build-ca: Add instructions and confirmation for TLS Key re-use
Add detailed instructions for TLS Key re-use.
Add confirmation for TLS Key re-use.

init-pki soft: Correct TLS Key file hash value.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Sep 4, 2024
1 parent 79cc3f9 commit 3855f6a
Showing 1 changed file with 30 additions and 3 deletions.
33 changes: 30 additions & 3 deletions easyrsa3/easyrsa
Expand Up @@ -1405,9 +1405,11 @@ and initialize a fresh PKI here."
tls_key_hash="$(
"$EASYRSA_OPENSSL" dgst -sha256 \
"$tls_key_file")"
tls_key_hash="${tls_key_hash##* }"
old_tls_key_hash="$(
"$EASYRSA_OPENSSL" dgst -sha256 \
"$old_tls_key_file")"
old_tls_key_hash="${old_tls_key_hash##* }"
[ "$tls_key_hash" = "$old_tls_key_hash" ] || \
user_error "\
Easy-RSA TLS Keys do not match, only ONE of these files is valid:
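Review bot: the mismatch check after the two `dgst` calls passes when both hashes are empty, so a failed or unreadable `"$EASYRSA_OPENSSL" dgst -sha256 "$tls_key_file"` makes `[ "$tls_key_hash" = "$old_tls_key_hash" ]` succeed and the "do not match" error is never raised. The `${tls_key_hash##* }` trimming is the right fix for the `SHA256(file)= <hex>` output format, but it also reduces any error text to its last word; add a non-empty guard such as `[ -n "$tls_key_hash" ] && [ -n "$old_tls_key_hash" ]` (or fail on the openssl exit status) before comparing.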
Expand Down Expand Up @@ -1461,7 +1463,7 @@ Please delete the key above that is no longer in use."
Previous Easy-RSA TLS key saved to:
* $old_tls_key_file${NL}"
else
# if an old TLD key still exists then notify user
# if an OLD TLS key still exists then notify user
if [ -f "$old_tls_key_file" ]; then
tls_msg="${NL}
Existing Easy-RSA TLS key preserved:
Expand Down Expand Up @@ -1669,11 +1671,34 @@ Unable to create necessary PKI files (permissions?)"
unset -v err_msg

# If one exists then recreate TLS Key
tls_key_file="$EASYRSA_PKI/private/easyrsa-tls.key"
tls_key_file="$EASYRSA_PKI"/private/easyrsa-tls.key
old_tls_key_file="$EASYRSA_PKI"/easyrsa-keepsafe-tls.key
if [ -f "$old_tls_key_file" ]; then
confirm "Re-install existing Easy-RSA TLS Key ? " yes "
An Easy-RSA TLS Key, saved by 'init-pki soft', has been found.
This TLS Key is in use by your VPN, it is recommended that you
re-install this TLS Key.

Note:
This a private key and will NOT be added to new inline files.

To create a new Easy-RSA TLS Key, delete this old TLS Key above."
cp "$old_tls_key_file" "$tls_key_file" || \
warn "Failed to install TLS Key!"
tls_key_msg="${NL}
NOTICE: The previous Easy-RSA TLS Key has been installed:
* $tls_key_file

This TLS Key will NOT be added to new inline files. These new
inline files can then be easily distributed to your servers and
clients. The TLS Key that your servers and clients have previously
received, can be added to the inline file manually.

To re-enable automatically adding this TLS Key to inline files,
simply delete the backup TLS Key at:
* $old_tls_key_file

To create a new Easy-RSA TLS Key, delete both TLS Keys above."
else
tls_key_msg="${NL}
Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'"
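Review bot: `cp "$old_tls_key_file" "$tls_key_file" || warn "Failed to install TLS Key!"` only warns on failure, yet `tls_key_msg` is then set unconditionally to "NOTICE: The previous Easy-RSA TLS Key has been installed", so a user whose copy failed is told the key is in place; use `user_error` (as the hash-mismatch path above does) or set the notice only when `cp` succeeds. Two smaller points in the same block: the `confirm` prompt says "delete this old TLS Key above" but the prompt text itself never prints `$old_tls_key_file`, so the path should be included there; and "This a private key" in the Note is missing "is". Since this is a private key being copied with plain `cp`, it is also worth confirming the resulting file mode under `private/` is as restrictive as the original.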
Expand Down Expand Up @@ -1940,7 +1965,9 @@ Prior to signing operations, place your resulting Sub-CA cert at:
else
notice "\
CA creation complete. Your new CA certificate is at:
* $out_file${tls_key_msg}"
* $out_file${tls_key_msg}

Build-ca completed successfully."
fi
} # => build_ca()
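Review bot: "Build-ca completed successfully." is appended to the notice in the `else` branch regardless of whether the TLS Key re-install in the earlier hunk only produced a `warn`, so the success line can follow a failed key install; either make that failure fatal or condition this line on it. Minor style: the command is spelled `build-ca` elsewhere in the file, so "Build-ca" is inconsistent.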


0 comments on commit 3855f6a
