OpenVPN easy-rsa build-key automation?


18

I have a lot of keys to generate for my client VPN server. Every time I generate one of these keys with easy-rsa:

./build-key client1

there is a series of interactive questions. All of them have default answers defined in the vars file.

Generating a 1024 bit RSA private key
............................................++++++
.......................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CO]:
Locality Name (eg, city) [Denver]:
Organization Name (eg, company) [mycompany]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [it@mycompany.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CO'
localityName          :PRINTABLE:'Denver'
organizationName      :PRINTABLE:'mycompany'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'it@mycompany.com'
Certificate is to be certified until Jan  3 20:16:04 2038 GMT (9999 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

In summary, I have to manually press the following keys:

ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
ENTER
y
ENTER
y
ENTER

Basically I just accept all the default answers and say "yes" to the last two questions. Is there any kind of --force or --quiet flag for build-key? If not, is there a script or bash trick I can use for each run? I couldn't find any man page for it.

Answers:


14

If you look at the source of build-key, you'll see that it is built on pkitool. I wrote a wrapper that packages a user's keys and the appropriate openvpn config file into a tarball, which I can then hand to my users:

#!/bin/bash

client=$1

if [ -z "$client" ]; then
    echo "Usage: $0 clientname"
    exit 1
fi

# pkitool asks no questions (build-key is pkitool with --interact), so this runs unattended
if [ ! -e "keys/$client.key" ]; then
    echo "Generating keys..."
    . vars
    ./pkitool "$client"
    echo "...keys generated." 
fi

tarball=./keys/$client.tgz

if [ ! -e "$tarball" ]; then
    echo "Creating tarball..."
    # mktemp gives an unpredictable, owner-only directory; a fixed /tmp/name.$$ can be pre-created by another user
    tmpdir=$(mktemp -d) || exit 1
    cp company.ovpn "$tmpdir/company.ovpn"
    cp keys/ca.crt "$tmpdir" 
    cp "keys/$client.key" "$tmpdir/client.key"
    cp "keys/$client.crt" "$tmpdir/client.crt"
    # the tarball carries an unencrypted private key: create it owner-readable only
    umask 077
    tar -C "$tmpdir" -czvf "$tarball" .
    rm -rf "$tmpdir"
    echo "...tarball created" 
else
    echo "Nothing to do, so nothing done. (keys/$client.tgz already exists)" 
fi

19

Try the --batch flag:

./build-key --batch client1

I tried this, but the common name was the server address rather than the name I wanted to generate, as is the behaviour without the --batch flag.
David Poxon

For me, this is the answer to the question as asked. It automates key production for most standard setups and should be the accepted answer.
James Fiss

2

The quickest thing I can think of is expect; it lets you automate these kinds of command-line interactions.


3
expect is overkill for this; easy-rsa is all shell scripts, so it's easy to hack on.
pjz

2

Newer versions of EasyRSA are now a single binary. To build client keys automatically, you can now use the "vars" file (just put it in the same directory as the easyrsa binary):

if [ -z "$EASYRSA_CALLER" ]; then
    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
    echo "This is no longer necessary and is disallowed. See the section called" >&2
    echo "'How to use this file' near the top comments for more details." >&2
    return 1
fi

set_var EASYRSA        "$PWD"
set_var EASYRSA_OPENSSL        "openssl"
set_var EASYRSA_PKI            "$EASYRSA/pki"
set_var EASYRSA_DN     "org"

set_var EASYRSA_REQ_COUNTRY    "Country"
set_var EASYRSA_REQ_PROVINCE   "Province"
set_var EASYRSA_REQ_CITY       "City"
set_var EASYRSA_REQ_ORG        "Org Ltd"
set_var EASYRSA_REQ_EMAIL      "vpn@example.com"
set_var EASYRSA_REQ_OU         "Infrastructure"

set_var EASYRSA_KEY_SIZE       2048

set_var EASYRSA_ALGO           rsa

set_var EASYRSA_CA_EXPIRE      3650
set_var EASYRSA_CERT_EXPIRE    365
set_var EASYRSA_CRL_DAYS       180

set_var EASYRSA_TEMP_FILE      "$EASYRSA_PKI/extensions.temp"

and then use the EasyRSA binary:

./easyrsa build-client-full client1 nopass


1

This is similar to what I use. Hope it helps someone; it took me a few hours to figure out. Make sure you run it from the easy-rsa directory, and don't forget to source ./vars

(echo -en "\n\n\n\n\n\n\n\n"; sleep 1; echo -en "\n"; sleep 1; echo -en "\n"; sleep 3; echo -en "yes"; echo -en "\n"; sleep 3; echo -en "yes"; echo -en "\n") | ./build-key $key_id 

0

I made a wrapper similar to pjz's, but it bundles all the required files into a single .ovpn file that can be used directly:

#!/bin/bash
cd /etc/openvpn/easy-rsa/2.0
client=$1

if [ -z "$client" ]; then
    echo "Usage: $0 clientname"
    exit 1
fi

if [ ! -e "keys/$client.key" ]; then
    echo "Generating keys..."
    . vars
    ./pkitool "$client"
    echo "...keys generated."
fi

bundle=./keys/$client.ovpn

if [ ! -e "$bundle" ]; then
    echo "Creating bundle..."
    cat keys/template.ovpn >> "$bundle"
    echo '<ca>' >> "$bundle"
    cat keys/ca.crt >> "$bundle"
    echo '</ca>' >> "$bundle"
    echo '' >> "$bundle"
    echo '<cert>' >> "$bundle"
    # easy-rsa's .crt starts with a text dump; keep only the PEM part
    awk '/BEGIN CERTIFICATE/,0' "keys/$client.crt" >> "$bundle"
    echo '</cert>' >> "$bundle"
    echo '' >> "$bundle"
    echo '<key>' >> "$bundle"
    cat "keys/$client.key" >> "$bundle"
    echo '</key>' >> "$bundle"
    echo '' >> "$bundle"
    echo "...bundle created"
else
    echo "Nothing to do, so nothing done. (keys/$client.ovpn already exists)"
fi
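An added example, written for this page and not the script of either answer above (pjz's tarball wrapper or the inline-bundle one): a POSIX sh bundler that does the same job with the checks a practitioner would want. It extracts only the BEGIN/END PEM block from easy-rsa's .crt (which begins with a text dump of the certificate), refuses to overwrite an existing bundle, and writes the output under umask 077 because the bundle embeds an unencrypted private key. The file names keys/template.ovpn, keys/ca.crt, keys/<client>.crt and keys/<client>.key are assumptions taken from the answers.

```shell
#!/bin/sh
# Added example: build a single inline .ovpn from easy-rsa 2 output.
# Assumptions (file names taken from the answers above): the keys/ directory
# holds template.ovpn (client config without cert lines), ca.crt,
# <client>.crt and <client>.key.
set -u

# Print only the PEM block(s) with the given label from a file.
# easy-rsa's .crt files start with a human-readable text dump of the
# certificate; OpenVPN tolerates it inline, but a bundle should carry only
# the BEGIN..END lines.  $1 = file, $2 = label (CERTIFICATE, PRIVATE KEY).
pem_block() {
    sed -n "/^-----BEGIN .*$2-----\$/,/^-----END .*$2-----\$/p" "$1"
}

# Assemble template + <ca>/<cert>/<key> into $3. Refuses to clobber an
# existing bundle and creates the file owner-only, because it embeds an
# unencrypted private key.  $1 = keys dir, $2 = client name, $3 = output.
make_inline_ovpn() {
    keys="$1"; client="$2"; out="$3"
    for f in "$keys/template.ovpn" "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    if [ -e "$out" ]; then
        echo "$out already exists, not overwriting" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077
    {
        cat "$keys/template.ovpn"
        echo '<ca>';   pem_block "$keys/ca.crt" CERTIFICATE;        echo '</ca>'
        echo '<cert>'; pem_block "$keys/$client.crt" CERTIFICATE;   echo '</cert>'
        echo '<key>';  pem_block "$keys/$client.key" 'PRIVATE KEY'; echo '</key>'
    } > "$out"
    status=$?
    umask "$old_umask"
    return "$status"
}

# Usage: ./make-bundle.sh client1   (writes keys/client1.ovpn; runs only with an argument)
if [ "$#" -gt 0 ]; then
    make_inline_ovpn keys "$1" "keys/$1.ovpn" && echo "bundle written to keys/$1.ovpn"
fi
```

The sed range replaces the `awk '/BEGIN CERTIFICATE/,0'` trick: it stops at the END line, so a .crt that has anything after the PEM block does not leak into the bundle, and the same function handles RSA, PKCS#8 and encrypted key headers.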

0

I was just trying to do the same thing: silently generating openvpn users on a FreeBSD box.

This resulted in a new file, aptly named ./build-key-quiet:

#!/bin/sh

# Make a certificate/private key pair using a locally generated
# root certificate.
# JP - automating my time away

cd /root/openvpn || exit 1

client=$1

if [ -z "$client" ]; then
    echo "Usage: $0 clientname"
    exit 1
fi

# pkitool (unlike build-key) asks no questions, so this runs unattended
if [ ! -e "keys/$client.key" ]; then
    echo "Generating keys..."
    . ./vars
    ./pkitool "$client"
    echo "Great Success ...keys generated."
fi

echo 'Generating ovpn Files'
cd /root/clients || exit 1
./make-client-config.sh "$client"
echo "cleaning up /tmp/ of old ovpn files..."
rm -rf /tmp/*.ovpn
cp "/root/clients/files/$client.ovpn" /tmp/
# NB: each .ovpn embeds the client's private key; 777 makes them world-readable
chmod 777 /root/clients/files/*.ovpn

echo "OVPN file generated and copied into /tmp/$client.ovpn"


Licensed under cc by-sa 3.0 with attribution required.