Friday, September 4, 2009

openVPN easyrsa batch em "build-key"

We were deploying a solution for our customer, Pizza Hut/KFC Malaysia which deploy pfSense as a VPN gateway and firewall to a little under 300 outlets in Malaysia.

Each outlet has a unique “storeID” which is then required to run OpenVPN daemon at the background and fires a connection whenever a layer 2 link is established.

To create under 300 certificates using OpenVPN’s (v2.x.x) easyrsa scripts on a CentOS clients isn’t funny. So being a lazy ass, i wrote a simple way to help to create these files fast!

Assuming you’ve got the whole works with OpenVPN and pfSense sorted. If not read this great document here. Once you’ve got the server side done on pfSense, you will need to generate more keys for (in this case, Pizza Hut’s) 300 branches peer certificates.

Snail factor

  • Build-key prompts amongst other things the commonName or server name each time a certificate is to be generated

What is needed?

  • To create store certificates that automatically creates the certificates without prompt and also using a $variable$ to “insert” the commonName value. This means, a certificate will be created with the storeID.key and storeID.crt and the storeID.csr

How - Conceptually?

  1. Automate the build-key file to disable prompts
  2. Fire a variable into the system to pickup the $variable$ which then will be the filename and the commonName

How – Technically

(Assumptions – easyrsa is in /etc/openvpn/easyrsa and keys are in /etc/openvpn/easyrsa/keys. In /easyrsa, you have all the scripts like build-ca, build-key)

Create a file called build_batch into /etc/openvpn/easyrsa with the following lines. Make the file executable chmod +x build_batch


if test $# -ne 1; then
echo "usage: batch-build <name>";
exit 1
export KEY_CNAME=$1
./build-key $1

Now, edit (nano/vi) the openssl.cnf file in the /etc/openvpn/easyrsa look for the following lines

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

Add a new line like below and save the file.

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

# Add this line below
commonName_default        = $ENV::KEY_CNAME

Now, edit (nano/vi) the build-key in that same directory. At the end of the openssl –req and openssl ca statements, add the –batch argument.

This is how part of the original file look like

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \

We modify to add –batch at some part of the line like below and save the file

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -batch -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -batch -config $KEY_CONFIG && \

Now you’re ready to run in batch. But before that, please feed the vars in the environment like below in /etc/openvpn/easyrsa

source vars

Run a sample like below

./build_batch test01

This will build the test01.crt, test01.csr and test01.key automatically in /etc/openvpn/easyrsa/keys with the commonName test01 also :)


Now, if you want to do lots of these, use this Excel below


Use the Excel file (build-cert sheet) to generate script lines (see the excel sample) so you can copy and paste into a SSH remote session in the appropriate directory.

Copy in batch up to 50 lines (within buffer) from the copypaster column and paste via a SSH session into the /etc/openvpn/easyrsa and it will generate without prompting anything. Quick and easy.


To remove/revoke certs, do the same but use the Excel’s revoke-cert sheet.


<Ignore CRL/STR_COPY issues, i don’t have CRLs defined>

If things mess up a lot, just run. Warning, this will remove your CA, server and dh information which you then need to repopulate inside pfSense.


After clean-all you must recreate all below


Then re run the above stuff.

Post a Comment