How to generate openvpn client key dynamically wit

2019-02-24 18:27发布

问题:

I want to generate clients key with PHP. When a client key generated it should give me the expiry date of the key.

root@zohaib-VirtualBox:/etc/openvpn/easy-rsa# ./build-key client1

Generating a 2048 bit RSA private key .............................................................+++ ............................+++

writing new private key to 'client1.key' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value,

If you enter '.', the field will be left blank. Country Name (2 letter code) [GB]:

State or Province Name (full name) [London]:

Locality Name (eg, city) [London]:

Organization Name (eg, company) [Org]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [client1]:

Name [OrgServer]:

Email Address [admin@org.com]:

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf

Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'GB'

stateOrProvinceName :PRINTABLE:'London'

localityName :PRINTABLE:'London'

organizationName :PRINTABLE:'Org'

commonName :PRINTABLE:'client1'

name :PRINTABLE:'OrgServer'

emailAddress :IA5STRING:'admin@gamban.com'

Certificate is to be certified until Apr 21 15:43:47 2026 GMT (3650 days) Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

root@zohaib-VirtualBox:/etc/openvpn/easy-rsa#

回答1:

You can use shell_exec and get the result to use, for example, with a regex to match expiry the date of key etc, i.e.:

$ovpnKey = shell_exec("your command here");

The result of the command will held on var $ovpnKey.


Update:

To automatize the creation of new OpenVPN client certificates, use the following script. Make sure you edit, at least, the following variables OPENVPN_RSA_DIR OPENVPN_KEYS KEY_DOWNLOAD_PATH

#! /bin/bash
# Script to automate creating new OpenVPN clients
# The client cert and key, along with the CA cert is
# zipped up and placed somewhere to download securely
#
# H Cooper - 05/02/11
#
# Usage: new-openvpn-client.sh <common-name>

# Set where we're working from
OPENVPN_RSA_DIR=/etc/openvpn/easy-rsa/2.0
OPENVPN_KEYS=$OPENVPN_RSA_DIR/keys
KEY_DOWNLOAD_PATH=/var/www/secure

# Either read the CN from $1 or prompt for it
if [ -z "$1" ]
    then echo -n "Enter new client common name (CN): "
    read -e CN
else
    CN=$1
fi

# Ensure CN isn't blank
if [ -z "$CN" ]
    then echo "You must provide a CN."
    exit
fi

# Check the CN doesn't already exist
if [ -f $OPENVPN_KEYS/$CN.crt ]
    then echo "Error: certificate with the CN $CN alread exists!"
        echo "    $OPENVPN_KEYS/$CN.crt"
    exit
fi

# Enter the easy-rsa directory and establish the default variables
cd $OPENVPN_RSA_DIR
source ./vars > /dev/null

# Copied from build-key script (to ensure it works!)
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --batch $CN

# Take the new cert and place it somewhere it can be downloaded securely
zip -q $KEY_DOWNLOAD_PATH/$CN-`date +%d%m%y`.zip keys/$CN.crt keys/$CN.key keys/ca.crt

# Celebrate!
echo ""
echo "#############################################################"
echo "COMPLETE! Download the new certificate here:"
echo "https://domain.com/secure/$CN-`date +%d%m%y`.zip"
echo "#############################################################"

Save the above bash script as new-openvpn-client.sh and give it execute permissions.

Then use php shell_exec to generate the keys:

$ovpnKey = shell_exec("sh /full/path/to/new-openvpn-client.sh <common-name>");

Sources:

https://gist.github.com/hcooper/814247