Hi,

I would like to report/contribute a situation I have run into.

First, I wanted to move the CA directory away from the client/server
certificate directory, because I want to use ./clean-all to refresh the
client certificates while leaving the CA untouched. So I left vars pointing
at the client keys/certs, and in openssl.cnf I changed the CA location:

[ CA_default ]

# CHANGES TO AVOID ./clean-all TO DELETE CA
dirCA           = /etc/openvpn/2.0/ca
dir             = $ENV::KEY_DIR         # Where everything is kept
certs           = $dir                  # Where the issued certs are kept
crl_dir         = $dirCA                # Where the issued crl are kept
database        = $dirCA/index.txt      # database index file.
new_certs_dir   = $dir                  # default place for new certs.

certificate     = $dirCA/ca.crt         # The CA certificate
serial          = $dirCA/serial                 # The current serial number
crl             = $dirCA/crl.pem                # The current CRL
private_key     = $dirCA/ca.key         # The private key
RANDFILE        = $dirCA/.rand          # private random number file

In the "pkitool" script that comes with OpenVPN, I noticed that when it
builds a new client/server cert it uses the openssl "-config openssl.cnf"
directive (1), but to check whether the CA exists it uses $KEY_DIR from vars (2).


(1)         # Build cert/key
        ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
                -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
            ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
                -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
            ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
                -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
            ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$KEY_CN.key" ) && \
            ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )


(2)         # Make sure CA key/cert is available
        if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
            if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
                echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
                echo "Try $PROGNAME --initca to build a root certificate/key."
                exit 1
            fi
        fi


Is that considered a bug?

Thanks in advance,

Lucas Mocellin.
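The mismatch described in the post, as an added example that is not part of the original message and not code from OpenVPN's easy-rsa: snippet (2) looks for the CA as $KEY_DIR/ca.crt and $KEY_DIR/ca.key, while snippet (1) signs with "openssl ca -config", which takes `certificate` and `private_key` from the [ CA_default ] section. The script below resolves those two paths from the config file itself (expanding $name, $ENV::NAME and nested references as the OpenSSL config parser does for this simple case) and runs the readability check against them, side by side with the $KEY_DIR-based check. The helper names (cnf_get, cnf_resolve, check_ca_in_config, demo_setup) and the temporary file layout are my own; the openssl.cnf contents are constructed to mirror the split layout from the post.

```shell
#!/bin/sh
# Added example (not from the original post nor from OpenVPN's easy-rsa).
# Resolves the CA certificate/key paths from the [ CA_default ] section of an
# openssl.cnf, the section "openssl ca -config" reads, so the "is the CA
# available?" preflight looks where the signing step will.  The config
# contents and directories created by demo_setup are constructed for the demo.

# cnf_get SECTION KEY FILE: print KEY's value from SECTION, comments stripped.
cnf_get() {
    awk -v sec="$1" -v key="$2" '
        /^[ \t]*\[/ { gsub(/[][ \t]/, ""); cur = $0; next }   # "[ CA_default ]" -> CA_default
        cur == sec {
            line = $0; sub(/[ \t]*#.*$/, "", line)             # drop trailing comment
            if (index(line, "=") == 0) next
            k = line; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) {
                v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                print v; exit
            }
        }' "$3"
}

# cnf_resolve SECTION VALUE FILE: expand $ENV::NAME from the environment and
# $name from the same section, repeating until no reference is left (bounded
# so a self-referencing config cannot loop forever).
cnf_resolve() {
    r_sec=$1; r_val=$2; r_file=$3; r_n=0
    while [ "${r_val#*\$}" != "$r_val" ] && [ "$r_n" -lt 10 ]; do
        r_n=$((r_n + 1))
        r_ref=$(printf '%s\n' "$r_val" | awk '{
            if (match($0, /\$ENV::[A-Za-z_][A-Za-z0-9_]*/) ||
                match($0, /\$[A-Za-z_][A-Za-z0-9_]*/))
                print substr($0, RSTART + 1, RLENGTH - 1) }')
        [ -n "$r_ref" ] || break
        case $r_ref in
            ENV::*) eval "r_sub=\${${r_ref#ENV::}-}" ;;          # $ENV::KEY_DIR -> $KEY_DIR
            *)      r_sub=$(cnf_get "$r_sec" "$r_ref" "$r_file") ;;  # $dirCA -> dirCA = ...
        esac
        r_val=$(printf '%s\n' "$r_val" | sed "s|\\\$$r_ref|$r_sub|")
    done
    printf '%s\n' "$r_val"
}

ca_cert_from_config() { cnf_resolve CA_default "$(cnf_get CA_default certificate "$1")" "$1"; }
ca_key_from_config()  { cnf_resolve CA_default "$(cnf_get CA_default private_key "$1")" "$1"; }

# The test pkitool performs: CA expected beside the client keys in $KEY_DIR.
check_ca_in_keydir() { [ -r "$KEY_DIR/ca.crt" ] && [ -r "$KEY_DIR/ca.key" ]; }

# The same test against the paths "openssl ca -config FILE" will actually use.
check_ca_in_config() {
    [ -r "$(ca_cert_from_config "$1")" ] && [ -r "$(ca_key_from_config "$1")" ]
}

# demo_setup: build the split layout from the post (CA outside KEY_DIR) with
# placeholder files, export KEY_DIR and set DEMO_DIR / DEMO_CNF.  Constructed data.
demo_setup() {
    DEMO_DIR=$(mktemp -d)
    mkdir -p "$DEMO_DIR/keys" "$DEMO_DIR/ca"
    : > "$DEMO_DIR/ca/ca.crt"; : > "$DEMO_DIR/ca/ca.key"   # placeholders, not real PEM
    KEY_DIR=$DEMO_DIR/keys; export KEY_DIR
    DEMO_CNF=$DEMO_DIR/openssl.cnf
    cat > "$DEMO_CNF" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dirCA           = $DEMO_DIR/ca
dir             = \$ENV::KEY_DIR         # Where everything is kept
certs           = \$dir                  # Where the issued certs are kept
database        = \$dirCA/index.txt      # database index file.
certificate     = \$dirCA/ca.crt         # The CA certificate
private_key     = \$dirCA/ca.key         # The private key
EOF
}

demo() {
    demo_setup
    if check_ca_in_keydir; then echo "KEY_DIR check:  CA found in $KEY_DIR"
    else echo "KEY_DIR check:  no ca.crt/ca.key in $KEY_DIR (pkitool would exit 1)"; fi
    if check_ca_in_config "$DEMO_CNF"; then
        echo "config check:   CA found at $(ca_cert_from_config "$DEMO_CNF")"
    else echo "config check:   CA missing"; fi
}
demo
```

With the split layout from the post, the first line reports the CA as missing (that is the check in snippet 2) while the second finds it exactly where snippet 1 will sign from, which is the inconsistency the post asks about. A preflight that resolves its paths from the same config file as the signing command cannot disagree with it.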
