update for multiple servers on one host
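#!/bin/bash
# client-cert-helper: issue (if not already present) and export the client
# certificate <common_name> for the OpenVPN server instance <name>.
#
# Usage: client-cert-helper <name> <common_name>
#   name         server instance; selects /etc/openvpn/easy-rsa-<name>,
#                ca-<name>.crt and ta-<name>.key
#   common_name  CN of the client certificate to issue/export
#
# Outputs the keyfiles to stdout as tar.gz. The archive holds the client's
# private key, the CA certificate and the tls-auth key, so the caller must
# treat the stream as secret. Diagnostics go to /tmp/vpn-mk-client-cert.log
# (stderr is redirected there).
# Exit status: 0 on success, 2 on a usage error, 1 if the CA file is missing
# or a name is invalid, otherwise the status of the failing command (set -e).
set -eE -o pipefail

# Diagnostics go to a fixed log file so the caller can inspect failures.
# NOTE(review): the path is predictable and lives in shared /tmp; on a
# multi-user host a directory under /run or /var/log would be safer. Kept
# because callers may read this exact path.
rm -f /tmp/vpn-mk-client-cert.log
exec 2>/tmp/vpn-mk-client-cert.log

# Print a message to stderr (the log) and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Both arguments are required and are used to build filesystem paths, so
# reject values that would leave the easy-rsa tree or be parsed as options
# by easyrsa/cp.
if (( $# < 2 )); then
  printf 'usage: %s <name> <common_name>\n' "${0##*/}" >&2
  exit 2
fi
name=$1
common_name=$2
for v in "$name" "$common_name"; do
  if [[ -z $v || $v == */* || $v == -* || $v == . || $v == .. ]]; then
    die "error: invalid name or common_name: '$v'"
  fi
done

echo "common_name=$common_name" >&2

# Newer layouts keep per-instance server config under /etc/openvpn/server.
server_dir=/etc/openvpn
if [[ -e /etc/openvpn/server ]]; then
  server_dir=/etc/openvpn/server
fi

cafile=$server_dir/ca-$name.crt

### begin section roughly copied from vpn-server-setup
# easy-rsa 3 (easyrsa + pki/) is assumed by default; an easy-rsa 2 tree is
# recognised by its build-ca script and uses the flat keys/ directory.
rsadir=/etc/openvpn/easy-rsa-$name
new=true
keyfiles=(
  "$rsadir/pki/private/$common_name.key"
  "$rsadir/pki/issued/$common_name.crt"
)
if [[ -e $rsadir/build-ca ]]; then
  new=false
  keyfiles=(
    "$rsadir/keys/$common_name.key"
    "$rsadir/keys/$common_name.crt"
  )
fi
### end section roughly copied from vpn-server-setup

# The original used a mistyped `echo:` here, so the message was never written
# and the script died with status 127 (command not found) instead of 1.
if [[ ! -e $cafile ]]; then
  die "error: no cafile found at $cafile"
fi

# Only issue a new certificate when one of the expected files is missing.
exists=true
for x in "${keyfiles[@]}"; do
  if [[ ! -e $x ]]; then
    exists=false
    break
  fi
done

if [[ $exists == false ]]; then
  cd "$rsadir" || die "error: cannot cd to $rsadir"
  if [[ $new == true ]]; then
    ./easyrsa build-client-full "$common_name" nopass >/dev/null
  else
    # easy-rsa 2: build-key is interactive; accept the DN defaults, set the
    # CN, then answer the sign/commit questions after a short pause.
    # shellcheck disable=SC1091
    source vars >/dev/null
    # NOTE(review): build-key names its output after its argument ($name),
    # while keyfiles above expect keys/$common_name.* -- confirm against
    # vpn-server-setup whether "$common_name" is intended here.
    { echo -e '\n\n\n\n\n'"$common_name"'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key "$name" >/dev/null
  fi
fi

# Stage the files in a private (mktemp -d) directory and remove it on every
# exit path, so private-key material does not linger after a failed cp/tar.
d=$(mktemp -d) || die "error: mktemp failed"
cleanup() { rm -rf -- "${d:?}"; }
trap cleanup EXIT
cp -- "$server_dir/ta-$name.key" "$cafile" "$d"
for f in "${keyfiles[@]}"; do
  # Exported as <name>.key / <name>.crt regardless of the CN-based source name.
  cp -- "$f" "$d/$name.${f##*.}"
done

tar cz -C "$d" .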