Re: [Openvpn-devel] [easy-rsa 3/4] build: doc
Looks good. Moves docs into a separate directory with its own makefile. Provided that patch 2/4 was sane autotools-wise, I give this one an ACK.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

> Signed-off-by: Alon Bar-Lev> --- > Makefile.am |2 +- > configure.ac|1 + > doc/Makefile.am | 16 > doc/README-1.0 | 161 > doc/README-2.0 | 229 > +++ > easy-rsa/1.0/README | 161 > easy-rsa/2.0/README | 229 > --- > 7 files changed, 408 insertions(+), 391 deletions(-) > create mode 100644 doc/Makefile.am > create mode 100644 doc/README-1.0 > create mode 100644 doc/README-2.0 > delete mode 100644 easy-rsa/1.0/README > delete mode 100644 easy-rsa/2.0/README > > diff --git a/Makefile.am b/Makefile.am > index f6433d5..743da35 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -33,7 +33,7 @@ MAINTAINERCLEANFILES = \ > $(srcdir)/depcomp $(srcdir)/aclocal.m4 \ > $(srcdir)/config.guess $(srcdir)/config.sub > > -EXTRA_DIST = easy-rsa > +EXTRA_DIST = doc easy-rsa > > dist_doc_DATA = \ > COPYRIGHT.GPL \ > diff --git a/configure.ac b/configure.ac > index f9625e5..1e52ece 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -47,5 +47,6 @@ AC_SUBST([easyrsadir]) > > AC_CONFIG_FILES([ > Makefile > + doc/Makefile > ]) > AC_OUTPUT > diff --git a/doc/Makefile.am b/doc/Makefile.am > new file mode 100644 > index 000..de183c6 > --- /dev/null > +++ b/doc/Makefile.am 
> @@ -0,0 +1,16 @@ > +# > +# Easy-RSA -- This is a small RSA key management package, based on the > openssl > +# command line tool, that can be found in the easy-rsa > subdirectory > +# of the OpenVPN distribution. While this tool is primary > concerned > +# with key management for the SSL VPN application space, it can > also > +# be used for building web certificates. > +# > +# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. > +# Copyright (C) 2006-2012 Alon Bar-Lev > +# > + > +MAINTAINERCLEANFILES = \ > + $(srcdir)/Makefile.in > + > +dist_doc_DATA = README-2.0 > +dist_noinst_DATA = README-1.0 > diff --git a/doc/README-1.0 b/doc/README-1.0 > new file mode 100644 > index 000..fd424ef > --- /dev/null > +++ b/doc/README-1.0 
> @@ -0,0 +1,161 @@ > +This is a small RSA key management package, > +based on the openssl command line tool, that > +can be found in the easy-rsa subdirectory > +of the OpenVPN distribution. > + > +These are reference notes. For step > +by step instructions, see the HOWTO: > + > +http://openvpn.net/howto.html > + > +INSTALL > + > +1. Edit vars. > +2. Set KEY_CONFIG to point to the openssl.cnf file > + included in this distribution. > +3. Set KEY_DIR to point to a directory which will > + contain all keys, certificates, etc. This > + directory need not exist, and if it does, > + it will be deleted with rm -rf, so BE > + CAREFUL how you set KEY_DIR. > +4. (Optional) Edit other fields in vars > + per your site data. You may want to > + increase KEY_SIZE to 2048 if you are > + paranoid and don't mind slower key > + processing, but certainly 1024 is > + fine for testing purposes. KEY_SIZE > + must be compatible across both peers > + participating in a secure SSL/TLS > + connection. > +5 . vars > +6. ./clean-all > +7. As you create certificates, keys, and > + certificate signing requests, understand that > + only .key files should be kept confidential. > + .crt and .csr files can be sent over insecure > + channels such as plaintext email. > +8. You should never need to copy a .key file > + between computers. Normally each computer > + will have its own certificate/key pair. > + > +BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY > + > +1. ./build-ca > +2. ca.crt and ca.key will be built in your KEY_DIR > + directory > + > +BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional) > + > +1. ./build-inter inter > +2. inter.crt and inter.key will be built in your KEY_DIR > + directory and signed with your root certificate. > + > +BUILD DIFFIE-HELLMAN PARAMETERS (necessary for > +the server end of a SSL/TLS connection). > + > +1. 
./build-dh > + > +BUILD A CERTIFICATE SIGNING REQUEST (If > +you want to sign your certificate with a root > +certificate controlled by another individual > +or organization, or residing on a different machine). > + > +1. Get ca.crt (the root certificate) from your > + certificate authority. Though this > + transfer can be over an insecure channel, to prevent > + man-in-the-middle attacks you must confirm that > + ca.crt was not tampered with. Large CAs solve this > + problem by hardwiring their
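Review bot: The top-level Makefile.am hunk adds "doc" to EXTRA_DIST, but no SUBDIRS entry for it is visible, even though the configure.ac hunk adds doc/Makefile to AC_CONFIG_FILES. If SUBDIRS is not set elsewhere, make never recurses into doc/, so the "dist_doc_DATA = README-2.0" line in doc/Makefile.am installs nothing, and EXTRA_DIST copies the whole directory into the tarball regardless of what doc/Makefile.am declares. Suggest "SUBDIRS = doc" in place of the EXTRA_DIST entry, or a sentence in the commit message naming the patch in the series that wires the subdirectory in.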
[Openvpn-devel] [easy-rsa 3/4] build: doc
Signed-off-by: Alon Bar-Lev--- Makefile.am |2 +- configure.ac|1 + doc/Makefile.am | 16 doc/README-1.0 | 161 doc/README-2.0 | 229 +++ easy-rsa/1.0/README | 161 easy-rsa/2.0/README | 229 --- 7 files changed, 408 insertions(+), 391 deletions(-) create mode 100644 doc/Makefile.am create mode 100644 doc/README-1.0 create mode 100644 doc/README-2.0 delete mode 100644 easy-rsa/1.0/README delete mode 100644 easy-rsa/2.0/README diff --git a/Makefile.am b/Makefile.am index f6433d5..743da35 100644 --- a/Makefile.am +++ b/Makefile.am @@ -33,7 +33,7 @@ MAINTAINERCLEANFILES = \ $(srcdir)/depcomp $(srcdir)/aclocal.m4 \ $(srcdir)/config.guess $(srcdir)/config.sub -EXTRA_DIST = easy-rsa +EXTRA_DIST = doc easy-rsa dist_doc_DATA = \ COPYRIGHT.GPL \ diff --git a/configure.ac b/configure.ac index f9625e5..1e52ece 100644 --- a/configure.ac +++ b/configure.ac @@ -47,5 +47,6 @@ AC_SUBST([easyrsadir]) AC_CONFIG_FILES([ Makefile + doc/Makefile ]) AC_OUTPUT diff --git a/doc/Makefile.am b/doc/Makefile.am new file mode 100644 index 000..de183c6 --- /dev/null +++ b/doc/Makefile.am @@ -0,0 +1,16 @@ +# +# Easy-RSA -- This is a small RSA key management package, based on the openssl +# command line tool, that can be found in the easy-rsa subdirectory +# of the OpenVPN distribution. While this tool is primary concerned +# with key management for the SSL VPN application space, it can also +# be used for building web certificates. +# +# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. +# Copyright (C) 2006-2012 Alon Bar-Lev +# + +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +dist_doc_DATA = README-2.0 +dist_noinst_DATA = README-1.0 diff --git a/doc/README-1.0 b/doc/README-1.0 new file mode 100644 index 000..fd424ef --- /dev/null +++ b/doc/README-1.0 
@@ -0,0 +1,161 @@ +This is a small RSA key management package, +based on the openssl command line tool, that +can be found in the easy-rsa subdirectory +of the OpenVPN distribution. + +These are reference notes. For step +by step instructions, see the HOWTO: + +http://openvpn.net/howto.html + +INSTALL + +1. Edit vars. +2. Set KEY_CONFIG to point to the openssl.cnf file + included in this distribution. +3. Set KEY_DIR to point to a directory which will + contain all keys, certificates, etc. This + directory need not exist, and if it does, + it will be deleted with rm -rf, so BE + CAREFUL how you set KEY_DIR. +4. (Optional) Edit other fields in vars + per your site data. You may want to + increase KEY_SIZE to 2048 if you are + paranoid and don't mind slower key + processing, but certainly 1024 is + fine for testing purposes. KEY_SIZE + must be compatible across both peers + participating in a secure SSL/TLS + connection. +5 . vars +6. ./clean-all +7. As you create certificates, keys, and + certificate signing requests, understand that + only .key files should be kept confidential. + .crt and .csr files can be sent over insecure + channels such as plaintext email. +8. You should never need to copy a .key file + between computers. Normally each computer + will have its own certificate/key pair. + +BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY + +1. ./build-ca +2. ca.crt and ca.key will be built in your KEY_DIR + directory + +BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional) + +1. ./build-inter inter +2. inter.crt and inter.key will be built in your KEY_DIR + directory and signed with your root certificate. + +BUILD DIFFIE-HELLMAN PARAMETERS (necessary for +the server end of a SSL/TLS connection). + +1. ./build-dh + +BUILD A CERTIFICATE SIGNING REQUEST (If +you want to sign your certificate with a root +certificate controlled by another individual +or organization, or residing on a different machine). + +1. 
Get ca.crt (the root certificate) from your + certificate authority. Though this + transfer can be over an insecure channel, to prevent + man-in-the-middle attacks you must confirm that + ca.crt was not tampered with. Large CAs solve this + problem by hardwiring their root certificates into + popular web browsers. A simple way to verify a root + CA is to call the issuer on the telephone and confirm + that the md5sum or sha1sum signatures on the ca.crt + files match (such as with the command: "md5sum ca.crt"). +2. Choose a name for your certificate such as your computer + name. In our example we will use "mycert". +3. ./build-req mycert +4. You can ignore most of the fields, but set + "Common Name" to something unique such as your + computer's host name. Leave all
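Review bot: In the new doc/Makefile.am, README-1.0 is listed under dist_noinst_DATA while README-2.0 is under dist_doc_DATA, and nothing in the file or the commit message says why. A one-line comment stating that the 1.0 notes ship in the tarball but are deliberately not installed would save the next maintainer from "fixing" it. The copied header comment also reads "primary concerned", which should be "primarily concerned".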
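Review bot: Step 1 of BUILD A CERTIFICATE SIGNING REQUEST in doc/README-1.0 still tells the reader to confirm ca.crt by comparing md5sum or sha1sum output, and calls those values "signatures". The file is re-added in full under its new path, so this is a convenient point to change the example to a SHA-256 digest ("sha256sum ca.crt") and call it a digest or fingerprint. INSTALL step 4 has the same age problem: it presents a KEY_SIZE of 1024 as fine for testing and 2048 as the choice for the paranoid. If the patch is meant to be a pure move, say so in the commit message and take both points in a follow-up.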