CA key length is configurable (minimum 4096)

2020-05-04 18:53:14 +02:00 · 2020-05-04 18:53:14 +02:00 · 21182a8dcf
parent b03e77d307
commit 21182a8dcf
2 changed files with 9 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * Create a changelog
 * Add a version number and `version` command
 * Accept a `password-file` command line option to read password from a file
+* CA key length is configurable (minimum 4096)

 ### Changed

--- a/9
+++ b/9
@ -55,7 +55,7 @@ init() {
    if [ ! -f "${CA_KEY}" ]; then
        "${OPENSSL_BIN}" genrsa \
            -out "${CA_KEY}" \
-            -aes256 4096 \
+            -aes256 ${CA_KEY_LENGTH} \
            >/dev/null 2>&1
    fi

@ -604,7 +604,14 @@ main() {
    PKCS12_DIR="${CA_DIR}/pkcs12"
    OVPN_DIR="${CA_DIR}/openvpn"

+    CA_KEY_LENGTH=4096
+    if [ "${CA_KEY_LENGTH}" -lt 4096 ]; then
+        error "CA key must be at least 4096 bits long."
+    fi
    KEY_LENGTH=2048
+    if [ "${KEY_LENGTH}" -lt 2048 ]; then
+        error "User key must be at least 2048 bits long."
+    fi

    OPENSSL_BIN=$(command -v openssl)
    SUFFIX=$(/bin/date +"%s")