ovpn_init: Protect the CA key by default

* Protect the CA key with a passphrase by default to protect it from a
  filsystem compromise.  An attacker could still steal the other keys
  stored (ie the server's cert key), but not issue new keys.
* This is a good compromise for now.
This commit is contained in:
Kyle Manna 2014-06-04 17:07:07 -07:00
parent e1902bc2cd
commit 126f3a4557

View File

@ -13,11 +13,16 @@ if [ -z "$cn" ]; then
exit 1 exit 1
fi fi
# Specify "nopass" as arg[2] to make the CA insecure
nopass=$2
# Provides a sufficient warning before erasing pre-existing files # Provides a sufficient warning before erasing pre-existing files
easyrsa init-pki easyrsa init-pki
# For a CA key with a password, manually init; this is autopilot # CA always has a password for protection in event server is compromised. The
easyrsa build-ca nopass # password is only needed to sign client/server certificates. No password is
# needed for normal OpenVPN operation.
easyrsa build-ca $nopass
easyrsa gen-dh easyrsa gen-dh
openvpn --genkey --secret $OPENVPN/pki/ta.key openvpn --genkey --secret $OPENVPN/pki/ta.key
@ -34,6 +39,7 @@ openvpn --genkey --secret $OPENVPN/pki/ta.key
echo "$cn" > $OPENVPN/servername echo "$cn" > $OPENVPN/servername
# For a server key with a password, manually init; this is autopilot
easyrsa build-server-full $cn nopass easyrsa build-server-full $cn nopass
ovpn_genconfig "$cn" ovpn_genconfig "$cn"