OpenVPN script but asks for pass for CA authority
Adds extra security in case server in breached. If an attacker is able to take your CA private key it is encrypted with a passphrase. The regular script allows anyone who is able to steal with CA private key to issue new clients for your VPN. Obviously your server should be protected enough your private key is not stolen in the first place, but this adds an extra level of security.
This commit is contained in:
dex4k
GitHub
parent
4255046bd6
commit
5400deadad
1 changed files with 2 additions and 2 deletions
|
|
@ -648,14 +648,14 @@ function installOpenVPN () {
|
||||||
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
|
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
|
||||||
# Create the PKI, set up the CA, the DH params and the server certificate
|
# Create the PKI, set up the CA, the DH params and the server certificate
|
||||||
./easyrsa init-pki
|
./easyrsa init-pki
|
||||||
./easyrsa --batch build-ca nopass
|
./easyrsa --batch build-ca
|
||||||
|
|
||||||
if [[ $DH_TYPE == "2" ]]; then
|
if [[ $DH_TYPE == "2" ]]; then
|
||||||
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
|
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
|
||||||
openssl dhparam -out dh.pem $DH_KEY_SIZE
|
openssl dhparam -out dh.pem $DH_KEY_SIZE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
./easyrsa build-server-full "$SERVER_NAME" nopass
|
./easyrsa build-server-full "$SERVER_NAME"
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||||
|
|
||||||
case $TLS_SIG in
|
case $TLS_SIG in
|
||||||
Loading…
Reference in a new issue