hilfe mein git ist komisch

etc/openvpn/easy-rsa/openssl-easyrsa.cnf

@@ -0,0 +1,149 @@
+# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::EASYRSA_PKI	# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir/certs_by_serial	# default place for new certs.
+
+certificate	= $dir/ca.crt		# The CA certificate
+serial		= $dir/serial		# The current serial number
+crl		= $dir/crl.pem		# The current CRL
+private_key	= $dir/private/ca.key	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= basic_exts		# The extensions to add to the cert
+
+# A placeholder to handle the --copy-ext feature:
+#%COPY_EXTS%	# Do NOT remove or change this line as --copy-ext support requires it
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions	= crl_ext
+
+default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
+default_crl_days	= $ENV::EASYRSA_CRL_DAYS	# how long before next CRL
+default_md	= $ENV::EASYRSA_DIGEST		# use public key default MD
+
+# Note: preserve=no|yes, does nothing for EasyRSA.
+# Use sign-req command option 'preserve' instead.
+preserve	= no			# keep passed DN ordering
+
+# This allows to renew certificates which have not been revoked
+unique_subject	= no
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+serialNumber	= optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits		= $ENV::EASYRSA_KEY_SIZE
+default_keyfile	= privkey.pem
+default_md		= $ENV::EASYRSA_DIGEST
+distinguished_name	= $ENV::EASYRSA_DN
+x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName		= Common Name (eg: your user, host, or server name)
+commonName_max		= 64
+commonName_default	= $ENV::EASYRSA_REQ_CN
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::EASYRSA_REQ_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::EASYRSA_REQ_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::EASYRSA_REQ_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::EASYRSA_REQ_ORG
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= $ENV::EASYRSA_REQ_OU
+
+commonName			= Common Name (eg: your user, host, or server name)
+commonName_max			= 64
+commonName_default		= $ENV::EASYRSA_REQ_CN
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::EASYRSA_REQ_EMAIL
+emailAddress_max		= 64
+
+serialNumber		= Serial-number (eg, device serial-number)
+serialNumber_default	= $ENV::EASYRSA_REQ_SERIAL
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
+#%CA_X509_TYPES_EXTRA_EXTS%	# Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

etc/openvpn/easy-rsa/pki/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUd4INqGTrRX8tpNjILVfLp/FW9JowDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjUxMDA2MTcyNjM1WhcNMzUx
+MDA0MTcyNjM1WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAL0DDWBsUoqQdvX8UytBHfSZYUmPL/dvyYQt/STT
+7cZKsl0OqV2EzqhGJYPmPHcKiBoeEoqaBsHnLa/c6PbGWrvztFXHotYOMW0Jigv2
+KKotB2GT9k7mhrOcUMuu6J6SossJtlekebQkIBXj7N31m+Zs/k5kayeaScg8cCYW
+o7SwP2afUZ7vSsxisAgEnKsq0fousPguGdT5Ooh0TAUEKl/PR69pGMaXD1MQl5wv
+dcJV3X2GhcXpJbAGuhBjcZB/LCFjtlQ+9IDvhcN4rhWNa0LsMoL3sPh/dsdt0G2c
+bxc4+OuLQ42eWcAV0RsTMGofTULcRuXcA3XvTRllgCWplbUCAwEAAaOBkDCBjTAM
+BgNVHRMEBTADAQH/MB0GA1UdDgQWBBTdFqHUghgUs4N1F02DZ5P7TfJYtzBRBgNV
+HSMESjBIgBTdFqHUghgUs4N1F02DZ5P7TfJYt6EapBgwFjEUMBIGA1UEAwwLRWFz
+eS1SU0EgQ0GCFHeCDahk60V/LaTYyC1Xy6fxVvSaMAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAP0X9x4SQFXaR7FEYwjAQ+uX1EtWQP+GhA3MKQI7scQL6
+TxMc/103x7Ty3Sb0tbG9iOMb5v9rXqiLFyzxqZAh4yiLnsJDwe/OlozfkVcGhXcl
+L67q56je+D/PptD6UoWBYvLPPdu8DNaa/0aVsyE0hXIrjnNYNz8Kb9YXLmbxp051
+/5GxpMdonyEOIxQv40lITDH0Ynlx0QiPF0bqDYT5nsMGx8gRTStKL+WMQGi0CHGe
+PoyOFdR0JdJcR6vvr8b+32fHeIZrpwTrqUoUJuR0HtFrhhIF7es9bmw3px1mMd1M
+OJ+fp9iYT1JcKtB6WeV+TOTkfsFzdg+EIqG4os+ZzA==
+-----END CERTIFICATE-----

etc/openvpn/easy-rsa/pki/certs_by_serial/1AD495E082C3D1972625515573003DFE.pem

@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1a:d4:95:e0:82:c3:d1:97:26:25:51:55:73:00:3d:fe
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct  6 17:26:35 2025 GMT
+            Not After : Jan  9 17:26:35 2028 GMT
+        Subject: CN=emy-laptop
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e4:5c:37:61:fa:ac:b0:8a:93:3d:b4:9a:3b:5c:
+                    92:85:da:27:6e:06:d5:c8:3e:fd:a5:68:68:94:7f:
+                    74:c8:b0:b2:8d:f8:d5:b8:17:1f:af:b3:18:23:c3:
+                    09:a0:7c:20:f9:67:67:4c:18:e4:ba:a3:16:b9:8d:
+                    7c:cd:ea:86:0e:42:24:00:db:cb:84:c7:7d:b9:5e:
+                    9c:2c:3d:7e:84:2f:cd:31:72:39:c4:be:ea:53:ce:
+                    62:95:fc:c3:12:ee:e8:28:6c:81:82:17:61:59:c7:
+                    cd:81:58:ad:13:f3:08:d0:99:62:65:e1:34:0e:e0:
+                    00:77:96:45:63:f8:b6:c1:7e:4f:2e:f9:fd:00:4c:
+                    d3:c1:51:0f:d5:44:9c:40:22:64:be:3b:7c:b0:4c:
+                    71:52:05:57:a1:02:f5:b0:95:10:03:c9:be:48:2c:
+                    f6:79:d4:46:1f:33:1a:67:c3:de:02:a0:06:50:74:
+                    20:0b:32:62:ab:28:1b:e9:37:5c:22:b7:81:03:0e:
+                    0d:a6:e9:2d:4a:30:e0:3a:48:6e:93:55:15:30:fd:
+                    fe:9e:03:26:45:ff:05:4c:d0:f9:ad:74:7c:c5:7b:
+                    5e:91:71:a3:96:a2:d3:94:81:80:50:7c:4d:d5:01:
+                    ec:0f:72:15:4c:f9:58:79:70:70:9b:aa:a5:2b:4e:
+                    e3:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                34:04:A6:AE:98:9D:F5:BA:A9:32:EA:B3:70:7E:4D:02:BE:61:A2:5A
+            X509v3 Authority Key Identifier: 
+                keyid:DD:16:A1:D4:82:18:14:B3:83:75:17:4D:83:67:93:FB:4D:F2:58:B7
+                DirName:/CN=Easy-RSA CA
+                serial:77:82:0D:A8:64:EB:45:7F:2D:A4:D8:C8:2D:57:CB:A7:F1:56:F4:9A
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        64:e4:69:7d:d8:2e:8d:20:fd:b2:59:5e:f8:13:41:85:a2:d3:
+        01:2e:84:d7:8c:50:d0:42:fd:c7:e6:3b:5c:b7:fc:77:a6:93:
+        92:54:63:ed:6e:90:24:c4:93:e6:d1:fb:ee:65:7e:4b:98:fb:
+        44:41:0f:7d:a3:5c:cd:44:69:8c:f9:69:0e:4c:77:1e:cb:0b:
+        13:08:22:f4:93:51:89:da:0d:a4:60:e8:6c:3c:a9:7a:a6:6d:
+        92:d1:33:5c:30:bc:43:54:67:85:ae:26:4f:17:d4:40:da:d4:
+        32:96:30:ef:8b:30:7c:04:36:b8:a8:e5:a3:46:97:99:77:c3:
+        77:1e:5c:12:f3:f6:db:b3:49:3a:d7:e9:02:3f:67:58:9a:54:
+        6f:1a:c2:59:52:8c:4a:5f:bd:41:02:d7:ef:99:75:06:64:6b:
+        6a:68:94:f5:3e:04:67:a8:3e:1f:c0:8b:97:e4:cf:72:04:a9:
+        dd:53:24:b9:62:10:90:c3:ab:e1:f4:c5:4e:f5:e5:de:27:85:
+        11:54:8e:11:68:f8:1c:d0:d5:0a:af:a0:64:27:76:0b:51:67:
+        09:4a:d7:21:ee:b4:44:87:34:e6:73:00:e0:64:92:52:ab:6f:
+        1e:8d:de:84:e9:fb:d9:a5:b8:52:48:6f:01:6c:ed:7b:de:8d:
+        b7:9d:9a:56
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIQGtSV4ILD0ZcmJVFVcwA9/jANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yNTEwMDYxNzI2MzVaFw0yODAxMDkx
+NzI2MzVaMBUxEzARBgNVBAMMCmVteS1sYXB0b3AwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDkXDdh+qywipM9tJo7XJKF2iduBtXIPv2laGiUf3TIsLKN
++NW4Fx+vsxgjwwmgfCD5Z2dMGOS6oxa5jXzN6oYOQiQA28uEx325XpwsPX6EL80x
+cjnEvupTzmKV/MMS7ugobIGCF2FZx82BWK0T8wjQmWJl4TQO4AB3lkVj+LbBfk8u
++f0ATNPBUQ/VRJxAImS+O3ywTHFSBVehAvWwlRADyb5ILPZ51EYfMxpnw94CoAZQ
+dCALMmKrKBvpN1wit4EDDg2m6S1KMOA6SG6TVRUw/f6eAyZF/wVM0PmtdHzFe16R
+caOWotOUgYBQfE3VAewPchVM+Vh5cHCbqqUrTuOJAgMBAAGjgaIwgZ8wCQYDVR0T
+BAIwADAdBgNVHQ4EFgQUNASmrpid9bqpMuqzcH5NAr5holowUQYDVR0jBEowSIAU
+3Rah1IIYFLODdRdNg2eT+03yWLehGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENB
+ghR3gg2oZOtFfy2k2MgtV8un8Vb0mjATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNV
+HQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAGTkaX3YLo0g/bJZXvgTQYWi0wEu
+hNeMUNBC/cfmO1y3/Hemk5JUY+1ukCTEk+bR++5lfkuY+0RBD32jXM1EaYz5aQ5M
+dx7LCxMIIvSTUYnaDaRg6Gw8qXqmbZLRM1wwvENUZ4WuJk8X1EDa1DKWMO+LMHwE
+Nrio5aNGl5l3w3ceXBLz9tuzSTrX6QI/Z1iaVG8awllSjEpfvUEC1++ZdQZka2po
+lPU+BGeoPh/Ai5fkz3IEqd1TJLliEJDDq+H0xU715d4nhRFUjhFo+BzQ1QqvoGQn
+dgtRZwlK1yHutESHNOZzAOBkklKrbx6N3oTp+9mluFJIbwFs7XvejbedmlY=
+-----END CERTIFICATE-----

etc/openvpn/easy-rsa/pki/certs_by_serial/F11C11E27C13A18E3D8BFD00106D3EA9.pem

@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f1:1c:11:e2:7c:13:a1:8e:3d:8b:fd:00:10:6d:3e:a9
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct  6 17:26:35 2025 GMT
+            Not After : Jan  9 17:26:35 2028 GMT
+        Subject: CN=server
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bb:2e:ae:5e:e6:9d:d0:ec:e1:63:6d:c8:a8:a5:
+                    08:5f:cb:60:b9:8d:14:59:18:22:46:11:cb:ef:fa:
+                    06:a9:40:05:ef:86:7b:a6:96:1e:45:f0:e2:5e:d1:
+                    86:b5:95:e0:a9:1c:bd:c2:82:4e:c0:58:af:29:c3:
+                    69:fd:c3:a1:33:ad:eb:a0:d4:ea:54:73:1c:f3:a1:
+                    9c:4a:01:02:c9:20:84:11:8c:59:0d:9b:c7:78:4a:
+                    fa:31:d7:85:19:28:05:b0:29:18:3d:73:9e:a6:af:
+                    db:4d:1a:9c:d0:a7:9d:0a:88:a3:fe:54:60:f3:97:
+                    f2:e8:c1:ca:49:8b:6a:ce:40:47:b4:0d:16:37:1d:
+                    d2:23:9b:3a:5a:dc:cb:9f:2e:dc:c9:07:6c:e7:bc:
+                    bb:f9:11:73:1b:e2:18:23:be:07:4a:9e:d0:19:b8:
+                    a1:75:15:64:cb:b2:df:0a:a0:24:5e:5d:0f:31:ad:
+                    38:5d:43:4a:25:4d:f0:22:a1:ad:eb:46:df:d9:7f:
+                    bf:d0:63:50:af:a3:a8:27:98:24:bb:ac:e9:b6:e5:
+                    df:a9:08:b9:04:c0:41:83:7c:0b:8d:cb:68:24:51:
+                    d6:8c:15:21:53:f8:f5:b4:b0:3e:1c:ef:33:43:f0:
+                    ff:df:81:2d:fb:b5:00:52:c3:e7:08:d2:41:13:96:
+                    02:4b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                0F:D3:A1:AB:04:98:97:E8:C0:56:11:18:8D:17:EB:BA:F9:4D:D4:83
+            X509v3 Authority Key Identifier: 
+                keyid:DD:16:A1:D4:82:18:14:B3:83:75:17:4D:83:67:93:FB:4D:F2:58:B7
+                DirName:/CN=Easy-RSA CA
+                serial:77:82:0D:A8:64:EB:45:7F:2D:A4:D8:C8:2D:57:CB:A7:F1:56:F4:9A
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        61:73:c8:ad:42:75:c8:ef:d1:a3:86:06:d2:d3:ca:8c:dd:d7:
+        c4:85:71:b9:bc:04:9e:82:d3:13:b2:d0:ea:d9:40:0b:a0:00:
+        4b:df:c7:95:20:43:d1:0f:a8:c9:4d:aa:0e:84:7f:cd:86:14:
+        b3:fc:1d:04:c8:33:fd:66:77:aa:9b:52:2d:ea:b2:bf:59:38:
+        c9:b1:0e:b2:37:c3:32:3e:11:32:98:50:a3:97:aa:b8:5e:23:
+        b6:83:d7:da:57:97:b5:30:28:ee:2a:49:e4:42:e6:1f:32:4f:
+        b8:3c:14:7b:17:24:38:70:64:a3:21:c8:1e:65:59:d4:66:9c:
+        4c:05:d3:23:1b:97:f6:d4:9c:a9:cf:12:42:77:a5:3d:b4:8a:
+        f5:5e:00:7d:e9:ff:39:23:13:0d:6a:5b:b6:d4:36:eb:d9:b6:
+        6a:2f:f1:42:7c:59:d7:24:54:7f:b1:1b:63:ca:8e:67:28:d1:
+        d8:8c:50:d5:4e:5e:e7:3f:b9:53:5b:3b:1f:a3:8c:86:1e:96:
+        07:dc:5e:e0:31:e5:fb:c2:3e:8b:8d:52:21:3e:1c:eb:ad:24:
+        cd:44:5c:1d:6a:28:cc:d8:eb:0e:68:79:6b:c3:7e:09:b2:7e:
+        32:7d:c9:7b:fa:8f:46:79:5e:e1:ad:c6:cc:18:b2:04:f9:5a:
+        7a:bb:ca:2d
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIRAPEcEeJ8E6GOPYv9ABBtPqkwDQYJKoZIhvcNAQELBQAw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjUxMDA2MTcyNjM1WhcNMjgwMTA5
+MTcyNjM1WjARMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC7Lq5e5p3Q7OFjbciopQhfy2C5jRRZGCJGEcvv+gapQAXvhnum
+lh5F8OJe0Ya1leCpHL3Cgk7AWK8pw2n9w6Ezreug1OpUcxzzoZxKAQLJIIQRjFkN
+m8d4Svox14UZKAWwKRg9c56mr9tNGpzQp50KiKP+VGDzl/LowcpJi2rOQEe0DRY3
+HdIjmzpa3MufLtzJB2znvLv5EXMb4hgjvgdKntAZuKF1FWTLst8KoCReXQ8xrThd
+Q0olTfAioa3rRt/Zf7/QY1Cvo6gnmCS7rOm25d+pCLkEwEGDfAuNy2gkUdaMFSFT
++PW0sD4c7zND8P/fgS37tQBSw+cI0kETlgJLAgMBAAGjgbUwgbIwCQYDVR0TBAIw
+ADAdBgNVHQ4EFgQUD9OhqwSYl+jAVhEYjRfruvlN1IMwUQYDVR0jBEowSIAU3Rah
+1IIYFLODdRdNg2eT+03yWLehGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR3
+gg2oZOtFfy2k2MgtV8un8Vb0mjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8E
+BAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IBAQBhc8it
+QnXI79GjhgbS08qM3dfEhXG5vASegtMTstDq2UALoABL38eVIEPRD6jJTaoOhH/N
+hhSz/B0EyDP9Zneqm1It6rK/WTjJsQ6yN8MyPhEymFCjl6q4XiO2g9faV5e1MCju
+KknkQuYfMk+4PBR7FyQ4cGSjIcgeZVnUZpxMBdMjG5f21JypzxJCd6U9tIr1XgB9
+6f85IxMNalu21Dbr2bZqL/FCfFnXJFR/sRtjyo5nKNHYjFDVTl7nP7lTWzsfo4yG
+HpYH3F7gMeX7wj6LjVIhPhzrrSTNRFwdaijM2OsOaHlrw34Jsn4yfcl7+o9GeV7h
+rcbMGLIE+Vp6u8ot
+-----END CERTIFICATE-----

etc/openvpn/easy-rsa/pki/index.txt

@@ -0,0 +1,2 @@
+V	280109172635Z		F11C11E27C13A18E3D8BFD00106D3EA9	unknown	/CN=server
+V	280109172635Z		1AD495E082C3D1972625515573003DFE	unknown	/CN=emy-laptop

etc/openvpn/easy-rsa/pki/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = no

etc/openvpn/easy-rsa/pki/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = no

etc/openvpn/easy-rsa/pki/index.txt.old

@@ -0,0 +1 @@
+V	280109172635Z		F11C11E27C13A18E3D8BFD00106D3EA9	unknown	/CN=server

etc/openvpn/easy-rsa/pki/inline/emy-laptop.inline

@@ -0,0 +1,144 @@
+# Easy-RSA Type: client
+# Name: emy-laptop
+
+<cert>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1a:d4:95:e0:82:c3:d1:97:26:25:51:55:73:00:3d:fe
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct  6 17:26:35 2025 GMT
+            Not After : Jan  9 17:26:35 2028 GMT
+        Subject: CN=emy-laptop
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e4:5c:37:61:fa:ac:b0:8a:93:3d:b4:9a:3b:5c:
+                    92:85:da:27:6e:06:d5:c8:3e:fd:a5:68:68:94:7f:
+                    74:c8:b0:b2:8d:f8:d5:b8:17:1f:af:b3:18:23:c3:
+                    09:a0:7c:20:f9:67:67:4c:18:e4:ba:a3:16:b9:8d:
+                    7c:cd:ea:86:0e:42:24:00:db:cb:84:c7:7d:b9:5e:
+                    9c:2c:3d:7e:84:2f:cd:31:72:39:c4:be:ea:53:ce:
+                    62:95:fc:c3:12:ee:e8:28:6c:81:82:17:61:59:c7:
+                    cd:81:58:ad:13:f3:08:d0:99:62:65:e1:34:0e:e0:
+                    00:77:96:45:63:f8:b6:c1:7e:4f:2e:f9:fd:00:4c:
+                    d3:c1:51:0f:d5:44:9c:40:22:64:be:3b:7c:b0:4c:
+                    71:52:05:57:a1:02:f5:b0:95:10:03:c9:be:48:2c:
+                    f6:79:d4:46:1f:33:1a:67:c3:de:02:a0:06:50:74:
+                    20:0b:32:62:ab:28:1b:e9:37:5c:22:b7:81:03:0e:
+                    0d:a6:e9:2d:4a:30:e0:3a:48:6e:93:55:15:30:fd:
+                    fe:9e:03:26:45:ff:05:4c:d0:f9:ad:74:7c:c5:7b:
+                    5e:91:71:a3:96:a2:d3:94:81:80:50:7c:4d:d5:01:
+                    ec:0f:72:15:4c:f9:58:79:70:70:9b:aa:a5:2b:4e:
+                    e3:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                34:04:A6:AE:98:9D:F5:BA:A9:32:EA:B3:70:7E:4D:02:BE:61:A2:5A
+            X509v3 Authority Key Identifier: 
+                keyid:DD:16:A1:D4:82:18:14:B3:83:75:17:4D:83:67:93:FB:4D:F2:58:B7
+                DirName:/CN=Easy-RSA CA
+                serial:77:82:0D:A8:64:EB:45:7F:2D:A4:D8:C8:2D:57:CB:A7:F1:56:F4:9A
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        64:e4:69:7d:d8:2e:8d:20:fd:b2:59:5e:f8:13:41:85:a2:d3:
+        01:2e:84:d7:8c:50:d0:42:fd:c7:e6:3b:5c:b7:fc:77:a6:93:
+        92:54:63:ed:6e:90:24:c4:93:e6:d1:fb:ee:65:7e:4b:98:fb:
+        44:41:0f:7d:a3:5c:cd:44:69:8c:f9:69:0e:4c:77:1e:cb:0b:
+        13:08:22:f4:93:51:89:da:0d:a4:60:e8:6c:3c:a9:7a:a6:6d:
+        92:d1:33:5c:30:bc:43:54:67:85:ae:26:4f:17:d4:40:da:d4:
+        32:96:30:ef:8b:30:7c:04:36:b8:a8:e5:a3:46:97:99:77:c3:
+        77:1e:5c:12:f3:f6:db:b3:49:3a:d7:e9:02:3f:67:58:9a:54:
+        6f:1a:c2:59:52:8c:4a:5f:bd:41:02:d7:ef:99:75:06:64:6b:
+        6a:68:94:f5:3e:04:67:a8:3e:1f:c0:8b:97:e4:cf:72:04:a9:
+        dd:53:24:b9:62:10:90:c3:ab:e1:f4:c5:4e:f5:e5:de:27:85:
+        11:54:8e:11:68:f8:1c:d0:d5:0a:af:a0:64:27:76:0b:51:67:
+        09:4a:d7:21:ee:b4:44:87:34:e6:73:00:e0:64:92:52:ab:6f:
+        1e:8d:de:84:e9:fb:d9:a5:b8:52:48:6f:01:6c:ed:7b:de:8d:
+        b7:9d:9a:56
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIQGtSV4ILD0ZcmJVFVcwA9/jANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yNTEwMDYxNzI2MzVaFw0yODAxMDkx
+NzI2MzVaMBUxEzARBgNVBAMMCmVteS1sYXB0b3AwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDkXDdh+qywipM9tJo7XJKF2iduBtXIPv2laGiUf3TIsLKN
++NW4Fx+vsxgjwwmgfCD5Z2dMGOS6oxa5jXzN6oYOQiQA28uEx325XpwsPX6EL80x
+cjnEvupTzmKV/MMS7ugobIGCF2FZx82BWK0T8wjQmWJl4TQO4AB3lkVj+LbBfk8u
++f0ATNPBUQ/VRJxAImS+O3ywTHFSBVehAvWwlRADyb5ILPZ51EYfMxpnw94CoAZQ
+dCALMmKrKBvpN1wit4EDDg2m6S1KMOA6SG6TVRUw/f6eAyZF/wVM0PmtdHzFe16R
+caOWotOUgYBQfE3VAewPchVM+Vh5cHCbqqUrTuOJAgMBAAGjgaIwgZ8wCQYDVR0T
+BAIwADAdBgNVHQ4EFgQUNASmrpid9bqpMuqzcH5NAr5holowUQYDVR0jBEowSIAU
+3Rah1IIYFLODdRdNg2eT+03yWLehGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENB
+ghR3gg2oZOtFfy2k2MgtV8un8Vb0mjATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNV
+HQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAGTkaX3YLo0g/bJZXvgTQYWi0wEu
+hNeMUNBC/cfmO1y3/Hemk5JUY+1ukCTEk+bR++5lfkuY+0RBD32jXM1EaYz5aQ5M
+dx7LCxMIIvSTUYnaDaRg6Gw8qXqmbZLRM1wwvENUZ4WuJk8X1EDa1DKWMO+LMHwE
+Nrio5aNGl5l3w3ceXBLz9tuzSTrX6QI/Z1iaVG8awllSjEpfvUEC1++ZdQZka2po
+lPU+BGeoPh/Ai5fkz3IEqd1TJLliEJDDq+H0xU715d4nhRFUjhFo+BzQ1QqvoGQn
+dgtRZwlK1yHutESHNOZzAOBkklKrbx6N3oTp+9mluFJIbwFs7XvejbedmlY=
+-----END CERTIFICATE-----
+</cert>
+
+<key>
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDkXDdh+qywipM9
+tJo7XJKF2iduBtXIPv2laGiUf3TIsLKN+NW4Fx+vsxgjwwmgfCD5Z2dMGOS6oxa5
+jXzN6oYOQiQA28uEx325XpwsPX6EL80xcjnEvupTzmKV/MMS7ugobIGCF2FZx82B
+WK0T8wjQmWJl4TQO4AB3lkVj+LbBfk8u+f0ATNPBUQ/VRJxAImS+O3ywTHFSBVeh
+AvWwlRADyb5ILPZ51EYfMxpnw94CoAZQdCALMmKrKBvpN1wit4EDDg2m6S1KMOA6
+SG6TVRUw/f6eAyZF/wVM0PmtdHzFe16RcaOWotOUgYBQfE3VAewPchVM+Vh5cHCb
+qqUrTuOJAgMBAAECggEAZtN3RLEhbWUYo+JcyHoIqCjxNEPzo3VptT9sR+GUboHS
+BMeVRI11ASJ9riy2ewMpvePnyYY0CC5Dn02scvQ1ZNo3aAOQgrtpSzzkya7u9wqn
+NKqghI0K6q22Cp+EH1RgSUOClVd9yHWFfca2OJNo1rUab5GWZVRMIY0Stc9aS4mA
+lFG7aw5LJ7NP+Jh4E9XFjzr9IyraV+7h+G0qAZLE8qsA4j8vbtlApojAf9cKPFCc
+MYUeqVjqNx+fBb7E3t13+ffCG2Y/DNinxFMpV7kN7t+fYubZovZsZXdFEYatHCP5
+fMKDwBQYUfmK/pQmDip/HhlOJ8t11uQxQ5UPe3GKeQKBgQD9j9IOunGIPcN5xhZW
+36Y/ZqD/e9hjnqc3LKwFwcElPaXphA/zv1m83tesr+uMRNJIJ1FL+tVv8QtcIGrC
+Ha7oYlbK1mAN6HrVa8tvNZ0wEwRTgdyVtwRnCgBm2ONp7IGW2wX9oK89C3vwky4p
+c1Pm9QLKGqIQryFyolIJcJmgLwKBgQDmjlvB9DolWASKfNRJrVRigoFhX8JXWETv
+clEwzGGX1AmrzyFIE4fQMpYdZk3C2hyTuKlgXqZyXvlRr7rvFxMe0WcEMC7zUgd6
+YFMifgVL6rE/PXpgy6JdMwMBaaP6yxYUz1FbyL0WixZq1bllBm5Z+Xu7RLfNS71a
+urWqLXPRxwKBgQCYOazBXNtmELZ3OB4XP6O+Mm37k61geVIoRLBtsFm1cuJVZAxz
+qHBGfH581QyTpImd+cTL2aYj01GfmHKfYVStfMRgd/0ovGZqFJIIjOZ2gyQ4wiDc
+3QhOl+mP1SwKXouaNpnNH5e1DVz2HFY9WliHspZfIUgkvg9Vk++ubSQ9zwKBgGCR
+XAl+/CPMHArNgjVh7ihctUhNzZ68EBOi9DLWSEJJw8s8tJn15DrmFU43HXbx2Gpf
+PEJrIphhA1idnFSse4u69cUhUWkFALDXS7r0wc8sfBUa8Pk+EcGrriSXVOGk0pjg
+xRkGmXypwTf6UO7ppKr2/kZP4BSTFrq73X9sDkjdAoGBAPpMwaZ8MpLia/WBP7+z
+1A3zUKIjUFysmtacYEUEIRvgivfWkQpCpFjrJN0hwrib2Agzl7fGRpD9tu6/iDFo
+y1ZsWNb5x3StniIFHR+zgWU9+Gd3XMBw4uivWi0cppaYBi8ndNlY59OOL1o8rldJ
+RjRKcYht2Pscsbze8xPJVLt8
+-----END PRIVATE KEY-----
+</key>
+
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUd4INqGTrRX8tpNjILVfLp/FW9JowDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjUxMDA2MTcyNjM1WhcNMzUx
+MDA0MTcyNjM1WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAL0DDWBsUoqQdvX8UytBHfSZYUmPL/dvyYQt/STT
+7cZKsl0OqV2EzqhGJYPmPHcKiBoeEoqaBsHnLa/c6PbGWrvztFXHotYOMW0Jigv2
+KKotB2GT9k7mhrOcUMuu6J6SossJtlekebQkIBXj7N31m+Zs/k5kayeaScg8cCYW
+o7SwP2afUZ7vSsxisAgEnKsq0fousPguGdT5Ooh0TAUEKl/PR69pGMaXD1MQl5wv
+dcJV3X2GhcXpJbAGuhBjcZB/LCFjtlQ+9IDvhcN4rhWNa0LsMoL3sPh/dsdt0G2c
+bxc4+OuLQ42eWcAV0RsTMGofTULcRuXcA3XvTRllgCWplbUCAwEAAaOBkDCBjTAM
+BgNVHRMEBTADAQH/MB0GA1UdDgQWBBTdFqHUghgUs4N1F02DZ5P7TfJYtzBRBgNV
+HSMESjBIgBTdFqHUghgUs4N1F02DZ5P7TfJYt6EapBgwFjEUMBIGA1UEAwwLRWFz
+eS1SU0EgQ0GCFHeCDahk60V/LaTYyC1Xy6fxVvSaMAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAP0X9x4SQFXaR7FEYwjAQ+uX1EtWQP+GhA3MKQI7scQL6
+TxMc/103x7Ty3Sb0tbG9iOMb5v9rXqiLFyzxqZAh4yiLnsJDwe/OlozfkVcGhXcl
+L67q56je+D/PptD6UoWBYvLPPdu8DNaa/0aVsyE0hXIrjnNYNz8Kb9YXLmbxp051
+/5GxpMdonyEOIxQv40lITDH0Ynlx0QiPF0bqDYT5nsMGx8gRTStKL+WMQGi0CHGe
+PoyOFdR0JdJcR6vvr8b+32fHeIZrpwTrqUoUJuR0HtFrhhIF7es9bmw3px1mMd1M
+OJ+fp9iYT1JcKtB6WeV+TOTkfsFzdg+EIqG4os+ZzA==
+-----END CERTIFICATE-----
+</ca>
+

etc/openvpn/easy-rsa/pki/inline/server.inline

@@ -0,0 +1,147 @@
+# Easy-RSA Type: server
+# Name: server
+
+<cert>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f1:1c:11:e2:7c:13:a1:8e:3d:8b:fd:00:10:6d:3e:a9
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct  6 17:26:35 2025 GMT
+            Not After : Jan  9 17:26:35 2028 GMT
+        Subject: CN=server
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bb:2e:ae:5e:e6:9d:d0:ec:e1:63:6d:c8:a8:a5:
+                    08:5f:cb:60:b9:8d:14:59:18:22:46:11:cb:ef:fa:
+                    06:a9:40:05:ef:86:7b:a6:96:1e:45:f0:e2:5e:d1:
+                    86:b5:95:e0:a9:1c:bd:c2:82:4e:c0:58:af:29:c3:
+                    69:fd:c3:a1:33:ad:eb:a0:d4:ea:54:73:1c:f3:a1:
+                    9c:4a:01:02:c9:20:84:11:8c:59:0d:9b:c7:78:4a:
+                    fa:31:d7:85:19:28:05:b0:29:18:3d:73:9e:a6:af:
+                    db:4d:1a:9c:d0:a7:9d:0a:88:a3:fe:54:60:f3:97:
+                    f2:e8:c1:ca:49:8b:6a:ce:40:47:b4:0d:16:37:1d:
+                    d2:23:9b:3a:5a:dc:cb:9f:2e:dc:c9:07:6c:e7:bc:
+                    bb:f9:11:73:1b:e2:18:23:be:07:4a:9e:d0:19:b8:
+                    a1:75:15:64:cb:b2:df:0a:a0:24:5e:5d:0f:31:ad:
+                    38:5d:43:4a:25:4d:f0:22:a1:ad:eb:46:df:d9:7f:
+                    bf:d0:63:50:af:a3:a8:27:98:24:bb:ac:e9:b6:e5:
+                    df:a9:08:b9:04:c0:41:83:7c:0b:8d:cb:68:24:51:
+                    d6:8c:15:21:53:f8:f5:b4:b0:3e:1c:ef:33:43:f0:
+                    ff:df:81:2d:fb:b5:00:52:c3:e7:08:d2:41:13:96:
+                    02:4b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                0F:D3:A1:AB:04:98:97:E8:C0:56:11:18:8D:17:EB:BA:F9:4D:D4:83
+            X509v3 Authority Key Identifier: 
+                keyid:DD:16:A1:D4:82:18:14:B3:83:75:17:4D:83:67:93:FB:4D:F2:58:B7
+                DirName:/CN=Easy-RSA CA
+                serial:77:82:0D:A8:64:EB:45:7F:2D:A4:D8:C8:2D:57:CB:A7:F1:56:F4:9A
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        61:73:c8:ad:42:75:c8:ef:d1:a3:86:06:d2:d3:ca:8c:dd:d7:
+        c4:85:71:b9:bc:04:9e:82:d3:13:b2:d0:ea:d9:40:0b:a0:00:
+        4b:df:c7:95:20:43:d1:0f:a8:c9:4d:aa:0e:84:7f:cd:86:14:
+        b3:fc:1d:04:c8:33:fd:66:77:aa:9b:52:2d:ea:b2:bf:59:38:
+        c9:b1:0e:b2:37:c3:32:3e:11:32:98:50:a3:97:aa:b8:5e:23:
+        b6:83:d7:da:57:97:b5:30:28:ee:2a:49:e4:42:e6:1f:32:4f:
+        b8:3c:14:7b:17:24:38:70:64:a3:21:c8:1e:65:59:d4:66:9c:
+        4c:05:d3:23:1b:97:f6:d4:9c:a9:cf:12:42:77:a5:3d:b4:8a:
+        f5:5e:00:7d:e9:ff:39:23:13:0d:6a:5b:b6:d4:36:eb:d9:b6:
+        6a:2f:f1:42:7c:59:d7:24:54:7f:b1:1b:63:ca:8e:67:28:d1:
+        d8:8c:50:d5:4e:5e:e7:3f:b9:53:5b:3b:1f:a3:8c:86:1e:96:
+        07:dc:5e:e0:31:e5:fb:c2:3e:8b:8d:52:21:3e:1c:eb:ad:24:
+        cd:44:5c:1d:6a:28:cc:d8:eb:0e:68:79:6b:c3:7e:09:b2:7e:
+        32:7d:c9:7b:fa:8f:46:79:5e:e1:ad:c6:cc:18:b2:04:f9:5a:
+        7a:bb:ca:2d
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIRAPEcEeJ8E6GOPYv9ABBtPqkwDQYJKoZIhvcNAQELBQAw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjUxMDA2MTcyNjM1WhcNMjgwMTA5
+MTcyNjM1WjARMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC7Lq5e5p3Q7OFjbciopQhfy2C5jRRZGCJGEcvv+gapQAXvhnum
+lh5F8OJe0Ya1leCpHL3Cgk7AWK8pw2n9w6Ezreug1OpUcxzzoZxKAQLJIIQRjFkN
+m8d4Svox14UZKAWwKRg9c56mr9tNGpzQp50KiKP+VGDzl/LowcpJi2rOQEe0DRY3
+HdIjmzpa3MufLtzJB2znvLv5EXMb4hgjvgdKntAZuKF1FWTLst8KoCReXQ8xrThd
+Q0olTfAioa3rRt/Zf7/QY1Cvo6gnmCS7rOm25d+pCLkEwEGDfAuNy2gkUdaMFSFT
++PW0sD4c7zND8P/fgS37tQBSw+cI0kETlgJLAgMBAAGjgbUwgbIwCQYDVR0TBAIw
+ADAdBgNVHQ4EFgQUD9OhqwSYl+jAVhEYjRfruvlN1IMwUQYDVR0jBEowSIAU3Rah
+1IIYFLODdRdNg2eT+03yWLehGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR3
+gg2oZOtFfy2k2MgtV8un8Vb0mjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8E
+BAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IBAQBhc8it
+QnXI79GjhgbS08qM3dfEhXG5vASegtMTstDq2UALoABL38eVIEPRD6jJTaoOhH/N
+hhSz/B0EyDP9Zneqm1It6rK/WTjJsQ6yN8MyPhEymFCjl6q4XiO2g9faV5e1MCju
+KknkQuYfMk+4PBR7FyQ4cGSjIcgeZVnUZpxMBdMjG5f21JypzxJCd6U9tIr1XgB9
+6f85IxMNalu21Dbr2bZqL/FCfFnXJFR/sRtjyo5nKNHYjFDVTl7nP7lTWzsfo4yG
+HpYH3F7gMeX7wj6LjVIhPhzrrSTNRFwdaijM2OsOaHlrw34Jsn4yfcl7+o9GeV7h
+rcbMGLIE+Vp6u8ot
+-----END CERTIFICATE-----
+</cert>
+
+<key>
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7Lq5e5p3Q7OFj
+bciopQhfy2C5jRRZGCJGEcvv+gapQAXvhnumlh5F8OJe0Ya1leCpHL3Cgk7AWK8p
+w2n9w6Ezreug1OpUcxzzoZxKAQLJIIQRjFkNm8d4Svox14UZKAWwKRg9c56mr9tN
+GpzQp50KiKP+VGDzl/LowcpJi2rOQEe0DRY3HdIjmzpa3MufLtzJB2znvLv5EXMb
+4hgjvgdKntAZuKF1FWTLst8KoCReXQ8xrThdQ0olTfAioa3rRt/Zf7/QY1Cvo6gn
+mCS7rOm25d+pCLkEwEGDfAuNy2gkUdaMFSFT+PW0sD4c7zND8P/fgS37tQBSw+cI
+0kETlgJLAgMBAAECggEAEng7YccvsKXZt43loX5nTSHW8Xgnly2idCIywAMpFRo+
+0QZcEnFNm2khbRRk+RXzjRGg8nMZLNw+AcjzycO77EraV+GqcvAeMzaxzTuRosw/
+5oYKuM+zkahpoka52Lmc62eiqgL2l0v9lPtt7cjG3iXiyKhayK59nCntuUQLIz6u
+kSCTV8+d0e59VOfH9U/D3GXBTEwmdgweIATwEI+iToitX5fHtv6vgxkUiKpQW5mr
+ovRKhRGbPvwc9WO3qTEiT+5RZaVpjRX1rMYejnllQo5jFLFqZ2r9wWfjiWTvLAAr
+0tlI6qXve+UMd+69Fwq04KNFWgoT1UtYMu3pCrPegQKBgQDnGj38p8Edkinl2Np3
+xcT7asVGcOOfTiG2LhxjvpdLE7HbhJiOB/MAIfO6LbuHHrvDBSUAdAp5H1JzOIvR
+F9piTCb66NdGW0TNNfjPDoBTP5vhMHwGB1p9A4Ysueob8HVJWKNV+8gchyNIqHqh
+62cztcjBKo4ujOEM2m6awV4cYwKBgQDPWSFe5vidtFIBgNtJTVZN1PUSbkro2lbs
+RSqEkRRAxg/ZVeXUjo6NjW5mWdMMtE6QL+nBukrbIme/yM4WlnrrgsPd+mKVlEII
+H7XmVSIYKC43xwTexGOOl5hagFugnoKdjMNap4RffgY9rTqfr22PwHbXi9ET4f/g
+el3lvh/i+QKBgHaOsuAr21llQ5NDtYgecFiexMfHYC64sXi5nRzaiNkeKG86Td0H
+XPVjdZq8nWjLLn305K+f2EOc+vpbNvc0qnclJBYyX0YbymcQWi02/kQ27KwQ6H9b
+RGO/7BSD6AMfT7wp+dlBir5/4W0D6a2pi08u4eefAkQFR+sFIBrKOpKLAoGBAMef
+QOB0L9DsxLLL0tKMkVVXfCYlZxss8diAcoG0hzIhPSr5Zs6v/JBNJIeHXQfzI1vv
+tPYdG2pDgm0Cr17Ruz+34kh4gacOWFAn72D0f2GQdYafpZGus0aZrkUbJJvLX2a9
+GWrSsj+ZPfrtJu6L30gxfHjiFAU3ZLhCNtozo9FJAoGBAMKDchAFjYTsz1+bqdCd
+k5hOGJzIIbOpnrL3aPhzrzyc1G+QS7D5rxAL5AxlQgFlU/Z3c6t57jsKv0CqC4dg
+KkyxTdvRr8NZ2piMdAbJ6PeF2qRjmThGHT/K9Y/LyeQ0DJrppJ+IkwmNR9jtMmDq
+gRCWnkwSGjoAPmcA4eGMGpRD
+-----END PRIVATE KEY-----
+</key>
+
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUd4INqGTrRX8tpNjILVfLp/FW9JowDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjUxMDA2MTcyNjM1WhcNMzUx
+MDA0MTcyNjM1WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAL0DDWBsUoqQdvX8UytBHfSZYUmPL/dvyYQt/STT
+7cZKsl0OqV2EzqhGJYPmPHcKiBoeEoqaBsHnLa/c6PbGWrvztFXHotYOMW0Jigv2
+KKotB2GT9k7mhrOcUMuu6J6SossJtlekebQkIBXj7N31m+Zs/k5kayeaScg8cCYW
+o7SwP2afUZ7vSsxisAgEnKsq0fousPguGdT5Ooh0TAUEKl/PR69pGMaXD1MQl5wv
+dcJV3X2GhcXpJbAGuhBjcZB/LCFjtlQ+9IDvhcN4rhWNa0LsMoL3sPh/dsdt0G2c
+bxc4+OuLQ42eWcAV0RsTMGofTULcRuXcA3XvTRllgCWplbUCAwEAAaOBkDCBjTAM
+BgNVHRMEBTADAQH/MB0GA1UdDgQWBBTdFqHUghgUs4N1F02DZ5P7TfJYtzBRBgNV
+HSMESjBIgBTdFqHUghgUs4N1F02DZ5P7TfJYt6EapBgwFjEUMBIGA1UEAwwLRWFz
+eS1SU0EgQ0GCFHeCDahk60V/LaTYyC1Xy6fxVvSaMAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAP0X9x4SQFXaR7FEYwjAQ+uX1EtWQP+GhA3MKQI7scQL6
+TxMc/103x7Ty3Sb0tbG9iOMb5v9rXqiLFyzxqZAh4yiLnsJDwe/OlozfkVcGhXcl
+L67q56je+D/PptD6UoWBYvLPPdu8DNaa/0aVsyE0hXIrjnNYNz8Kb9YXLmbxp051
+/5GxpMdonyEOIxQv40lITDH0Ynlx0QiPF0bqDYT5nsMGx8gRTStKL+WMQGi0CHGe
+PoyOFdR0JdJcR6vvr8b+32fHeIZrpwTrqUoUJuR0HtFrhhIF7es9bmw3px1mMd1M
+OJ+fp9iYT1JcKtB6WeV+TOTkfsFzdg+EIqG4os+ZzA==
+-----END CERTIFICATE-----
+</ca>
+

etc/openvpn/easy-rsa/pki/issued/emy-laptop.crt

@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1a:d4:95:e0:82:c3:d1:97:26:25:51:55:73:00:3d:fe
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct  6 17:26:35 2025 GMT
+            Not After : Jan  9 17:26:35 2028 GMT
+        Subject: CN=emy-laptop
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e4:5c:37:61:fa:ac:b0:8a:93:3d:b4:9a:3b:5c:
+                    92:85:da:27:6e:06:d5:c8:3e:fd:a5:68:68:94:7f:
+                    74:c8:b0:b2:8d:f8:d5:b8:17:1f:af:b3:18:23:c3:
+                    09:a0:7c:20:f9:67:67:4c:18:e4:ba:a3:16:b9:8d:
+                    7c:cd:ea:86:0e:42:24:00:db:cb:84:c7:7d:b9:5e:
+                    9c:2c:3d:7e:84:2f:cd:31:72:39:c4:be:ea:53:ce:
+                    62:95:fc:c3:12:ee:e8:28:6c:81:82:17:61:59:c7:
+                    cd:81:58:ad:13:f3:08:d0:99:62:65:e1:34:0e:e0:
+                    00:77:96:45:63:f8:b6:c1:7e:4f:2e:f9:fd:00:4c:
+                    d3:c1:51:0f:d5:44:9c:40:22:64:be:3b:7c:b0:4c:
+                    71:52:05:57:a1:02:f5:b0:95:10:03:c9:be:48:2c:
+                    f6:79:d4:46:1f:33:1a:67:c3:de:02:a0:06:50:74:
+                    20:0b:32:62:ab:28:1b:e9:37:5c:22:b7:81:03:0e:
+                    0d:a6:e9:2d:4a:30:e0:3a:48:6e:93:55:15:30:fd:
+                    fe:9e:03:26:45:ff:05:4c:d0:f9:ad:74:7c:c5:7b:
+                    5e:91:71:a3:96:a2:d3:94:81:80:50:7c:4d:d5:01:
+                    ec:0f:72:15:4c:f9:58:79:70:70:9b:aa:a5:2b:4e:
+                    e3:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                34:04:A6:AE:98:9D:F5:BA:A9:32:EA:B3:70:7E:4D:02:BE:61:A2:5A
+            X509v3 Authority Key Identifier: 
+                keyid:DD:16:A1:D4:82:18:14:B3:83:75:17:4D:83:67:93:FB:4D:F2:58:B7
+                DirName:/CN=Easy-RSA CA
+                serial:77:82:0D:A8:64:EB:45:7F:2D:A4:D8:C8:2D:57:CB:A7:F1:56:F4:9A
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        64:e4:69:7d:d8:2e:8d:20:fd:b2:59:5e:f8:13:41:85:a2:d3:
+        01:2e:84:d7:8c:50:d0:42:fd:c7:e6:3b:5c:b7:fc:77:a6:93:
+        92:54:63:ed:6e:90:24:c4:93:e6:d1:fb:ee:65:7e:4b:98:fb:
+        44:41:0f:7d:a3:5c:cd:44:69:8c:f9:69:0e:4c:77:1e:cb:0b:
+        13:08:22:f4:93:51:89:da:0d:a4:60:e8:6c:3c:a9:7a:a6:6d:
+        92:d1:33:5c:30:bc:43:54:67:85:ae:26:4f:17:d4:40:da:d4:
+        32:96:30:ef:8b:30:7c:04:36:b8:a8:e5:a3:46:97:99:77:c3:
+        77:1e:5c:12:f3:f6:db:b3:49:3a:d7:e9:02:3f:67:58:9a:54:
+        6f:1a:c2:59:52:8c:4a:5f:bd:41:02:d7:ef:99:75:06:64:6b:
+        6a:68:94:f5:3e:04:67:a8:3e:1f:c0:8b:97:e4:cf:72:04:a9:
+        dd:53:24:b9:62:10:90:c3:ab:e1:f4:c5:4e:f5:e5:de:27:85:
+        11:54:8e:11:68:f8:1c:d0:d5:0a:af:a0:64:27:76:0b:51:67:
+        09:4a:d7:21:ee:b4:44:87:34:e6:73:00:e0:64:92:52:ab:6f:
+        1e:8d:de:84:e9:fb:d9:a5:b8:52:48:6f:01:6c:ed:7b:de:8d:
+        b7:9d:9a:56
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIQGtSV4ILD0ZcmJVFVcwA9/jANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yNTEwMDYxNzI2MzVaFw0yODAxMDkx
+NzI2MzVaMBUxEzARBgNVBAMMCmVteS1sYXB0b3AwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDkXDdh+qywipM9tJo7XJKF2iduBtXIPv2laGiUf3TIsLKN
++NW4Fx+vsxgjwwmgfCD5Z2dMGOS6oxa5jXzN6oYOQiQA28uEx325XpwsPX6EL80x
+cjnEvupTzmKV/MMS7ugobIGCF2FZx82BWK0T8wjQmWJl4TQO4AB3lkVj+LbBfk8u
++f0ATNPBUQ/VRJxAImS+O3ywTHFSBVehAvWwlRADyb5ILPZ51EYfMxpnw94CoAZQ
+dCALMmKrKBvpN1wit4EDDg2m6S1KMOA6SG6TVRUw/f6eAyZF/wVM0PmtdHzFe16R
+caOWotOUgYBQfE3VAewPchVM+Vh5cHCbqqUrTuOJAgMBAAGjgaIwgZ8wCQYDVR0T
+BAIwADAdBgNVHQ4EFgQUNASmrpid9bqpMuqzcH5NAr5holowUQYDVR0jBEowSIAU
+3Rah1IIYFLODdRdNg2eT+03yWLehGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENB
+ghR3gg2oZOtFfy2k2MgtV8un8Vb0mjATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNV
+HQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAGTkaX3YLo0g/bJZXvgTQYWi0wEu
+hNeMUNBC/cfmO1y3/Hemk5JUY+1ukCTEk+bR++5lfkuY+0RBD32jXM1EaYz5aQ5M
+dx7LCxMIIvSTUYnaDaRg6Gw8qXqmbZLRM1wwvENUZ4WuJk8X1EDa1DKWMO+LMHwE
+Nrio5aNGl5l3w3ceXBLz9tuzSTrX6QI/Z1iaVG8awllSjEpfvUEC1++ZdQZka2po
+lPU+BGeoPh/Ai5fkz3IEqd1TJLliEJDDq+H0xU715d4nhRFUjhFo+BzQ1QqvoGQn
+dgtRZwlK1yHutESHNOZzAOBkklKrbx6N3oTp+9mluFJIbwFs7XvejbedmlY=
+-----END CERTIFICATE-----

etc/openvpn/easy-rsa/pki/issued/server.crt

@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f1:1c:11:e2:7c:13:a1:8e:3d:8b:fd:00:10:6d:3e:a9
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct  6 17:26:35 2025 GMT
+            Not After : Jan  9 17:26:35 2028 GMT
+        Subject: CN=server
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bb:2e:ae:5e:e6:9d:d0:ec:e1:63:6d:c8:a8:a5:
+                    08:5f:cb:60:b9:8d:14:59:18:22:46:11:cb:ef:fa:
+                    06:a9:40:05:ef:86:7b:a6:96:1e:45:f0:e2:5e:d1:
+                    86:b5:95:e0:a9:1c:bd:c2:82:4e:c0:58:af:29:c3:
+                    69:fd:c3:a1:33:ad:eb:a0:d4:ea:54:73:1c:f3:a1:
+                    9c:4a:01:02:c9:20:84:11:8c:59:0d:9b:c7:78:4a:
+                    fa:31:d7:85:19:28:05:b0:29:18:3d:73:9e:a6:af:
+                    db:4d:1a:9c:d0:a7:9d:0a:88:a3:fe:54:60:f3:97:
+                    f2:e8:c1:ca:49:8b:6a:ce:40:47:b4:0d:16:37:1d:
+                    d2:23:9b:3a:5a:dc:cb:9f:2e:dc:c9:07:6c:e7:bc:
+                    bb:f9:11:73:1b:e2:18:23:be:07:4a:9e:d0:19:b8:
+                    a1:75:15:64:cb:b2:df:0a:a0:24:5e:5d:0f:31:ad:
+                    38:5d:43:4a:25:4d:f0:22:a1:ad:eb:46:df:d9:7f:
+                    bf:d0:63:50:af:a3:a8:27:98:24:bb:ac:e9:b6:e5:
+                    df:a9:08:b9:04:c0:41:83:7c:0b:8d:cb:68:24:51:
+                    d6:8c:15:21:53:f8:f5:b4:b0:3e:1c:ef:33:43:f0:
+                    ff:df:81:2d:fb:b5:00:52:c3:e7:08:d2:41:13:96:
+                    02:4b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                0F:D3:A1:AB:04:98:97:E8:C0:56:11:18:8D:17:EB:BA:F9:4D:D4:83
+            X509v3 Authority Key Identifier: 
+                keyid:DD:16:A1:D4:82:18:14:B3:83:75:17:4D:83:67:93:FB:4D:F2:58:B7
+                DirName:/CN=Easy-RSA CA
+                serial:77:82:0D:A8:64:EB:45:7F:2D:A4:D8:C8:2D:57:CB:A7:F1:56:F4:9A
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        61:73:c8:ad:42:75:c8:ef:d1:a3:86:06:d2:d3:ca:8c:dd:d7:
+        c4:85:71:b9:bc:04:9e:82:d3:13:b2:d0:ea:d9:40:0b:a0:00:
+        4b:df:c7:95:20:43:d1:0f:a8:c9:4d:aa:0e:84:7f:cd:86:14:
+        b3:fc:1d:04:c8:33:fd:66:77:aa:9b:52:2d:ea:b2:bf:59:38:
+        c9:b1:0e:b2:37:c3:32:3e:11:32:98:50:a3:97:aa:b8:5e:23:
+        b6:83:d7:da:57:97:b5:30:28:ee:2a:49:e4:42:e6:1f:32:4f:
+        b8:3c:14:7b:17:24:38:70:64:a3:21:c8:1e:65:59:d4:66:9c:
+        4c:05:d3:23:1b:97:f6:d4:9c:a9:cf:12:42:77:a5:3d:b4:8a:
+        f5:5e:00:7d:e9:ff:39:23:13:0d:6a:5b:b6:d4:36:eb:d9:b6:
+        6a:2f:f1:42:7c:59:d7:24:54:7f:b1:1b:63:ca:8e:67:28:d1:
+        d8:8c:50:d5:4e:5e:e7:3f:b9:53:5b:3b:1f:a3:8c:86:1e:96:
+        07:dc:5e:e0:31:e5:fb:c2:3e:8b:8d:52:21:3e:1c:eb:ad:24:
+        cd:44:5c:1d:6a:28:cc:d8:eb:0e:68:79:6b:c3:7e:09:b2:7e:
+        32:7d:c9:7b:fa:8f:46:79:5e:e1:ad:c6:cc:18:b2:04:f9:5a:
+        7a:bb:ca:2d
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIRAPEcEeJ8E6GOPYv9ABBtPqkwDQYJKoZIhvcNAQELBQAw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjUxMDA2MTcyNjM1WhcNMjgwMTA5
+MTcyNjM1WjARMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC7Lq5e5p3Q7OFjbciopQhfy2C5jRRZGCJGEcvv+gapQAXvhnum
+lh5F8OJe0Ya1leCpHL3Cgk7AWK8pw2n9w6Ezreug1OpUcxzzoZxKAQLJIIQRjFkN
+m8d4Svox14UZKAWwKRg9c56mr9tNGpzQp50KiKP+VGDzl/LowcpJi2rOQEe0DRY3
+HdIjmzpa3MufLtzJB2znvLv5EXMb4hgjvgdKntAZuKF1FWTLst8KoCReXQ8xrThd
+Q0olTfAioa3rRt/Zf7/QY1Cvo6gnmCS7rOm25d+pCLkEwEGDfAuNy2gkUdaMFSFT
++PW0sD4c7zND8P/fgS37tQBSw+cI0kETlgJLAgMBAAGjgbUwgbIwCQYDVR0TBAIw
+ADAdBgNVHQ4EFgQUD9OhqwSYl+jAVhEYjRfruvlN1IMwUQYDVR0jBEowSIAU3Rah
+1IIYFLODdRdNg2eT+03yWLehGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR3
+gg2oZOtFfy2k2MgtV8un8Vb0mjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8E
+BAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IBAQBhc8it
+QnXI79GjhgbS08qM3dfEhXG5vASegtMTstDq2UALoABL38eVIEPRD6jJTaoOhH/N
+hhSz/B0EyDP9Zneqm1It6rK/WTjJsQ6yN8MyPhEymFCjl6q4XiO2g9faV5e1MCju
+KknkQuYfMk+4PBR7FyQ4cGSjIcgeZVnUZpxMBdMjG5f21JypzxJCd6U9tIr1XgB9
+6f85IxMNalu21Dbr2bZqL/FCfFnXJFR/sRtjyo5nKNHYjFDVTl7nP7lTWzsfo4yG
+HpYH3F7gMeX7wj6LjVIhPhzrrSTNRFwdaijM2OsOaHlrw34Jsn4yfcl7+o9GeV7h
+rcbMGLIE+Vp6u8ot
+-----END CERTIFICATE-----

etc/openvpn/easy-rsa/pki/openssl-easyrsa.cnf

@@ -0,0 +1,149 @@
+# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::EASYRSA_PKI	# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir/certs_by_serial	# default place for new certs.
+
+certificate	= $dir/ca.crt		# The CA certificate
+serial		= $dir/serial		# The current serial number
+crl		= $dir/crl.pem		# The current CRL
+private_key	= $dir/private/ca.key	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= basic_exts		# The extensions to add to the cert
+
+# A placeholder to handle the --copy-ext feature:
+#%COPY_EXTS%	# Do NOT remove or change this line as --copy-ext support requires it
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions	= crl_ext
+
+default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
+default_crl_days	= $ENV::EASYRSA_CRL_DAYS	# how long before next CRL
+default_md	= $ENV::EASYRSA_DIGEST		# use public key default MD
+
+# Note: preserve=no|yes, does nothing for EasyRSA.
+# Use sign-req command option 'preserve' instead.
+preserve	= no			# keep passed DN ordering
+
+# This allows to renew certificates which have not been revoked
+unique_subject	= no
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+serialNumber	= optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits		= $ENV::EASYRSA_KEY_SIZE
+default_keyfile	= privkey.pem
+default_md		= $ENV::EASYRSA_DIGEST
+distinguished_name	= $ENV::EASYRSA_DN
+x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName		= Common Name (eg: your user, host, or server name)
+commonName_max		= 64
+commonName_default	= $ENV::EASYRSA_REQ_CN
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::EASYRSA_REQ_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::EASYRSA_REQ_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::EASYRSA_REQ_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::EASYRSA_REQ_ORG
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= $ENV::EASYRSA_REQ_OU
+
+commonName			= Common Name (eg: your user, host, or server name)
+commonName_max			= 64
+commonName_default		= $ENV::EASYRSA_REQ_CN
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::EASYRSA_REQ_EMAIL
+emailAddress_max		= 64
+
+serialNumber		= Serial-number (eg, device serial-number)
+serialNumber_default	= $ENV::EASYRSA_REQ_SERIAL
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
+#%CA_X509_TYPES_EXTRA_EXTS%	# Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

etc/openvpn/easy-rsa/pki/private/ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC9Aw1gbFKKkHb1
+/FMrQR30mWFJjy/3b8mELf0k0+3GSrJdDqldhM6oRiWD5jx3CogaHhKKmgbB5y2v
+3Oj2xlq787RVx6LWDjFtCYoL9iiqLQdhk/ZO5oaznFDLruiekqLLCbZXpHm0JCAV
+4+zd9ZvmbP5OZGsnmknIPHAmFqO0sD9mn1Ge70rMYrAIBJyrKtH6LrD4LhnU+TqI
+dEwFBCpfz0evaRjGlw9TEJecL3XCVd19hoXF6SWwBroQY3GQfywhY7ZUPvSA74XD
+eK4VjWtC7DKC97D4f3bHbdBtnG8XOPjri0ONnlnAFdEbEzBqH01C3Ebl3AN1700Z
+ZYAlqZW1AgMBAAECggEAAjc2Ma5rZEjvwA/yaKQlhf/DSnG1gfzLO7OvTz51v9iR
+0THyDdDX/FSALZTmGg4jTM0T8hB+qki7uh9IktX968yeTVAfCkvVy/2r4tqCnQYU
+m1H49fFRXGslblHRU8SLyH4HZ20b6R7wSllm5i4yIugdrg0SzX7LRR/iP6wNxLk0
+AW25S/YzDP5CeL1qEbN2fwFbOcLSaLDPZk7JDhLCUbJQAgDZ7gt/LApQV78w0/GM
+MeE50uHTGBtsWNE/oa9dWptjXW2Ee5poTwQHeBWXA/29gMV0oGBXx41J3ttX7TP4
+U1TL9hIgiLW3WEOGOJv0x0pYdxrG443AfnTnJ4GxGQKBgQD0fZGZUJMEd8lKoWzL
+eP/MIYTO7rUMrdUqtOVPDjck6LpYHfXCpi1jFL2t+L1GOjpjBoB8+RGn5V4tzZUH
+H5X+Qu9jxJa7PH5/um/XBaGEFJWxij3R97hakrBW58YBGXpKCp02raQcBCXlPG0z
+D30mjB9y+3oRH/nNJRt0VXzazQKBgQDF6OTTJvU4hVAugIoNTftOVVa/7Pdeye53
+QODB3R8H0AJKWZlYqQ82mkx0KA7xbH27zRr1r+KUOUiC2bmwhhJnHBqHGvv56hc/
+tXL6Lfmy1nKpyav+Ny/bgxvNnReQYZSFSrAjvrV6hMnVDO1OCISIGZSsHJ5t2h54
+eHJ++PZ2iQKBgQDlB/BqD/n5OIF/gSLapTnzLv8rnqBKBVnojNc3LJjp4X4W59H+
+iw9/fsGFhLtCW2+wrjmVWPl6L7r+61QM/UDUlD2PV2zgb3YND0iPxD2e7m2giGEL
+HaU8a6f3cV2iUAyn6bOGsjlG6Xfae7XMHFlfz+nyG7Qo8Kxgyb8jRqYUjQKBgQDB
+UEbLVZ9r8RQsCBRRAJ37mvIckIvkg9wxkia4VpPr3quOEkzuRFx+2mLZhxNpkK6U
+FblCyOXKINYKMj/mBF/PZa0n0RzVtWm2Kje/1c60eDISVNJyg1d01HEA+3Q77ITV
+WeoJUEwV+8TmHTVi5oEGK+6D24SJCuh+hjBYhDjB+QKBgG76WcH8uKX3gngZ6MO7
+qc9TwArnQiXnUjfFh0NijUaqUI/rJF8JEAdK7b6+IRgTK0JjiWS5oFYm9a12y7XP
+TgotywoVy0OkI1Risv9ZqQB1ZnDwUqNr72cfPWGAypA2x3pJUeWNedT49/FCBpSE
+8vBCo8Pva2XXJMg6dLNnJ/cn
+-----END PRIVATE KEY-----

etc/openvpn/easy-rsa/pki/private/emy-laptop.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDkXDdh+qywipM9
+tJo7XJKF2iduBtXIPv2laGiUf3TIsLKN+NW4Fx+vsxgjwwmgfCD5Z2dMGOS6oxa5
+jXzN6oYOQiQA28uEx325XpwsPX6EL80xcjnEvupTzmKV/MMS7ugobIGCF2FZx82B
+WK0T8wjQmWJl4TQO4AB3lkVj+LbBfk8u+f0ATNPBUQ/VRJxAImS+O3ywTHFSBVeh
+AvWwlRADyb5ILPZ51EYfMxpnw94CoAZQdCALMmKrKBvpN1wit4EDDg2m6S1KMOA6
+SG6TVRUw/f6eAyZF/wVM0PmtdHzFe16RcaOWotOUgYBQfE3VAewPchVM+Vh5cHCb
+qqUrTuOJAgMBAAECggEAZtN3RLEhbWUYo+JcyHoIqCjxNEPzo3VptT9sR+GUboHS
+BMeVRI11ASJ9riy2ewMpvePnyYY0CC5Dn02scvQ1ZNo3aAOQgrtpSzzkya7u9wqn
+NKqghI0K6q22Cp+EH1RgSUOClVd9yHWFfca2OJNo1rUab5GWZVRMIY0Stc9aS4mA
+lFG7aw5LJ7NP+Jh4E9XFjzr9IyraV+7h+G0qAZLE8qsA4j8vbtlApojAf9cKPFCc
+MYUeqVjqNx+fBb7E3t13+ffCG2Y/DNinxFMpV7kN7t+fYubZovZsZXdFEYatHCP5
+fMKDwBQYUfmK/pQmDip/HhlOJ8t11uQxQ5UPe3GKeQKBgQD9j9IOunGIPcN5xhZW
+36Y/ZqD/e9hjnqc3LKwFwcElPaXphA/zv1m83tesr+uMRNJIJ1FL+tVv8QtcIGrC
+Ha7oYlbK1mAN6HrVa8tvNZ0wEwRTgdyVtwRnCgBm2ONp7IGW2wX9oK89C3vwky4p
+c1Pm9QLKGqIQryFyolIJcJmgLwKBgQDmjlvB9DolWASKfNRJrVRigoFhX8JXWETv
+clEwzGGX1AmrzyFIE4fQMpYdZk3C2hyTuKlgXqZyXvlRr7rvFxMe0WcEMC7zUgd6
+YFMifgVL6rE/PXpgy6JdMwMBaaP6yxYUz1FbyL0WixZq1bllBm5Z+Xu7RLfNS71a
+urWqLXPRxwKBgQCYOazBXNtmELZ3OB4XP6O+Mm37k61geVIoRLBtsFm1cuJVZAxz
+qHBGfH581QyTpImd+cTL2aYj01GfmHKfYVStfMRgd/0ovGZqFJIIjOZ2gyQ4wiDc
+3QhOl+mP1SwKXouaNpnNH5e1DVz2HFY9WliHspZfIUgkvg9Vk++ubSQ9zwKBgGCR
+XAl+/CPMHArNgjVh7ihctUhNzZ68EBOi9DLWSEJJw8s8tJn15DrmFU43HXbx2Gpf
+PEJrIphhA1idnFSse4u69cUhUWkFALDXS7r0wc8sfBUa8Pk+EcGrriSXVOGk0pjg
+xRkGmXypwTf6UO7ppKr2/kZP4BSTFrq73X9sDkjdAoGBAPpMwaZ8MpLia/WBP7+z
+1A3zUKIjUFysmtacYEUEIRvgivfWkQpCpFjrJN0hwrib2Agzl7fGRpD9tu6/iDFo
+y1ZsWNb5x3StniIFHR+zgWU9+Gd3XMBw4uivWi0cppaYBi8ndNlY59OOL1o8rldJ
+RjRKcYht2Pscsbze8xPJVLt8
+-----END PRIVATE KEY-----

etc/openvpn/easy-rsa/pki/private/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7Lq5e5p3Q7OFj
+bciopQhfy2C5jRRZGCJGEcvv+gapQAXvhnumlh5F8OJe0Ya1leCpHL3Cgk7AWK8p
+w2n9w6Ezreug1OpUcxzzoZxKAQLJIIQRjFkNm8d4Svox14UZKAWwKRg9c56mr9tN
+GpzQp50KiKP+VGDzl/LowcpJi2rOQEe0DRY3HdIjmzpa3MufLtzJB2znvLv5EXMb
+4hgjvgdKntAZuKF1FWTLst8KoCReXQ8xrThdQ0olTfAioa3rRt/Zf7/QY1Cvo6gn
+mCS7rOm25d+pCLkEwEGDfAuNy2gkUdaMFSFT+PW0sD4c7zND8P/fgS37tQBSw+cI
+0kETlgJLAgMBAAECggEAEng7YccvsKXZt43loX5nTSHW8Xgnly2idCIywAMpFRo+
+0QZcEnFNm2khbRRk+RXzjRGg8nMZLNw+AcjzycO77EraV+GqcvAeMzaxzTuRosw/
+5oYKuM+zkahpoka52Lmc62eiqgL2l0v9lPtt7cjG3iXiyKhayK59nCntuUQLIz6u
+kSCTV8+d0e59VOfH9U/D3GXBTEwmdgweIATwEI+iToitX5fHtv6vgxkUiKpQW5mr
+ovRKhRGbPvwc9WO3qTEiT+5RZaVpjRX1rMYejnllQo5jFLFqZ2r9wWfjiWTvLAAr
+0tlI6qXve+UMd+69Fwq04KNFWgoT1UtYMu3pCrPegQKBgQDnGj38p8Edkinl2Np3
+xcT7asVGcOOfTiG2LhxjvpdLE7HbhJiOB/MAIfO6LbuHHrvDBSUAdAp5H1JzOIvR
+F9piTCb66NdGW0TNNfjPDoBTP5vhMHwGB1p9A4Ysueob8HVJWKNV+8gchyNIqHqh
+62cztcjBKo4ujOEM2m6awV4cYwKBgQDPWSFe5vidtFIBgNtJTVZN1PUSbkro2lbs
+RSqEkRRAxg/ZVeXUjo6NjW5mWdMMtE6QL+nBukrbIme/yM4WlnrrgsPd+mKVlEII
+H7XmVSIYKC43xwTexGOOl5hagFugnoKdjMNap4RffgY9rTqfr22PwHbXi9ET4f/g
+el3lvh/i+QKBgHaOsuAr21llQ5NDtYgecFiexMfHYC64sXi5nRzaiNkeKG86Td0H
+XPVjdZq8nWjLLn305K+f2EOc+vpbNvc0qnclJBYyX0YbymcQWi02/kQ27KwQ6H9b
+RGO/7BSD6AMfT7wp+dlBir5/4W0D6a2pi08u4eefAkQFR+sFIBrKOpKLAoGBAMef
+QOB0L9DsxLLL0tKMkVVXfCYlZxss8diAcoG0hzIhPSr5Zs6v/JBNJIeHXQfzI1vv
+tPYdG2pDgm0Cr17Ruz+34kh4gacOWFAn72D0f2GQdYafpZGus0aZrkUbJJvLX2a9
+GWrSsj+ZPfrtJu6L30gxfHjiFAU3ZLhCNtozo9FJAoGBAMKDchAFjYTsz1+bqdCd
+k5hOGJzIIbOpnrL3aPhzrzyc1G+QS7D5rxAL5AxlQgFlU/Z3c6t57jsKv0CqC4dg
+KkyxTdvRr8NZ2piMdAbJ6PeF2qRjmThGHT/K9Y/LyeQ0DJrppJ+IkwmNR9jtMmDq
+gRCWnkwSGjoAPmcA4eGMGpRD
+-----END PRIVATE KEY-----

etc/openvpn/easy-rsa/pki/reqs/emy-laptop.req

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICWjCCAUICAQAwFTETMBEGA1UEAwwKZW15LWxhcHRvcDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAORcN2H6rLCKkz20mjtckoXaJ24G1cg+/aVoaJR/
+dMiwso341bgXH6+zGCPDCaB8IPlnZ0wY5LqjFrmNfM3qhg5CJADby4THfblenCw9
+foQvzTFyOcS+6lPOYpX8wxLu6ChsgYIXYVnHzYFYrRPzCNCZYmXhNA7gAHeWRWP4
+tsF+Ty75/QBM08FRD9VEnEAiZL47fLBMcVIFV6EC9bCVEAPJvkgs9nnURh8zGmfD
+3gKgBlB0IAsyYqsoG+k3XCK3gQMODabpLUow4DpIbpNVFTD9/p4DJkX/BUzQ+a10
+fMV7XpFxo5ai05SBgFB8TdUB7A9yFUz5WHlwcJuqpStO44kCAwEAAaAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQAp3yWupAC5IN3xA54s63ORX6AsguqfesOMmKk0Sc3JINbW
+dSbTCKyD2S7h6gjuinNrXPE8tM7W6ljtOLH0sfOpCK74PrNv6SIOOxjfxwwQf4Z1
+f+iE6QFzm5coJfh2RZpRQQsnUDssiaLDSWERXYNrDBca5Yh5GCJA4jOnh6nlATzK
+Mpx5YKmDGIEOTX+mLfrYZgI9Lz41T0+85+AOK3IIuX5M01tS86D1MXYiWGR/kD0y
+MtR7R5AcnN02eHaWK2md6OFZFq9iPxd1A7sQ+fSS9h5clHaRH6P0ZlcMRm05yEQx
+PdaW6H5ts3/f/HKqvf6B9DwT3LeIsYK49SJfxiiw
+-----END CERTIFICATE REQUEST-----

etc/openvpn/easy-rsa/pki/reqs/server.req

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICVjCCAT4CAQAwETEPMA0GA1UEAwwGc2VydmVyMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuy6uXuad0OzhY23IqKUIX8tguY0UWRgiRhHL7/oGqUAF
+74Z7ppYeRfDiXtGGtZXgqRy9woJOwFivKcNp/cOhM63roNTqVHMc86GcSgECySCE
+EYxZDZvHeEr6MdeFGSgFsCkYPXOepq/bTRqc0KedCoij/lRg85fy6MHKSYtqzkBH
+tA0WNx3SI5s6WtzLny7cyQds57y7+RFzG+IYI74HSp7QGbihdRVky7LfCqAkXl0P
+Ma04XUNKJU3wIqGt60bf2X+/0GNQr6OoJ5gku6zptuXfqQi5BMBBg3wLjctoJFHW
+jBUhU/j1tLA+HO8zQ/D/34Et+7UAUsPnCNJBE5YCSwIDAQABoAAwDQYJKoZIhvcN
+AQELBQADggEBAGVTygl1lsBn+4Ikpr1VDcpSdHf+pLdsr7humX7JczvrtGglHS+t
+d7UFGms8YAULkpmHbufoykodcqW7+AqWiojEjblffw+spktuiySDuRTkNweUHNet
+8+3IHgzeRCVnGtzjAjBD/DsME78B8eJ9QdjhjJZfjnsU8mz/2G5BxBjxntL5VURt
+fhViQmHHgSLrNwHWQnhVC7PpjQukX2zzKeCtrJg8yRWmgkdooJwcjpiigz4IHHVg
+Ujx5oSP49rJ4+/gd+EsdDqTIH8JeVCfX7FXXfxlVZYPwCbAW5tl9mwp9+AZXyQC8
+hDOwaUZ92zM7pz+OHEt0wA4fR0Nv/RFGYOQ=
+-----END CERTIFICATE REQUEST-----

etc/openvpn/easy-rsa/pki/serial

@@ -0,0 +1 @@
+1AD495E082C3D1972625515573003DFF

etc/openvpn/easy-rsa/pki/serial.old

@@ -0,0 +1 @@
+1ad495e082c3d1972625515573003dfe

etc/openvpn/easy-rsa/vars.example

@@ -0,0 +1,231 @@
+# Easy-RSA 3 parameter settings
+
+# NOTE: If you installed Easy-RSA from your package manager, do not edit
+# this file in place -- instead, you should copy the entire easy-rsa directory
+# to another location so future upgrades do not wipe out your changes.
+
+# HOW TO USE THIS FILE
+#
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file "vars" if you want it to be used as a configuration file. If you
+# do not, it WILL NOT be automatically read when you call easyrsa commands.
+#
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without
+# the need to copy and edit the "vars" file.
+#
+# All of the editable settings are shown commented and start with the command
+# "set_var" -- this means any set_var command that is uncommented has been
+# modified by the user. If you are happy with a default, there is no need to
+# define the value to its default.
+
+# NOTES FOR WINDOWS USERS
+#
+# Paths for Windows  *MUST* use forward slashes, or optionally double-escaped
+# backslashes (single forward slashes are recommended.) This means your path
+# to the openssl binary might look like this:
+# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# A little housekeeping: DO NOT EDIT THIS SECTION
+#
+# Easy-RSA 3.x does not source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+	echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
+	echo "no longer necessary and is disallowed. See the section called" >&2
+	echo "*How to use this file* near the top comments for more details." >&2
+	return 1
+fi
+
+# DO YOUR EDITS BELOW THIS POINT
+
+# This variable is used as the base location of configuration files needed by
+# easyrsa.  More specific variables for specific files (eg: EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
+#
+#set_var EASYRSA	"${0%/*}"
+
+# If your OpenSSL command is not in the system PATH, you will need to define
+# the path here. Normally this means a full path to the executable, otherwise
+# you could have left it undefined here and the shown default would be used.
+#
+# Windows users, remember to use paths with forward-slashes (or escaped
+# back-slashes.) Windows users should declare the full path to the openssl
+# binary here if it is not in their system PATH.
+#
+#set_var EASYRSA_OPENSSL	"openssl"
+#
+# This sample is in Windows syntax -- edit it for your path if not using PATH:
+#set_var EASYRSA_OPENSSL	"C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# Edit this variable to point to your soon-to-be-created key directory.
+# By default, this will be "$PWD/pki" (ie: the "pki" subdirectory of the
+# directory you are currently in).
+#
+# WARNING: init-pki will do a rm -rf on this directory so make sure you define
+# it correctly!  Interactive mode will prompt before acting.
+#
+#set_var EASYRSA_PKI		"$PWD/pki"
+
+# Define directory for temporary subdirectories.
+#
+#set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"
+
+# Define X509 DN mode.
+#
+# This is used to adjust which elements are included in the Subject field
+# as the DN ("Distinguished Name"). Note that in 'cn_only' mode the
+# Organizational fields, listed further below, are not used.
+#
+# Choices are:
+#   cn_only  - Use just a commonName value.
+#   org      - Use the "traditional" format:
+#              Country/Province/City/Org/Org.Unit/email/commonName
+#
+#set_var EASYRSA_DN	"cn_only"
+
+# Organizational fields (used with "org" mode and ignored in "cn_only" mode).
+# These are the default values for fields which will be placed in the
+# certificate.  Do not leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email).
+#
+# NOTE: The following characters are not supported
+#       in these "Organizational fields" by Easy-RSA:
+#       back-tick (`)
+#
+#set_var EASYRSA_REQ_COUNTRY	"US"
+#set_var EASYRSA_REQ_PROVINCE	"California"
+#set_var EASYRSA_REQ_CITY	"San Francisco"
+#set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
+#set_var EASYRSA_REQ_EMAIL	"me@example.net"
+#set_var EASYRSA_REQ_OU		"My Organizational Unit"
+
+# Preserve the Distinguished Name field order
+# of the certificate signing request
+# *Only* effective in --dn-mode=org
+#
+#set_var EASYRSA_PRESERVE_DN	1
+
+# Set no password mode - This will create the entire PKI without passwords.
+# This can be better managed by choosing which entity private keys should be
+# encrypted with the following command line options:
+# Global option '--no-pass' or command option 'nopass'.
+#
+#set_var EASYRSA_NO_PASS	1
+
+# Choose a size in bits for your keypairs. The recommended value is 2048.
+# Using 2048-bit keys is considered more than sufficient for many years into
+# the future. Larger keysizes will slow down TLS negotiation and make key/DH
+# param generation take much longer. Values up to 4096 should be accepted by
+# most software. Only used when the crypto alg is rsa, see below.
+#
+#set_var EASYRSA_KEY_SIZE	2048
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+#  * rsa
+#  * ec
+#  * ed
+#
+#set_var EASYRSA_ALGO		rsa
+
+# Define the named curve, used in ec & ed modes:
+#
+#set_var EASYRSA_CURVE		secp384r1
+
+# In how many days should the root CA key expire?
+#
+#set_var EASYRSA_CA_EXPIRE	3650
+
+# In how many days should certificates expire?
+#
+#set_var EASYRSA_CERT_EXPIRE	825
+
+# How many days until the next CRL publish date?  Note that the CRL can still
+# be parsed after this timeframe passes. It is only used for an expected next
+# publication date.
+#
+#set_var EASYRSA_CRL_DAYS	180
+
+# Random serial numbers by default.
+# Set to 'no' for the old incremental serial numbers.
+#
+#set_var EASYRSA_RAND_SN	"yes"
+
+# Cut-off window for checking expiring certificates.
+#
+#set_var EASYRSA_PRE_EXPIRY_WINDOW	90
+
+# Support deprecated "Netscape" extensions? (choices "yes" or "no").
+# The default is "no", to discourage use of deprecated extensions.
+# If you require this feature to use with --ns-cert-type, set this to "yes".
+# This support should be replaced with the more modern --remote-cert-tls
+# feature.  If you do not use --ns-cert-type in your configs, it is safe,
+# and recommended, to leave this defined to "no".
+# When set to "yes", server-signed certs get the nsCertType=server attribute
+# and also get any NS_COMMENT defined below in the nsComment field.
+#
+#set_var EASYRSA_NS_SUPPORT	"no"
+
+# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
+# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
+#
+#set_var EASYRSA_NS_COMMENT	"Easy-RSA Generated Certificate"
+
+# !!
+# NOTE: ADVANCED OPTIONS BELOW THIS POINT
+# PLAY WITH THEM AT YOUR OWN RISK
+# !!
+
+# Broken shell command aliases: If you have a largely broken shell that is
+# missing any of these POSIX-required commands used by Easy-RSA, you will need
+# to define an alias to the proper path for the command.  The symptom will be
+# some form of a "command not found" error from your shell. This means your
+# shell is BROKEN, but you can hack around it here if you really need. These
+# shown values are not defaults: it is up to you to know what you are doing if
+# you touch these.
+#
+#alias awk="/alt/bin/awk"
+#alias cat="/alt/bin/cat"
+
+# X509 extensions directory:
+# If you want to customize the X509 extensions used, set the directory to look
+# for extensions here. Each cert type you sign must have a matching filename,
+# and an optional file named "COMMON" is included first when present. Note that
+# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
+# fallback to $EASYRSA for the "x509-types" dir.  You may override this
+# detection with an explicit dir here.
+#
+#set_var EASYRSA_EXT_DIR	"$EASYRSA/x509-types"
+
+# Non-functional
+# If you want to generate KDC certificates, you need to set the realm here.
+#
+#set_var EASYRSA_KDC_REALM      "CHANGEME.EXAMPLE.COM"
+
+# OpenSSL config file:
+# If you need to use a specific openssl config file, you can reference it here.
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf
+# from the EASYRSA_PKI or EASYRSA dir, in that order. NOTE that this file is
+# Easy-RSA specific and you cannot just use a standard config file, so this is
+# an advanced feature.
+#
+#set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-easyrsa.cnf"
+
+# Cryptographic digest to use.
+# Do not change this default unless you understand the security implications.
+# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
+#
+#set_var EASYRSA_DIGEST		"sha256"
+
+# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
+# in batch mode without any user input, confirmation on dangerous operations,
+# or most output. Setting this to any non-blank string enables batch mode.
+#
+#set_var EASYRSA_BATCH		""

etc/openvpn/easy-rsa/x509-types/COMMON

@@ -0,0 +1,12 @@
+# X509 extensions added to every signed cert
+
+# This file is included for every cert signed, and by default does nothing.
+# It could be used to add values every cert should have, such as a CDP as
+# demonstrated in the following example:
+
+#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl
+
+# The authority information access extension gives details about how to access
+# certain information relating to the CA.
+
+#authorityInfoAccess = caIssuers;URI:http://example.net/pki/my_ca.crt

etc/openvpn/easy-rsa/x509-types/ca

@@ -0,0 +1,12 @@
+# X509 extensions for a ca
+
+# Note that basicConstraints will be overridden by Easy-RSA when defining a
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:1
+
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign

etc/openvpn/easy-rsa/x509-types/client

@@ -0,0 +1,7 @@
+# X509 extensions for a client
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = clientAuth
+keyUsage = digitalSignature

etc/openvpn/easy-rsa/x509-types/code-signing

@@ -0,0 +1,7 @@
+# X509 extensions for a client
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = codeSigning
+keyUsage = digitalSignature

etc/openvpn/easy-rsa/x509-types/email

@@ -0,0 +1,7 @@
+# X509 extensions for email
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = emailProtection
+keyUsage = digitalSignature,keyEncipherment,nonRepudiation

etc/openvpn/easy-rsa/x509-types/kdc

@@ -0,0 +1,21 @@
+# X509 extensions for a KDC server certificate
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+issuerAltName = issuer:copy
+subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM}
+principal_name = EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM}

etc/openvpn/easy-rsa/x509-types/server

@@ -0,0 +1,7 @@
+# X509 extensions for a server
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature,keyEncipherment

etc/openvpn/easy-rsa/x509-types/serverClient

@@ -0,0 +1,7 @@
+# X509 extensions for a client/server
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = serverAuth,clientAuth
+keyUsage = digitalSignature,keyEncipherment