cdist-type__easy_rsa_cert(7)
============================

NAME
----
cdist-type__easy_rsa_cert - Manage a server or client key pair.


DESCRIPTION
-----------
This type manages private keys and certificates using Easy-RSA.
The certificate type (server or client) can be defined using ``--cert-type``.

As a prerequisite the :strong:`cdist-type__easy_rsa_pki`\ (7) and
:strong:`cdist-type__easy_rsa_ca`\ (7) must have created a PKI structure and
Certificate Authority (CA) in said directory beforehand.

**NB:** This type will neither update an existing certificate's subject nor
other parameters if the object's parameters are changed at a later point in
time.


REQUIRED PARAMETERS
-------------------
cert-type
    The type of the certificate, either ``server`` or ``client``.
dir
    Full path of the corresponding Easy-RSA PKI structure (as created by
    :strong:`cdist-type__easy_rsa_pki`\ (7)).


OPTIONAL PARAMETERS
-------------------
cert-expiration-days
    Days until expiration of the certificate.
common-name
    The Common Name (CN) for this CA.
    Defaults to ``__object_id``.
digest
    The digest to use for the CA.
    Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
key-size
    The keysize to use for the request.
state
    Possible values:

    signed
        the certificate has been created and signed by the CA.
    valid
        like signed, but will renew the certificate if it expired.
        *NB:* Easy-RSA will also generate a new private key when renewing the
        certificate.
    revoked
        either the certificate is not defined, or it will be revoked.

    Default is: ``signed``.
use-algo
    The algorithm to use.
    Possible values:

    rsa
        RSA mode.
    ec
        Elliptic Curve Cryptography mode.

    Default is: ``rsa``.


The following optional parameters correspond to the default values in
organisational fields (only used if the PKI's DN mode is set to ``org``):

country
    Country.
province
    Province.
city
    City.
org
    Organisation.
org-unit
    Organisational unit.
email
    Email.


BOOLEAN PARAMETERS
------------------
None.


EXAMPLES
--------

.. code-block:: sh

    # server certificate
    __easy_rsa_cert openvpn-server \
        --dir /etc/easy-rsa \
        --cert-type server

    # client certificate
    __easy_rsa_cert janedoe \
        --dir /etc/easy-rsa \
        --cert-type client
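
The ``state`` values described above depend on whether a certificate is signed, expired or revoked. As an added example (not part of this type or of cdist), the shell function below reads the OpenSSL CA database ``index.txt`` that Easy-RSA keeps in its PKI directory and reports that status for one Common Name; an ``expired`` result is the case that ``--state valid`` renews. The function names, the constructed sample data and the rule that the last matching entry wins are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the cdist type.
# usage: cert_status INDEX_FILE COMMON_NAME [NOW]
#   INDEX_FILE  path to the CA database index.txt ("-" reads stdin)
#   NOW         reference time as YYYYMMDDHHMMSS in UTC (default: current time)
# prints one of: good, expired, revoked, absent
cert_status() {
    db=$1 cn=$2 now=${3:-$(date -u +%Y%m%d%H%M%S)}
    awk -F '\t' -v cn="$cn" -v now="$now" '
        # Normalise the expiry field to YYYYMMDDHHMMSS.
        function expiry(s) {
            sub(/Z$/, "", s)
            # UTCTime carries a 2-digit year: 00-49 => 20xx, 50-99 => 19xx
            if (length(s) == 12) s = ((substr(s, 1, 2) + 0 < 50) ? "20" : "19") s
            return s
        }
        {
            # Field 6 is the subject DN, e.g. /C=CH/O=Example/CN=name
            n = split($6, rdn, "/")
            name = ""
            for (i = 1; i <= n; i++)
                if (rdn[i] ~ /^CN=/) name = substr(rdn[i], 4)
            if (name != cn) next
            # Field 1 is the status flag: V(alid), R(evoked), E(xpired)
            if ($1 == "R") st = "revoked"
            else if ($1 == "E" || expiry($2) <= now) st = "expired"
            else st = "good"
            # Assumption: entries are appended, so the last match is the newest.
            result = st
        }
        END { print (result == "" ? "absent" : result) }
    ' "$db"
}

# Constructed sample database (tab-separated fields), for demonstration only.
sample_index() {
    printf 'V\t300101000000Z\t\t01\tunknown\t/CN=openvpn-server\n'
    printf 'V\t200101000000Z\t\t02\tunknown\t/CN=janedoe\n'
    printf 'R\t300101000000Z\t210101000000Z\t03\tunknown\t/C=CH/O=Example/CN=old-client\n'
}
```

Run it as ``sample_index | cert_status - janedoe`` against the sample, or point it at the ``index.txt`` of a real PKI directory.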


SEE ALSO
--------
:strong:`cdist-type__easy_rsa_pki`\ (7),
:strong:`cdist-type__easy_rsa_ca`\ (7)


AUTHORS
-------
| Marko Seric <marko.seric--@--ssrq-sds-fds.ch>
| Beni Ruef <bernhard.ruef--@--ssrq-sds-fds.ch>
| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>


COPYING
-------
Copyright \(C) 2020 the AUTHORS. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.