Each outlet has a unique “storeID” which is then required to run OpenVPN daemon at the background and fires a connection whenever a layer 2 link is established.

To create under 300 certificates using OpenVPN’s (v2.x.x) easyrsa scripts on a CentOS clients isn’t funny. So being a lazy ass, i wrote a simple way to help to create these files fast!

Assuming you’ve got the whole works with OpenVPN and pfSense sorted. If not read this great document here. Once you’ve got the server side done on pfSense, you will need to generate more keys for (in this case, Pizza Hut’s) 300 branches peer certificates.

Snail factor

• Build-key prompts amongst other things the commonName or server name each time a certificate is to be generated

What is needed?

• To create store certificates that automatically creates the certificates without prompt and also using a $variable$ to “insert” the commonName value. This means, a certificate will be created with the storeID.key and storeID.crt and the storeID.csr

How – Conceptually?

1. Automate the build-key file to disable prompts
2. Fire a variable into the system to pickup the $variable$ which then will be the filename and the commonName

How – Technically

(Assumptions – easyrsa is in /etc/openvpn/easyrsa and keys are in /etc/openvpn/easyrsa/keys. In /easyrsa, you have all the scripts like build-ca, build-key)

Create a file called build_batch into /etc/openvpn/easyrsa with the following lines. Make the file executable chmod +x build_batch

Now, edit (nano/vi) the openssl.cnf file in the /etc/openvpn/easyrsa look for the following lines

Add a new line like below and save the file.

Now, edit (nano/vi) the build-key in that same directory. At the end of the openssl –req and openssl ca statements, add the –batch argument.

This is how part of the original file look like

We modify to add –batch at some part of the line like below and save the file

Now you’re ready to run in batch. But before that, please feed the vars in the environment like below in /etc/openvpn/easyrsa

Run a sample like below

This will build the test01.crt, test01.csr and test01.key automatically in /etc/openvpn/easyrsa/keys with the commonName test01 also

Done.

Now, if you want to do lots of these, use this Excel below

Use the Excel file (build-cert sheet) to generate script lines (see the excel sample) so you can copy and paste into a SSH remote session in the appropriate directory.

Copy in batch up to 50 lines (within buffer) from the copypaster column and paste via a SSH session into the /etc/openvpn/easyrsa and it will generate without prompting anything. Quick and easy.

To remove/revoke certs, do the same but use the Excel’s revoke-cert sheet.

If you get issues where the script says it can’t find certificates (but have removed the commonName out of its database) simply go to /keys and manually delete the relevant keys e.g. store1.csr, store1.key and store1.crt.

If things mess up a lot, just run. Source ./vars again loads env variables properly.

Warning, this will remove your CA, server and dh information which you then need to repopulate inside pfSense.

So, if you want to save those, simply do not remove all ca.* <server>.* dh*. Copy them somewhere safe and place them back into /keys to “restore”.

But, if you want to start all over again, you can run the above ./clean-all but and that should remove everything in /keys and reset the database appropriately. Then you must recreate all below

Then re run the above stuff.