1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
#!/usr/bin/env python3
#
# Copyright (C) 2022, VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from os import system
from vyos.pki import create_private_key
from vyos.pki import create_certificate_request
from vyos.pki import create_certificate
from vyos.pki import create_certificate_revocation_list
from vyos.pki import create_dh_parameters
from vyos.pki import encode_certificate
from vyos.pki import encode_dh_parameters
from vyos.pki import encode_private_key
subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'vyos'}
ca_subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'vyos CA'}
subca_subject = {'country': 'DE', 'state': 'BY', 'locality': 'Cloud', 'organization': 'VyOS', 'common_name': 'vyos SubCA'}
ca_cert = '/config/auth/ovpn_test_ca.pem'
ca_key = '/config/auth/ovpn_test_ca.key'
ca_cert_chain = '/config/auth/ovpn_test_chain.pem'
ca_crl = '/config/auth/ovpn_test_ca.crl'
subca_cert = '/config/auth/ovpn_test_subca.pem'
subca_csr = '/tmp/subca.csr'
subca_key = '/config/auth/ovpn_test_subca.key'
ssl_cert = '/config/auth/ovpn_test_server.pem'
ssl_key = '/config/auth/ovpn_test_server.key'
dh_pem = '/config/auth/ovpn_test_dh.pem'
s2s_key = '/config/auth/ovpn_test_site2site.key'
auth_key = '/config/auth/ovpn_test_tls_auth.key'
def create_cert(subject, cert_path, key_path, sign_by=None, sign_by_key=None, ca=False, sub_ca=False):
priv_key = create_private_key('rsa', 2048)
cert_req = create_certificate_request(subject, priv_key)
cert = create_certificate(
cert_req,
sign_by if sign_by else cert_req,
sign_by_key if sign_by_key else priv_key,
is_ca=ca, is_sub_ca=sub_ca)
with open(cert_path, 'w') as f:
f.write(encode_certificate(cert))
with open(key_path, 'w') as f:
f.write(encode_private_key(priv_key))
return cert, priv_key
def create_empty_crl(crl_path, sign_by, sign_by_key):
crl = create_certificate_revocation_list(sign_by, sign_by_key, [1])
with open(crl_path, 'w') as f:
f.write(encode_certificate(crl))
return crl
if __name__ == '__main__':
# Create Root CA
ca_cert_obj, ca_key_obj = create_cert(ca_subject, ca_cert, ca_key, ca=True)
# Create Empty CRL
create_empty_crl(ca_crl, ca_cert_obj, ca_key_obj)
# Create Intermediate CA
subca_cert_obj, subca_key_obj = create_cert(
subca_subject, subca_cert, subca_key,
sign_by=ca_cert_obj, sign_by_key=ca_key_obj,
ca=True, sub_ca=True)
# Create Chain
with open(ca_cert_chain, 'w') as f:
f.write(encode_certificate(subca_cert_obj) + "\n")
f.write(encode_certificate(ca_cert_obj) + "\n")
# Create Server Cert
create_cert(subject, ssl_cert, ssl_key, sign_by=subca_cert_obj, sign_by_key=subca_key_obj)
# Create DH params
dh_params = create_dh_parameters()
with open(dh_pem, 'w') as f:
f.write(encode_dh_parameters(dh_params))
# OpenVPN S2S Key
system(f'openvpn --genkey secret {s2s_key}')
# OpenVPN Auth Key
system(f'openvpn --genkey secret {auth_key}')
|
