OpenVPN script but asks for pass for CA authority

Adds extra security in case the server is breached. If an attacker is able to take your CA private key, it is encrypted with a passphrase. The regular script allows anyone who is able to steal the CA private key to issue new clients for your VPN. Obviously your server should be protected enough that your private key is not stolen in the first place, but this adds an extra level of security.
This commit is contained in:
dex4k 2019-07-15 22:41:05 +01:00 committed by GitHub
parent 4255046bd6
commit 5400deadad
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -648,14 +648,14 @@ function installOpenVPN () {
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch build-ca
if [[ $DH_TYPE == "2" ]]; then
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
openssl dhparam -out dh.pem $DH_KEY_SIZE
fi
./easyrsa build-server-full "$SERVER_NAME" nopass
./easyrsa build-server-full "$SERVER_NAME"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
case $TLS_SIG in
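Review bot: dropping `nopass` from `./easyrsa build-server-full "$SERVER_NAME"` goes beyond what the commit message describes: it encrypts the server's own private key, so openvpn will need that passphrase every time the service starts and can no longer come up unattended after a reboot. Keep `./easyrsa build-server-full "$SERVER_NAME" nopass` and limit the change to the CA. Also, `--batch` only suppresses the DN prompts, not openssl's PEM passphrase prompt, so `./easyrsa --batch build-ca` now blocks on interactive input, and the `EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl` call in the same hunk will prompt for the CA passphrase a second time because it signs with the CA key; how the passphrase is supplied (interactive entry, or EasyRSA's `--passin`/`--passout` options) should be stated in the script's documentation.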