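#!/bin/bash
# client-cert-helper: issue (if needed) an OpenVPN client certificate and
# emit a gzipped tarball of the client's credential files on stdout.
#
# Usage: client-cert-helper <name> <common_name>
#   name         - file-name prefix for the emitted ca/ta files (and the
#                  key-pair file base under legacy easy-rsa 2.x)
#   common_name  - certificate CN; also the key-pair file base under
#                  easy-rsa 3.x
#
# Two easy-rsa layouts under /etc/openvpn/easy-rsa are supported:
#   easy-rsa 3.x: ./easyrsa build-client-full, files under pki/
#   easy-rsa 2.x: ./build-key (detected via ./build-ca), files under keys/
#
# stdout: tar.gz containing <name>-ca.crt, <name>-ta.key and the client
#         .crt/.key pair. This stream carries private key material; the
#         caller decides where it lands.
# stderr: redirected to /tmp/vpn-mk-client-cert.log (see note below).
set -eE -o pipefail

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Validate arguments before stderr is redirected so a misuse is reported
# to the invoker instead of being buried in the log file.
name=$1
common_name=$2
[[ -n $name && -n $common_name ]] \
  || die "usage: ${0##*/} <name> <common_name>"
# Both values are spliced into file paths and passed as arguments to the
# easy-rsa tools; reject path separators, '.'/'..' and option-looking
# values so a crafted name cannot escape the pki directory or be parsed
# as a flag.
for v in "$name" "$common_name"; do
  [[ $v != */* && $v != -* && $v != . && $v != .. ]] \
    || die "error: invalid name '$v' (no '/', '.', '..' or leading '-')"
done

# NOTE(review): a fixed log path in a world-writable directory is a known
# weakness (another local user could pre-create a symlink there). Kept
# for compatibility with whatever consumes this log; a hardened deployment
# should move it under /var/log or /run.
rm -f /tmp/vpn-mk-client-cert.log
exec 2>/tmp/vpn-mk-client-cert.log

printf 'common_name=%s\n' "$common_name" >&2

# Newer OpenVPN packages keep the server config (and ca.crt/ta.key) in a
# server/ subdirectory.
server_dir=/etc/openvpn
if [[ -e /etc/openvpn/server ]]; then
  server_dir=/etc/openvpn/server
fi

cafile=$server_dir/ca.crt
tafile=$server_dir/ta.key

easyrsa_dir=/etc/openvpn/easy-rsa

# Detect the easy-rsa generation: 2.x ships a build-ca script and stores
# output under keys/<name>.*; 3.x uses the easyrsa binary and pki/.
new=true
keyfiles=(
  "$easyrsa_dir/pki/issued/$common_name.crt"
  "$easyrsa_dir/pki/private/$common_name.key"
)
if [[ -e $easyrsa_dir/build-ca ]]; then
  new=false
  keyfiles=(
    "$easyrsa_dir/keys/$name.crt"
    "$easyrsa_dir/keys/$name.key"
  )
fi

# Fail early, with a message, before any certificate is issued.
[[ -e $cafile ]] || die "error: no cafile found at $cafile"
[[ -e $tafile ]] || die "error: no ta.key found at $tafile"

# Only issue a new certificate when part of the pair is missing.
exists=true
for f in "${keyfiles[@]}"; do
  if [[ ! -e $f ]]; then
    exists=false
    break
  fi
done

if [[ $exists == false ]]; then
  cd "$easyrsa_dir" || die "error: cannot cd to $easyrsa_dir"
  if [[ $new == true ]]; then
    ./easyrsa build-client-full "$common_name" nopass >/dev/null
  else
    # shellcheck disable=SC1091 — easy-rsa 2.x environment file
    source vars >/dev/null
    # build-key is interactive: accept the defaults for the DN fields,
    # supply the CN, then answer the two confirmation prompts. The sleep
    # lets the first batch of answers be consumed before the confirmations
    # arrive.
    {
      printf '\n\n\n\n\n%s\n\n\n\n\n\n' "$common_name"
      sleep 2
      printf 'y\ny\n\n'
    } | ./build-key "$name" >/dev/null
  fi
fi

# Stage the bundle in a private temp dir (mktemp -d creates it 0700) and
# remove it on every exit path, including failure, so key material does
# not linger on disk.
d=$(mktemp -d) || die "error: mktemp failed"
cleanup() { rm -rf -- "${d:?}"; }
trap cleanup EXIT

cp -- "$cafile" "$d/$name-ca.crt"
cp -- "${keyfiles[@]}" "$d"
cp -- "$tafile" "$d/$name-ta.key"

tar cz -C "$d" .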