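#!/bin/bash
# client-cert-helper: emit an OpenVPN client bundle (CA cert, client cert and
# key, tls-auth key) to stdout as a tar.gz, generating the client cert with
# easy-rsa on first use.
#
# Usage: client-cert-helper NAME COMMON_NAME
#   NAME         - file-name prefix of the emitted ca/ta files; under legacy
#                  easy-rsa 2 also the cert name (keys/NAME.crt, keys/NAME.key)
#   COMMON_NAME  - certificate CN; under easy-rsa 3 the cert name
#                  (pki/issued/CN.crt, pki/private/CN.key)
# Output : tar.gz on stdout (contains an unencrypted private key).
# Errors : diagnostics go to $log (stderr is redirected there); exit 1.
set -eE -o pipefail

log=/tmp/vpn-mk-client-cert.log

# Both arguments end up in filesystem paths and on easy-rsa command lines, so
# accept only a conservative filename charset: non-empty, no leading '-' or
# '.', no '/', no whitespace. This blocks '../' traversal out of the pki tree,
# writes outside the scratch dir, and option/argument injection into easyrsa.
name=${1-}
common_name=${2-}
safe_re='^[A-Za-z0-9][A-Za-z0-9._@-]*$'
for arg in "$name" "$common_name"; do
  if ! [[ $arg =~ $safe_re ]]; then
    printf 'error: invalid name %q (allowed: %s)\n' "$arg" "$safe_re" >&2
    exit 1
  fi
done

# Log stderr to a fresh file. /tmp is world-writable, so create the log
# exclusively (noclobber -> O_EXCL: a pre-planted file or symlink makes the
# exec fail and the script exit instead of following the link) and owner-only
# (umask 077), then restore the caller's umask so bundle file modes are
# unaffected.
# NOTE(review): a root-owned directory (e.g. under /var/log) would remove the
# remaining rm/create window entirely; the path is kept for existing callers.
rm -f -- "$log"
old_umask=$(umask)
umask 077
set -C
exec 2>"$log"
set +C
umask "$old_umask"

printf 'common_name=%s\n' "$common_name" >&2

# Prefer the split server/ layout used by newer OpenVPN packages.
server_dir=/etc/openvpn
if [[ -e /etc/openvpn/server ]]; then
  server_dir=/etc/openvpn/server
fi
cafile=$server_dir/ca.crt
easyrsa_dir=/etc/openvpn/easy-rsa

# easy-rsa 2 ships build-ca and keeps everything under keys/ named by NAME;
# easy-rsa 3 uses the pki/ tree named by COMMON_NAME.
if [[ -e $easyrsa_dir/build-ca ]]; then
  layout=legacy
  keyfiles=("$easyrsa_dir/keys/$name.crt" "$easyrsa_dir/keys/$name.key")
else
  layout=new
  keyfiles=("$easyrsa_dir/pki/issued/$common_name.crt"
            "$easyrsa_dir/pki/private/$common_name.key")
fi

if [[ ! -e $cafile ]]; then
  # The original wrote this to a predictable /tmp/errors path and, via a
  # mistyped 'echo:' command, never actually emitted the text. Report on
  # stderr (the log) instead.
  printf 'error: no cafile found at %s\n' "$cafile" >&2
  exit 1
fi

# Generate only when either half of the cert/key pair is missing.
need_build=false
for f in "${keyfiles[@]}"; do
  if [[ ! -e $f ]]; then
    need_build=true
    break
  fi
done

if [[ $need_build == true ]]; then
  cd -- "$easyrsa_dir"
  if [[ $layout == new ]]; then
    # nopass: the client key is emitted unencrypted inside the tarball.
    ./easyrsa build-client-full "$common_name" nopass >/dev/null
  else
    # shellcheck disable=SC1091 -- easy-rsa 2 environment file
    source vars >/dev/null
    # Feed easy-rsa 2's interactive prompts: accept defaults, supply the CN,
    # then confirm sign and commit. The sleep keeps the two 'y' answers from
    # being consumed before the CN prompts (as in the original).
    { printf '\n\n\n\n\n%s\n\n\n\n\n\n' "$common_name"; sleep 2; printf 'y\ny\n\n'; } \
      | ./build-key "$name" >/dev/null
  fi
fi

# Assemble the bundle in a private (0700) scratch dir and remove it on every
# exit path, so a failed copy (e.g. missing ta.key) does not leave the private
# key behind in /tmp.
bundle_dir=$(mktemp -d)
trap 'rm -rf -- "${bundle_dir:?}"' EXIT
cp -- "$cafile" "$bundle_dir/$name-ca.crt"
cp -- "${keyfiles[@]}" "$bundle_dir"
# A missing tls-auth key aborts (set -e) rather than emitting a partial bundle.
cp -- "$server_dir/ta.key" "$bundle_dir/$name-ta.key"

tar cz -C "$bundle_dir" .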