OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Integrate Easy-RSA TLS-Key for use with 'init-pki soft' #1220

Closed TinCanTech closed 1 week ago

TinCanTech commented 2 weeks ago

The primary use of 'init-pki soft' is to present a simple way to renew an expired CA Certificate. The method Easy-RSA uses is to create a new CA and sign old Requests.

Key(1): pki/private/easyrsa-tls.key - Singular Easy-RSA TLS key.
Key(2): pki/easyrsa-keepsafe-tls.key - Created by 'init-pki soft'.

The Easy-RSA TLS Key(1) in use is not changed by this method. Also, this TLS Key(1) is private data, therefore, it is not added to new inline files. This allows the new inline files to be easily distributed, without leaking security data.

All members of the VPN in use have a local copy of the TLS Key(1). This Key(1) can either be added to the OpenVPN config file, using option '--tls-auth/--tls-crypt', or be pasted into the inline file locally.

This patch integrates the Easy-RSA TLS Key into 'init-pki soft' by recreating the key(2) after the PKI has been reset. However, the key(2) is recreated by a different file-name, to ensure that it is not included with newly generated inline files.

After building a new CA, the TLS key(2) is copied to the original key(1). However, these TLS keys will be omitted from new inline files until the key(2), created by 'init-pki soft', is deleted.

All inline files that contain private keys are written to sub-dir 'pki/inline/private'. All inline files that do NOT contain any private keys are written to 'pki/inline'.

Also, minimise some 'case' statements, plus other minor improvements.
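The renewal flow described in this PR, re-done with plain openssl in a scratch directory as an added illustration (this is not easy-rsa's own code and does not call easyrsa): an old PKI with a CA, one client request and a TLS key; a soft reset that drops the CA and issued certs but keeps the requests, the client key and a keepsafe copy of the TLS key; a new CA that signs the old request; and inline files that withhold the TLS key while the keepsafe copy exists. The key file-names follow the comment above; the inline layout, the <tls-crypt> tag, and the random bytes standing in for an OpenVPN static key are assumptions of this example (openvpn --genkey is not assumed to be installed).

```shell
#!/bin/sh
# Added illustration, not easy-rsa code: the 'init-pki soft' renewal flow
# re-done with plain openssl in a scratch directory.
#   1. an old PKI: CA, one client request + key, and the TLS key (key(1))
#   2. a soft reset: CA and issued certs go, requests and keys stay, and the
#      TLS key is kept back as key(2) under a name inline generation ignores
#   3. a new CA signs the old request, then key(2) is copied back to key(1)
#   4. inline files are written; the TLS key stays out of them while key(2)
#      exists and, once it is deleted, goes only into pki/inline/private
# Assumptions of this example: the inline layout, the <tls-crypt> tag and the
# random stand-in for the TLS key (openvpn --genkey not assumed installed).
set -eu

PKI="$(mktemp -d)/pki"

q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still catches a failure

make_old_pki() {
  mkdir -p "$PKI/private" "$PKI/reqs" "$PKI/issued"
  # stand-in for the expired CA; it only needs to exist for this walk-through
  q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Old CA" \
      -keyout "$PKI/private/ca.key" -out "$PKI/ca.crt"
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
      -keyout "$PKI/private/client1.key" -out "$PKI/reqs/client1.req"
  openssl rand -hex 64 > "$PKI/private/easyrsa-tls.key"   # constructed key(1)
}

soft_reset() {
  # everything tied to the old CA is dropped; requests and client keys survive
  rm -f "$PKI/ca.crt" "$PKI/ca.srl" "$PKI/private/ca.key" "$PKI/issued"/*
  # key(2): the same material as key(1), but under a name outside pki/private
  # so that freshly generated inline files cannot pick it up
  mv "$PKI/private/easyrsa-tls.key" "$PKI/easyrsa-keepsafe-tls.key"
}

build_new_ca_and_resign() {
  q openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=New CA" \
      -keyout "$PKI/private/ca.key" -out "$PKI/ca.crt"
  # the old request is signed as-is: the client key is never reissued
  q openssl x509 -req -in "$PKI/reqs/client1.req" -CA "$PKI/ca.crt" \
      -CAkey "$PKI/private/ca.key" -CAcreateserial -days 365 \
      -out "$PKI/issued/client1.crt"
  cp "$PKI/easyrsa-keepsafe-tls.key" "$PKI/private/easyrsa-tls.key"  # key(2) -> key(1)
}

# write_inline NAME: pki/inline/NAME.inline holds only public data (ca + cert);
# pki/inline/private/NAME.inline adds the client key, and the TLS key only
# after the keepsafe copy (key(2)) has been deleted
write_inline() {
  mkdir -p "$PKI/inline/private"
  pub="$PKI/inline/$1.inline"
  priv="$PKI/inline/private/$1.inline"
  { printf '<ca>\n'; cat "$PKI/ca.crt"; printf '</ca>\n<cert>\n'
    cat "$PKI/issued/$1.crt"; printf '</cert>\n'; } > "$pub"
  { cat "$pub"; printf '<key>\n'; cat "$PKI/private/$1.key"; printf '</key>\n'; } > "$priv"
  if [ ! -e "$PKI/easyrsa-keepsafe-tls.key" ] && [ -e "$PKI/private/easyrsa-tls.key" ]; then
    { printf '<tls-crypt>\n'; cat "$PKI/private/easyrsa-tls.key"; printf '</tls-crypt>\n'; } >> "$priv"
  fi
}

has_section() { grep -q "^<$2>" "$1"; }                       # has_section FILE TAG
verify_cert() { q openssl verify -CAfile "$PKI/ca.crt" "$PKI/issued/$1.crt"; }

make_old_pki
soft_reset
build_new_ca_and_resign
write_inline client1
verify_cert client1 && echo "client1.crt now chains to the new CA"
has_section "$PKI/inline/private/client1.inline" tls-crypt \
  || echo "TLS key withheld from inline files while key(2) exists"
rm "$PKI/easyrsa-keepsafe-tls.key"
write_inline client1
has_section "$PKI/inline/private/client1.inline" tls-crypt \
  && echo "TLS key now inlined, in pki/inline/private only"
```

The point to take from the run is the ordering: key(2) is removed only after key(1) has been restored under the new CA, so at no time is a distributable file in pki/inline written with the TLS key in it, and the file that does eventually carry it lives under pki/inline/private next to the client key.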