我有很多键为我的客户端VPN服务器生成。 每当我使用easy-rsa来生成这样的密钥:
./build-key client1 有一些输出有一系列的问题。 这些问题都有在vars文件中定义的默认答案。
Generating a 1024 bit RSA private key ............................................++++++ .......................++++++ writing new private key to 'client1.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [CO]: Locality Name (eg, city) [Denver]: Organization Name (eg, company) [mycompany]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [client1]: Email Address [[email protected]]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'CO' localityName :PRINTABLE:'Denver' organizationName :PRINTABLE:'mycompany' commonName :PRINTABLE:'client1' emailAddress :IA5STRING:'[email protected]' Certificate is to be certified until Jan 3 20:16:04 2038 GMT (9999 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
总而言之,我必须手动按下以下键:
ENTER ENTER ENTER ENTER ENTER ENTER ENTER ENTER y ENTER y ENTER
基本上我只是接受所有的默认答案,并对最后两个问题说'是'。 是否有任何-force或-quiet标志或我可以使用build-key ? 如果没有,我是否可以使用脚本或bash技巧来每次都这样做? 我找不到任何关于它的任何手册页。
如果你看一下build-key的来源,你会发现它叫做pkitool 。 我编写了一个包装器,将cilent的键和合适的openvpnconfiguration文件捆绑到一个tarball中,然后我可以给我的用户:
#!/bin/bash client=$1 if [ x$client = x ]; then echo "Usage: $0 clientname" exit 1 fi if [ ! -e keys/$client.key ]; then echo "Generating keys..." . vars ./pkitool $client echo "...keys generated." fi tarball=./keys/$client.tgz if [ ! -e $tarball ]; then echo "Creating tarball..." tmpdir=/tmp/client-tar.$$ mkdir $tmpdir cp company.ovpn $tmpdir/company.ovpn cp keys/ca.crt $tmpdir cp keys/$client.key $tmpdir/client.key cp keys/$client.crt $tmpdir/client.crt tar -C $tmpdir -czvf $tarball . rm -rf $tmpdir echo "...tarball created" else echo "Nothing to do, so nothing done. (keys/$client.tgz already exists)" fi
尝试–batch标志
./build-key --batch client1
我脑中想到的最快的是expect ; 它允许您自动执行这些命令行交互。
EasyRSA的新版本现在作为一个单一的二进制文件。 要自动构build客户端密钥,现在可以使用“vars”文件(只需将它放在与easyrsa二进制文件相同的目录中):
if [ -z "$EASYRSA_CALLER" ]; then echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2 echo "This is no longer necessary and is disallowed. See the section called" >&2 echo "'How to use this file' near the top comments for more details." >&2 return 1 fi set_var EASYRSA "$PWD" set_var EASYRSA_OPENSSL "openssl" set_var EASYRSA_PKI "$EASYRSA/pki" set_var EASYRSA_DN "org" set_var EASYRSA_REQ_COUNTRY "Country" set_var EASYRSA_REQ_PROVINCE "Province" set_var EASYRSA_REQ_CITY "City" set_var EASYRSA_REQ_ORG "Org Ltd" set_var EASYRSA_REQ_EMAIL "[email protected]" set_var EASYRSA_REQ_OU "Infrastructure" set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_ALGO rsa set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_CERT_EXPIRE 365 set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
并使用EasyRSA的二进制文件:
./easyrsa build-client-full client1 nopass
这与我使用的相似。 希望这可以帮助别人,花了我几个小时才弄明白这一点。 确保你在easy-rsa目录下执行,不要忘记input./vars
(echo -en "\n\n\n\n\n\n\n\n"; sleep 1; echo -en "\n"; sleep 1; echo -en "\n"; sleep 3; echo -en "yes"; echo -en "\n"; sleep 3; echo -en "yes"; echo -en "\n") | ./build-key $key_id
我有同样的问题。
我find的解决scheme是:
echo -en“\ n \ n \ n \ n \ n \ n \ n \ ny \ ny \ n”| ./build-key client1