ovpn-key 0.7.2 → 0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9fde0a6063ccfbd4a7f51ee4d0749ce791999dda0c4d4b5254d21c4de821a1d7
-  data.tar.gz: 54d1af5174381b59453545900ecd56d90d8aef8f240c4bd5738393e03374cbeb
+  metadata.gz: ecf480dc290e372a3b081ebc12dceb82e2f0ca22ea508cbbe622e8e1ce80b58f
+  data.tar.gz: 585a28ba43b652afd0add8b912a8ff0590ad99ffcb96abcb9929c8ca488c03b1
 SHA512:
-  metadata.gz: f979223351319b4b440c27ded450507a8d13f5a3092fdd7af26150b92cb81ea52911bb729589b0bb50f9c5fe6f22e84bed1f9f88964a88fe3958a6fa1d1e46ef
-  data.tar.gz: e5b87efe66c151a90fa3abf209c848c08615f22a6df090c07a3337bb4002fdcb903c5dd652234966b672b1994a13e6f4246af219722c017aa3d4ac8fbfcfc66f
+  metadata.gz: 47783d3b02d6948cb19fc4434dff11a980c0fc9f22675a66d2cc6fc34423be7e7b2dc6b4e46f420eaa85755ef14ca8e787dddaa30eacd707837033138239753f
+  data.tar.gz: 405a4389cf9b26a8a8cf6e4e615a04dc2bcf80b6fe71ed7b22c3380c3e5d215e70bab5d3ef8ba78eab20e94e19e74d1dd3c58fe47e118760cae842fbfc1e7c40

data/NOTICE

@@ -1,6 +1,6 @@
 ovpn-key: https://github.com/chillum/ovpn-key
 
-Copyright 2018 Vasily Korytov
+Copyright 2018-2021 Vasily Korytov
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this software except in compliance with the License.

data/README.md

@@ -2,7 +2,7 @@
 
 This utility is designed as [easy-rsa](https://github.com/OpenVPN/easy-rsa) replacement suitable for one exact use case.
 
-It's basically a wrapper around `openssl` to:
+It's basically a wrapper around OpenSSL API to:
 * create a self-signed CA
 * create client and server certificates and pack them to ZIP files along with the OpenVPN config
 * revoke the certificates
@@ -12,9 +12,12 @@ It supports encrypting `.key` files with a passphrase (there is an option to dis
 
 It can be used with a non-self signed CA, just place your `ca.key` and `ca.crt` in the keys directory and skip the `--ca` step.
 
-It can be used to manage a non-OpenVPN CA, in that case `--zip` step will be useless, but all others will work.
+It can be used to manage a non-OpenVPN CA, in that case `--zip` and `--static` steps will be useless, but all others will work.
 
-For now it should be considered experimental and rather undocumented.  
+OpenVPN static keys are supported partially, as they should be used for `tls-auth`/`tls-crypt` only.
+Please note that they are not encrypted regardless of `--nopass` option.
+
+For now this utility should be considered experimental and rather undocumented.  
 If you're brave, [let me know](https://github.com/chillum/ovpn-key/issues), where the problems are.
 
 ### Installation
@@ -25,13 +28,15 @@ If you're brave, [let me know](https://github.com/chillum/ovpn-key/issues), wher
 ### Usage
 
 1. `ovpn-key --init`
-2. edit `ovpn-key.yml` and `openssl.ini`
-3. `ovpn-key --ca --dh --server --nopass`
-4. `ovpn-key --client somebody`
-5. `ovpn-key --revoke somebody`
-6. add a file with `.ovpn` extension to the directory  
+2. edit `ovpn-key.yml`
+3. `ovpn-key --ca --dh`
+4. `ovpn-key --server --nopass`
+5. `ovpn-key --client somebody [--nopass]`
+6. `ovpn-key --revoke somebody`
+7. `ovpn-key --static` (generates `ta.key`)
+8. add a file with `.ovpn` extension to the directory  
    it should contain every setting except for `cert` and `key`
-7. `ovpn-key --zip somebody-else`
+9. `ovpn-key --zip somebody-else [--nopass]`
 
 ### Configuration
 

data/bin/ovpn-key

@@ -1,76 +1,82 @@
-#! /usr/bin/env ruby
-require 'optparse'
+#! /usr/bin/env ruby -w
+# frozen_string_literal: true
+
 require 'fileutils'
+require 'io/console'
+require 'openssl'
+require 'optparse'
 require 'yaml'
 require 'zip'
-require_relative '../lib/version.rb'
-require_relative '../lib/functions.rb'
+require_relative '../lib/version'
+require_relative '../lib/functions'
 
-SSL_CONF = 'openssl.ini'
 APP_CONF = 'ovpn-key.yml'
+CRL_FILE = 'crl.pem'
+SERIAL_FILE = 'serial'
 
 options = {}
 OptionParser.new do |opts|
-  opts.banner = "Usage: #{File.basename $0} <options> [--nopass]"
-  opts.on("--init [directory]", "Init a CA directory (defaults to current)") do |v|
-    options[:init] = v ? v : "."
+  opts.banner = "Usage: #{File.basename $PROGRAM_NAME} <options> [--nopass]"
+  opts.on('--init [directory]', 'Init a CA directory (defaults to current)') do |v|
+    options[:init] = v || '.'
   end
-  opts.on("--ca", "Generate a CA (ca.crt)") do |v|
+  opts.on('--ca', 'Generate a CA (ca.crt)') do |v|
     check_crt('ca')
     options[:generate_ca] = v
   end
-  opts.on("--dh", "Generate a DH keyfile (dh.pem)") do |v|
+  opts.on('--dh', 'Generate a DH keyfile (dh.pem)') do |v|
     # it's safe to overwrite this file
     options[:generate_dh] = v
   end
-  opts.on("--server [name]", "Generate a server key (defaults to 'server')") do |v|
-    options[:generate_server] = v ? v : "server"
+  opts.on('--static', 'Generate OpenVPN static key (ta.key)') do |v|
+    options[:generate_static] = v
+    check_crt('ta')
+  end
+  opts.on('--server [name]', "Generate a server key (defaults to 'server')") do |v|
+    options[:generate_server] = v || 'server'
     check_crt(options[:generate_server])
   end
-  opts.on("--client [name]", "Generate a client key and sign it") do |v|
+  opts.on('--client [name]', 'Generate a client key and sign it') do |v|
     check_client(v)
     options[:generate_client] = v
   end
-  opts.on("--zip    [name]", "Ditto plus pack it to ZIP with OpenVPN config") do |v|
+  opts.on('--zip    [name]', 'Ditto plus pack it to ZIP with OpenVPN config') do |v|
     check_client(v)
     options[:generate_zip] = v
   end
-  opts.on("--revoke [name]", "Revoke a certificate (using crl.pem) and delete it") do |v|
-    abort "Please specify what certificate to revoke" unless v
+  opts.on("--revoke [name]', 'Revoke a certificate (using #{CRL_FILE}) and delete it") do |v|
+    abort 'Please specify what certificate to revoke' unless v
     options[:revoke] = v
   end
-  opts.on("--nopass", "Don't protect .key files with a password") do |v|
+  opts.on('--nopass', "Don't protect .key files with a password") do |v|
     options[:no_password] = v
   end
 end.parse!
-if ARGV.length > 0
-  abort "Error: invalid args: #{ARGV.join ' '}\nSee `#{File.basename $0} -h` for help"
+if ARGV.length.positive?
+  abort "Error: invalid args: #{ARGV.join ' '}\nSee `#{File.basename $PROGRAM_NAME} -h` for help"
 end
-unless options[:init] || options[:generate_ca] || options[:generate_dh] || options[:generate_server] \
-  || options[:generate_client] || options[:generate_zip] || options[:revoke]
-  abort "See `#{File.basename $0} -h` for usage"
+unless options[:init] || options[:generate_ca] || options[:generate_dh] || options[:generate_static] \
+  || options[:generate_server] || options[:generate_client] || options[:generate_zip] || options[:revoke]
+  abort "See `#{File.basename $PROGRAM_NAME} -h` for usage"
 end
-if options[:generate_client] and options[:generate_zip]
+if options[:generate_client] && options[:generate_zip]
   # I assume that user likely wants one of them and is confused with usage
-  abort "There can be only one: --client or --zip"
+  abort 'There can be only one: --client or --zip'
 end
-umask = File.umask 0077
+umask = File.umask 0o077
 
 if options[:init]
   unless options[:init] == '.'
     create_dir options[:init]
     Dir.chdir options[:init]
   end
-  ['certs', 'meta'].each {|dir| create_dir dir}
-  ['meta/index.txt', 'meta/index.txt.attr', 'meta/serial', SSL_CONF, APP_CONF].each {|file|
-    unless File.exist? file
-      FileUtils.copy_file(File.expand_path("defaults/#{file}", "#{__dir__}/.."), "./#{file}")
-      puts "Created file: #{file}"
-    end
-  }
+  unless File.exist? APP_CONF
+    FileUtils.copy_file(File.expand_path("defaults/#{APP_CONF}", "#{__dir__}/.."), "./#{APP_CONF}")
+    puts "Created file: #{APP_CONF}"
+  end
 elsif !File.exist? APP_CONF
   begin
-    rc = YAML.load_file(File.expand_path "~/.#{APP_CONF}")
+    rc = YAML.load_file(File.expand_path("~/.#{APP_CONF}"))
   rescue Errno::ENOENT
     # no configuration file in home directory is not an error
   end
@@ -80,28 +86,82 @@ end
 begin
   settings = YAML.load_file(APP_CONF)
 rescue Errno::ENOENT
-  abort "Run `#{File.basename $0} --init` before generating certificates"
+  abort "Run `#{File.basename $PROGRAM_NAME} --init` before generating certificates"
 end
 ZIP_DIR  = settings['zip_dir']  || '~'
-OPENSSL  = settings['openssl']  || 'openssl'
-KEY_SIZE = settings['key_size'] || 2048
+OPENVPN  = settings['openvpn']  || 'openvpn'
 ENCRYPT  = settings['encrypt']  || 'aes128'
+DIGEST   = settings['digest']   || 'sha256'
+KEY_SIZE = settings['key_size'] || 2048
 CN_CA    = settings['ca_name']  || 'Certification Authority'
-REQ      = settings['details']
+
+unless settings['ca_days'].nil?
+  if settings['expire'].nil?
+    puts 'Migrating pre-0.8 configuration to new format: ca_days'
+    puts "WARNING: if you tweaked `default_days` or `default_days_crl` in #{SSL_CONF}, edit #{APP_CONF}"
+    File.open(APP_CONF, 'a') do |f|
+      f.write "# ca_days is not used anymore, you can remove it\nexpire:\n"
+      f.write "  ca:     #{settings['ca_days']}\n  crl:    3650\n  server: 3650\n  client: 3650\n"
+    end
+  else
+    puts "WARNING: `ca_days` setting is deprecated, remove it from #{APP_CONF}"
+  end
+end
+
+settings['expire']           ||= {}
+settings['expire']['ca']     ||= settings['ca_days'] || 3650
+settings['expire']['crl']    ||= 3650
+settings['expire']['server'] ||= 3650
+settings['expire']['client'] ||= 3650
+EXPIRE = settings['expire']
+
+if settings['x509'].nil? && !settings['details'].nil?
+  puts 'Migrating pre-0.8 configuration to new format: details'
+  REQ = OpenSSL::X509::Name.parse(settings['details']).to_a
+  File.open(APP_CONF, 'a') do |f|
+    f.write "# details is not used anymore, you can remove it\nx509:\n"
+    REQ.map {|i, j| f.write "  #{i}: #{j}\n" }
+  end
+else
+  REQ = settings['x509']
+  puts "WARNING: `details` section is deprecated, remove it from #{APP_CONF}" unless settings['details'].nil?
+end
+if settings['openssl']
+  puts "WARNING: `openssl` setting is deprecated, remove it from #{APP_CONF}"
+end
+
+if !File.exist?(SERIAL_FILE) && File.exist?('meta/serial')
+  FileUtils.copy_file('meta/serial', SERIAL_FILE)
+  puts 'Copied meta/serial to serial'
+end
+%w[certs meta].each {|dir|
+  puts "WARNING: #{dir} directory is not used anymore. you can remove it" if File.exist? dir
+}
+if File.exist? 'openssl.ini'
+  puts 'WARNING: openssl.ini file is not used anymore. you can remove it'
+end
 
 if options[:generate_ca]
-  gen_key('ca', 'ca', options[:no_password])
-  sign_key('ca', 'ca', CN_CA)
-  gen_crl
+  ca_pass = options[:no_password] ? nil : ask_password('ca')
+  gen_key('ca', ca_pass)
+  sign_key('ca', CN_CA, ca_pass)
+  gen_crl(ca_pass)
 end
 if options[:generate_dh]
-  exe "#{OPENSSL} dhparam -out dh.pem #{KEY_SIZE}"
+  File.open('dh.pem', 'w') do |f|
+    print 'Generating dh.pem. This will take a while'
+    f.write OpenSSL::PKey::DH.new(KEY_SIZE)
+    puts '. Done'
+  end
+end
+if options[:generate_static]
+  exe "#{OPENVPN} --genkey --secret ta.key"
 end
 if options[:generate_server]
-  gen_and_sign('server', options[:generate_server], options[:no_password])
+  gen_and_sign('server', options[:generate_server], options[:no_password] ? nil : ask_password(options[:generate_server]))
 end
 if options[:generate_client]
-  gen_and_sign('client', options[:generate_client], options[:no_password])
+  gen_and_sign('client', options[:generate_client], options[:no_password] ? nil : ask_password(options[:generate_client]))
 end
 if options[:generate_zip]
   ovpn_files = Dir['*.ovpn']
@@ -109,28 +169,27 @@ if options[:generate_zip]
   when 1
     ovpn_file = ovpn_files.first
   when 0
-    abort "No .ovpn file in current directory, please add one"
+    abort 'No .ovpn file in current directory, please add one'
   else
-    abort "More than one .ovpn files in current directory, aborting"
+    abort 'More than one .ovpn files in current directory, aborting'
   end
 
-  gen_and_sign('client', options[:generate_zip], options[:no_password])
+  gen_and_sign('client', options[:generate_zip], options[:no_password] ? nil : ask_password(options[:generate_zip]))
 
   zip_file = File.join(File.expand_path(ZIP_DIR), "#{File.basename ovpn_file, '.ovpn'}.tblk.zip")
   File.delete(zip_file) if File.exist?(zip_file)
   File.umask umask
   Zip::File.open(zip_file, Zip::File::CREATE) do |zip|
     zip.get_output_stream(ovpn_file) {|f|
-      File.open(ovpn_file).each {|line| f.write line}
+      f.write File.read(ovpn_file)
       f.write "cert #{options[:generate_zip]}.crt\nkey #{options[:generate_zip]}.key\n"
     }
-    [ 'ca.crt', "#{options[:generate_zip]}.crt", "#{options[:generate_zip]}.key"].each {|i|
+    ['ca.crt', "#{options[:generate_zip]}.crt", "#{options[:generate_zip]}.key"].each {|i|
       zip.add(i, i)
     }
+    zip.add('ta.key', 'ta.key') if File.exist? 'ta.key'
   end
 end
 if options[:revoke]
-  exe "#{OPENSSL} ca -revoke '#{options[:revoke]}.crt' -config #{SSL_CONF}"
-  gen_crl
-  ['crt', 'key'].each {|ext| File.delete "#{options[:revoke]}.#{ext}"}
+  revoke(options[:revoke])
 end

data/defaults/ovpn-key.yml

@@ -1,6 +1,17 @@
 zip_dir:  '~'
-openssl:  openssl
+openvpn:  openvpn
+encrypt:  AES128
+digest:   SHA256
 key_size: 2048
-encrypt:  aes128
+expire: # days
+  ca:     3650
+  crl:    3650
+  server: 3650
+  client: 3650
 ca_name:  Certification Authority
-details:  /C=US/ST=CA/L=San Francisco/O=Dva Debila/OU=OpenVPN
+x509:
+  C:  US
+  ST: CA
+  L:  San Francisco
+  O:  Dva Debila
+  OU: OpenVPN

data/lib/functions.rb

@@ -1,48 +1,144 @@
-def check_crt filename
-  ['key', 'crt'].each {|ext|
+# frozen_string_literal: true
+
+def check_crt(filename)
+  %w[key crt].each {|ext|
     abort "#{filename}.#{ext} already exists, exiting" if File.exist? "#{filename}.#{ext}"
   }
 end
 
-def check_client name
-  abort "Error: client should have an alphanumeric name" unless name
+def check_client(name)
+  abort 'Error: client should have an alphanumeric name' unless name
   check_crt(name)
 end
 
-def exe cmd
-  system(cmd) or abort "error executing: #{cmd}"
+def exe(cmd)
+  system(cmd) || abort("error executing: #{cmd}")
 end
 
-def gen_and_sign type, certname, no_password
-  gen_key(type, certname, no_password)
-  sign_key(type, certname, certname)
+def ask_password(name)
+  password = ''
+  loop do
+    print "Enter password for #{name}.key: "
+    password = $stdin.noecho(&:gets).chomp
+    puts # trailing newline
+    break unless password.empty?
+  end
+  password
 end
 
-def gen_key type, certname, no_password
-  if no_password
-    exe "#{OPENSSL} genrsa -out '#{certname}.key' #{KEY_SIZE} -config #{SSL_CONF} -extensions ext.#{type}"
-  else
-    exe "#{OPENSSL} genrsa -#{ENCRYPT} -out '#{certname}.key' #{KEY_SIZE} -config #{SSL_CONF} -extensions ext.#{type}"
-  end
+def gen_and_sign(type, certname, password)
+  gen_key(certname, password)
+  sign_key(type, certname, password)
 end
 
-def sign_key type, certname, cn
-  if certname == 'ca'
-    exe "#{OPENSSL} req -new -x509 -key '#{certname}.key' -out '#{certname}.crt' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type}"
-  else
-    exe "#{OPENSSL} req -new -key '#{certname}.key' -out '#{certname}.csr' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type}"
-    exe "#{OPENSSL} ca -in '#{certname}.csr' -out '#{certname}.crt' -config #{SSL_CONF} -extensions ext.#{type} -batch"
-    File.delete "#{certname}.csr"
+def gen_key(certname, password)
+  key = OpenSSL::PKey::RSA.new(KEY_SIZE)
+  File.open("#{certname}.key", 'w') do |f|
+    f.write password ? key.to_pem(OpenSSL::Cipher.new(ENCRYPT), password) : key
   end
 end
 
-def gen_crl
-  exe "#{OPENSSL} ca -gencrl -out crl.pem -config #{SSL_CONF}"
+# type is one of: 'ca', 'server', 'client'
+# rubocop:disable Naming/MethodParameterName
+def sign_key(type, cn, password)
+  # rubocop:enable Naming/MethodParameterName
+  certname = type == 'ca' ? 'ca' : cn
+  key = OpenSSL::PKey::RSA.new File.read("#{certname}.key"), password
+  subj = OpenSSL::X509::Name.new([['CN', cn]] + REQ.to_a)
+  serial = begin
+    File.read(SERIAL_FILE).to_i
+  rescue Errno::ENOENT
+    0
+  end + 1
+
+  cert = OpenSSL::X509::Certificate.new
+  cert.version = 2
+  cert.serial = serial
+  cert.not_before = Time.now
+  cert.not_after =
+    Time.now +
+    case type
+    when 'ca'
+      EXPIRE['ca']
+    when 'server'
+      EXPIRE['server']
+    when 'client'
+      EXPIRE['client']
+      # days to seconds
+    end * 86_400
+  cert.public_key = key.public_key
+  cert.subject = subj
+  cert.issuer = OpenSSL::X509::Name.new([['CN', CN_CA]] + REQ.to_a)
+
+  ef = OpenSSL::X509::ExtensionFactory.new nil, cert
+  ef.issuer_certificate = cert
+
+  cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
+  cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid,issuer:always')
+  cert.add_extension ef.create_extension('basicConstraints', type == 'ca' ? 'CA:true' : 'CA:false')
+
+  case type
+  when 'ca'
+    cert.add_extension ef.create_extension('keyUsage', 'cRLSign,keyCertSign')
+    cert.sign key, OpenSSL::Digest.new(DIGEST)
+  when 'server'
+    cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,digitalSignature')
+    cert.add_extension ef.create_extension('extendedKeyUsage', 'serverAuth')
+  when 'client'
+    cert.add_extension ef.create_extension('keyUsage', 'digitalSignature')
+    cert.add_extension ef.create_extension('extendedKeyUsage', 'clientAuth')
+  end
+  unless type == 'ca'
+    ca_key = begin
+      OpenSSL::PKey::RSA.new File.read('ca.key'), ask_password('ca')
+    rescue OpenSSL::PKey::RSAError
+      retry
+    end
+    cert.sign ca_key, OpenSSL::Digest.new(DIGEST)
+  end
+
+  File.open(SERIAL_FILE, 'w') {|f| f.write serial }
+  File.open("#{certname}.crt", 'w') {|f| f.write cert.to_pem }
 end
 
-def create_dir name
-  unless Dir.exist? name
-    Dir.mkdir name
-    puts "Created directory: #{name}"
+def revoke(certname)
+  crl = OpenSSL::X509::CRL.new(File.read(CRL_FILE))
+  cert = OpenSSL::X509::Certificate.new(File.read("#{certname}.crt"))
+  revoke = OpenSSL::X509::Revoked.new.tap {|rev|
+    rev.serial = cert.serial
+    rev.time = Time.now
+  }
+  crl.next_update = Time.now + EXPIRE['crl'] * 86_400 # days to seconds
+  crl.add_revoked(revoke)
+  begin
+    update_crl(crl, ask_password('ca'))
+  rescue OpenSSL::PKey::RSAError
+    retry
   end
+
+  %w[crt key].each {|ext| File.delete "#{certname}.#{ext}" }
+end
+
+def gen_crl(ca_pass)
+  return if File.exist? CRL_FILE
+
+  crl = OpenSSL::X509::CRL.new
+  crl.issuer = OpenSSL::X509::Name.new([['CN', CN_CA]] + REQ.to_a)
+  update_crl(crl, ca_pass)
+end
+
+def update_crl(crl, ca_pass)
+  ca_key = OpenSSL::PKey::RSA.new File.read('ca.key'), ca_pass
+  crl.last_update = Time.now
+  crl.next_update = Time.now + EXPIRE['crl'] * 86_400 # days to seconds
+  crl.version = crl.version + 1
+  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
+  File.open(CRL_FILE, 'w') {|f| f.write crl.to_pem }
+end
+
+def create_dir(name)
+  return if Dir.exist? name
+
+  Dir.mkdir name
+  puts "Created directory: #{name}"
 end

data/lib/version.rb

@@ -1 +1,3 @@
-::Version = '0.7.2'
+# frozen_string_literal: true
+
+::VERSION = '0.8'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ovpn-key
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: '0.8'
 platform: ruby
 authors:
 - Vasily Korytov
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-09-25 00:00:00.000000000 Z
+date: 2021-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubyzip
@@ -16,16 +16,17 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
-description: ''
-email: vasily.korytov@icloud.com
+        version: '2.0'
+description: Generates and revokes certificates, also packs them to ZIP files with
+  OpenVPN configuration
+email: v.korytov@outlook.com
 executables:
 - ovpn-key
 extensions: []
@@ -34,10 +35,6 @@ files:
 - NOTICE
 - README.md
 - bin/ovpn-key
-- defaults/meta/index.txt
-- defaults/meta/index.txt.attr
-- defaults/meta/serial
-- defaults/openssl.ini
 - defaults/ovpn-key.yml
 - lib/functions.rb
 - lib/version.rb
@@ -45,7 +42,7 @@ homepage: https://github.com/chillum/ovpn-key
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -53,16 +50,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.0'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Key management utility for OpenVPN
 test_files: []

data/defaults/meta/index.txt.attr

@@ -1 +0,0 @@
-unique_subject = yes

data/defaults/meta/serial

@@ -1 +0,0 @@
-01

data/defaults/openssl.ini

@@ -1,49 +0,0 @@
-[req]
-default_md = sha256
-distinguished_name = dn.ovpn
-days = 3650
-
-[dn.ovpn]
-CN          = Certificate name (required)
-
-[ca]
-default_ca  = ca.ovpn
-
-[ca.ovpn]
-default_md  = sha256
-private_key = ca.key
-certificate = ca.crt
-database    = meta/index.txt
-serial      = meta/serial
-crl         = crl.pem
-policy      = policy.ovpn
-# create this directory if changing this value
-new_certs_dir    = certs
-default_days     = 3650
-default_crl_days = 3650
-subjectKeyIdentifier   = hash
-authorityKeyIdentifier = keyid,issuer:always
-
-[ext.ca]
-basicConstraints = CA:true
-
-[ext.server]
-basicConstraints = CA:false
-nsCertType       = server
-extendedKeyUsage = serverAuth
-keyUsage         = digitalSignature, keyEncipherment
-
-[ext.client]
-basicConstraints = CA:false
-extendedKeyUsage = clientAuth
-keyUsage         = digitalSignature
-
-[policy.ovpn]
-commonName             = supplied
-countryName            = optional
-stateOrProvinceName    = optional
-localityName           = optional
-organizationName       = optional
-organizationalUnitName = optional
-name                   = optional
-emailAddress           = optional