; this is autopilot
 easyrsa build-server-full $cn nopass
 ovpn_genconfig "$cn"
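Review bot: `nopass=$2` is forwarded unchecked to `easyrsa build-ca $nopass`, so any second argument other than the documented `nopass` reaches easyrsa verbatim, and a typo such as `nopas` either aborts the init or is silently accepted depending on how easyrsa parses its command options. Validating the argument right after the assignment keeps the documented contract explicit: `if [ -n "$nopass" ] && [ "$nopass" != nopass ]; then echo "usage: $0 <cn> [nopass]" >&2; exit 1; fi`. The unquoted `$nopass` is presumably intentional so that an empty value contributes no argument; a `# shellcheck disable=SC2086 -- empty value must expand to no argument` comment would make that clear to the next reader. The new header comment should also say that without `nopass`, build-ca prompts for the passphrase on the terminal, so a non-interactive run of ovpn_init will now block or fail at this step.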
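Review bot: The comment moved onto `easyrsa build-server-full $cn nopass` still reads as a to-do ("manually init") rather than explaining why the server key, unlike the CA key a few lines above, deliberately stays passphrase-less; the commit message already gives that reason. Suggest replacing it with `# Server key is deliberately passwordless: openvpn must load it unattended at start-up, so a host compromise exposes this key but not the passphrase-protected CA key above.`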