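#!/bin/sh
#
# One-shot initialisation for the ocserv container: on first run create a
# private CA plus a server and a client certificate under /etc/ocserv/certs,
# export the client identity as PKCS#12, patch the network settings in
# /etc/ocserv/ocserv.conf and create the first VPN user. Later runs detect
# the existing server certificate and exit immediately.
#
# Required environment variables (operator supplied):
#   VPN_DOMAIN               - server name; CN / dns_name of the server cert
#   VPN_USERNAME             - name of the initial ocpasswd user
#   VPN_PASSWORD             - password for that user and for client.p12
#   VPN_NETWORK, VPN_NETMASK - ipv4-network / ipv4-netmask in ocserv.conf
#   LAN_NETWORK, LAN_NETMASK - written as the no-route entry in ocserv.conf
#
# Outputs: key/certificate files in /etc/ocserv/certs, a modified
#          /etc/ocserv/ocserv.conf and /etc/ocserv/ocpasswd; progress on stdout.
# Returns: 0 when done or already initialised; non-zero if a required
#          variable is missing or any command fails (set -e).

set -e

cert_dir=/etc/ocserv/certs
ocserv_conf=/etc/ocserv/ocserv.conf
ocpasswd_file=/etc/ocserv/ocpasswd

# Idempotency guard: the server certificate is produced late in the sequence,
# so its presence is taken as "initialisation completed".
if [ -f "${cert_dir}/server-cert.pem" ]; then
  echo "Initialized!"
  exit 0
fi
echo "Initializing ..."

# Fail before anything is written if a required variable is unset or empty.
# Without this, an empty VPN_DOMAIN yields a certificate with an empty CN and
# an empty VPN_PASSWORD an unprotected PKCS#12 file and VPN account.
: "${VPN_DOMAIN:?VPN_DOMAIN must be set}"
: "${VPN_USERNAME:?VPN_USERNAME must be set}"
: "${VPN_PASSWORD:?VPN_PASSWORD must be set}"
: "${VPN_NETWORK:?VPN_NETWORK must be set}"
: "${VPN_NETMASK:?VPN_NETMASK must be set}"
: "${LAN_NETWORK:?LAN_NETWORK must be set}"
: "${LAN_NETMASK:?LAN_NETMASK must be set}"

mkdir -p "${cert_dir}"
cd "${cert_dir}" || exit 1

# certtool templates. The CA template contains no variables and is quoted;
# the server and client heredocs are deliberately unquoted so ${VPN_DOMAIN}
# is expanded into them.
cat > ca.tmpl <<'_EOF_'
cn = "ocserv Root CA"
organization = "ocserv"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

cat > server.tmpl <<_EOF_
cn = "${VPN_DOMAIN}"
dns_name = "${VPN_DOMAIN}"
organization = "ocserv"
serial = 2
expiration_days = 3650
encryption_key
signing_key
tls_www_server
_EOF_

cat > client.tmpl <<_EOF_
cn = "client@${VPN_DOMAIN}"
uid = "client"
unit = "ocserv"
expiration_days = 3650
signing_key
tls_www_client
_EOF_

# NOTE(review): certtool writes the *-key.pem files with the process umask;
# whether they end up world-readable depends on the container's umask.
# Restricting them to 0600 is the safe default — confirm ocserv still reads
# server-key.pem (it is loaded by the root-owned security module) before
# tightening.

# gen ca keys
certtool --generate-privkey \
  --outfile ca-key.pem

certtool --generate-self-signed \
  --load-privkey ca-key.pem \
  --template ca.tmpl \
  --outfile ca.pem

# gen server keys
certtool --generate-privkey \
  --outfile server-key.pem

certtool --generate-certificate \
  --load-privkey server-key.pem \
  --load-ca-certificate ca.pem \
  --load-ca-privkey ca-key.pem \
  --template server.tmpl \
  --outfile server-cert.pem

# gen client keys
certtool --generate-privkey \
  --outfile client-key.pem

certtool --generate-certificate \
  --load-privkey client-key.pem \
  --load-ca-certificate ca.pem \
  --load-ca-privkey ca-key.pem \
  --template client.tmpl \
  --outfile client-cert.pem

# Bundle the client identity as PKCS#12 for import on the VPN client.
# 3des-pkcs12 is a legacy cipher; it is kept here because the original
# script chose it, presumably for client import compatibility — TODO confirm
# which clients still need it before switching to a modern PKCS#12 cipher.
# NOTE(review): --password places the secret on certtool's argv, where it is
# visible to other processes in the container (ps) while certtool runs.
certtool --to-p12 \
  --pkcs-cipher 3des-pkcs12 \
  --load-ca-certificate ca.pem \
  --load-certificate client-cert.pem \
  --load-privkey client-key.pem \
  --outfile client.p12 \
  --outder \
  --p12-name "${VPN_DOMAIN}" \
  --password "${VPN_PASSWORD}"

# Patch the network settings in place. The values are inserted verbatim into
# sed replacement text with '@' as delimiter, so a value containing '@', '&'
# or '\' would corrupt the config; acceptable for operator-supplied settings
# validated above, not for anything less trusted.
sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
  -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" \
  -e "s@^no-route =.*@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@" "${ocserv_conf}"

# Create the first VPN user. printf instead of echo: under /bin/sh (dash)
# echo interprets backslash escapes and a password beginning with '-' would
# be taken as an option, so the stored password could differ from the one
# supplied.
printf '%s\n' "${VPN_PASSWORD}" | ocpasswd -c "${ocpasswd_file}" "${VPN_USERNAME}"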