linux
s_pyanov, 2016-01-14 00:44:56

Automatic certificate generation for vpn needs, how?

Good day to all.
Essence of the question:
There is an openvpn server; all the necessary certificates, keys, dh, etc. are generated on it. There are one and a half hundred computers (may change upwards at any time) with which you need to establish a connection.
Question: How to generate and sign such a number of certificates automatically? I understand that I need to use a loop, but how can I pass parameters to easy-rsa so that it does not work interactively (stops my loops waiting for a response or a name or password)? Maybe use openssl directly without easy-rsa? And in general, what is the best way for me to try to solve this problem (writing a script) - in bash or use, for example, python?
PS It is not necessary to create a request from each machine! Everything needs to be done on a computer with a certification authority and later distributed to client computers.


1 answer(s)
Stanislav Makarov, 2016-01-14
@s_pyanov

You must pass all the necessary data to openssl on the command line, for example, the -subj switch and the -passin and -passout switches to specify passwords for private key files. Everything else, if it does not change for you (and only the subject will apparently change for you), can be safely specified in openssl.conf; there is an example config in easy-rsa. You can specify a different config file name for any of the openssl commands with the -config key.
Oh yes, also read about the -batch option https://www.openssl.org/docs/manmaster/apps/ca.html , maybe it will come in handy too.
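
The approach described in the answer above (-subj, -passin/-passout, -config and -batch), as an added example that is not part of the original thread. Assumptions: the directory layout, the file names, the throwaway demo CA, the minimal config written for this example (not the easy-rsa sample) and the constructed client names pc001..pc003 are all hypothetical.

```sh
#!/bin/sh
# Added example: non-interactive CA plus per-client certificates for a VPN.
set -eu

make_ca() {   # $1 = CA directory (hypothetical layout)
  dir=$1
  mkdir -p "$dir/newcerts" "$dir/clients"
  : > "$dir/index.txt"; echo 01 > "$dir/serial"
  # CA passphrase lives in a 0600 file, so it never shows up in argv / ps output
  ( umask 077; openssl rand -hex 24 > "$dir/ca.pass" )
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_cn
unique_subject = no
x509_extensions = client_ext
[ policy_cn ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
  ( umask 077; openssl req -x509 -new -newkey rsa:2048 -days 3650 -subj "/CN=Demo VPN CA" \
      -config "$dir/openssl.cnf" -extensions v3_ca -passout "file:$dir/ca.pass" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null )
}

issue_client() {   # $1 = CA directory, $2 = client name (used as CN and file name)
  dir=$1; cn=$2
  case $cn in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac   # reject names that could escape clients/
  # -nodes: client key left unencrypted for unattended VPN start (assumption)
  ( umask 077; openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" -config "$dir/openssl.cnf" \
      -keyout "$dir/clients/$cn.key" -out "$dir/clients/$cn.csr" 2>/dev/null )
  openssl ca -batch -notext -config "$dir/openssl.cnf" -cert "$dir/ca.crt" -keyfile "$dir/ca.key" \
    -passin "file:$dir/ca.pass" -in "$dir/clients/$cn.csr" -out "$dir/clients/$cn.crt"
}

demo=$(mktemp -d)   # constructed demo run
make_ca "$demo"
for name in pc001 pc002 pc003; do issue_client "$demo" "$name"; done
```

Because the private keys are generated on the CA host, each `clients/<name>.key` has to reach its machine over an authenticated, encrypted channel and be removed from the CA host afterwards.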
