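# easy-rsa parameter settings
#
# Every setting below is exported, so it only reaches the other
# easy-rsa scripts when this file is sourced into the shell that
# runs them (executing it as a separate process has no lasting effect).

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
# It is taken from the current working directory, so source this
# file from inside the easy-rsa directory itself.
export EASY_RSA="$(pwd)"

#
# This variable should point to
# the requested executables
#
# These are bare names resolved through PATH; set absolute paths
# here if PATH is not fully trusted on this host.
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
# Both the helper path and its argument are quoted so that an
# easy-rsa tree located under a path containing spaces still works.
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
#
# This directory holds the CA and client/server private keys, so
# keep it readable by the CA operator only.
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
printf '%s\n' "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"

# PKCS11 fixes
# Placeholder values only; the real smart-card settings are the
# commented-out exports further down.
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Key size in bits for generated keys and for the one-time DH parms.
# The default is 2048: 1024-bit RSA and DH are no longer considered
# adequate protection. Larger values slow down TLS negotiation
# and the DH parms generation process.
# NOTE(review): if your server config refers to a DH file named after
# the key size, update that reference when changing this value.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
# NOTE(review): 3650 days is a long lifetime for client/server
# certificates; a shorter value limits how long a leaked key stays
# usable if it is never revoked.
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field
export KEY_NAME="EasyRSA"

# PKCS11 Smart Card
# An exported PIN is visible in the environment of every process
# started from this shell, and this file is plain text on disk;
# avoid storing a production PIN here.
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# With a shared Common Name the server can no longer tell clients
# apart by name (for example in logs or per-client configuration).
# export KEY_CN="CommonName"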
81