openvpn创建证书步骤

2019-03-22

easy-rsa - Simple shell based CA utility.

1、下载easyrsa3.
# -c resumes an interrupted download. master.zip is the unpinned tip of the master branch,
# so what you get is not reproducible; for CA tooling prefer a tagged release archive.
wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
或者
# Clones the repository at its current HEAD; like the zip above this is unpinned —
# check out a release tag before building a CA with it.
git clone https://github.com/OpenVPN/easy-rsa.git
2、或者用yum安装
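# Alternative to downloading: install from the distribution repositories
# (CentOS/RHEL; openvpn and easy-rsa come from EPEL).
yum install epel-release
# Show the distribution release (informational; needs the redhat-lsb package).
lsb_release -a

# Refresh the package metadata. `makecache` is a yum subcommand, not a package name,
# so it must not be passed to `yum install` as the original did.
yum makecache
# Build/runtime dependencies: OpenSSL, LZO compression, PAM, autotools.
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
yum install -y openvpn easy-rsa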

3、client.crt和server.crt的ca是一样的。
复制两份easyrsa
# Two independent easy-rsa working copies: the "server" copy holds the CA and does all
# signing, the "client" copy only generates certificate requests (see steps 5 and 6).
cp -av /opt/openvpn/easyrsa3 /opt/easyrsa3/server
cp -av /opt/openvpn/easyrsa3 /opt/easyrsa3/client

4、vars变量文件并不是必须的,可用 ./easyrsa --vars=FILE 指定。
# Excerpt of an easy-rsa 'vars' file. It is read by ./easyrsa itself (--vars=FILE or a
# 'vars' file next to the script), not sourced by the user: the guard below refuses to run
# unless easyrsa set EASYRSA_CALLER. (`return` only works when the file is sourced, which
# is why this excerpt cannot be executed as a stand-alone script.)
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
# set_var is defined by easyrsa: it exports the variable with the given default unless a
# variable of that name is already set in the environment (environment wins).
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only" # cn_only: the request DN carries only the Common Name
# NOTE(review): the two EASYRSA_DN lines are alternatives — keep exactly one. Because
# set_var does not overwrite an already-set variable, with both present the first value
# ("cn_only") is the one in effect and the EASYRSA_REQ_* fields below are ignored —
# confirm against the set_var of the easy-rsa version in use.
set_var EASYRSA_DN "org" # "org" mode: the EASYRSA_REQ_* fields below become part of the DN
set_var EASYRSA_REQ_COUNTRY "CN" # country
set_var EASYRSA_REQ_PROVINCE "BEIJING" # province / state
set_var EASYRSA_REQ_CITY "BEIJING" # city
set_var EASYRSA_REQ_ORG "OpenVPN CERTIFICATE AUTHORITY" # organization
set_var EASYRSA_REQ_EMAIL "9239604@qq.com" # administrator e-mail
set_var EASYRSA_REQ_OU "OpenVPN EASY CA" # organizational unit
set_var EASYRSA_KEY_SIZE 2048 # key length in bits
set_var EASYRSA_ALGO rsa # key algorithm
set_var EASYRSA_CA_EXPIRE 7000 # CA certificate lifetime, in days (~19 years)
# NOTE(review): ten-year server/client certificates make the CRL the only way to cut off a
# lost or stolen key; consider a shorter lifetime for client certificates.
set_var EASYRSA_CERT_EXPIRE 3650 # issued certificate lifetime, in days
set_var EASYRSA_NS_SUPPORT "no" # legacy Netscape certificate extensions: disabled
set_var EASYRSA_NS_COMMENT "OpenVPN CERTIFICATE AUTHORITY" # only used when NS support is on
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" # directory with the ca/server/client x509 templates
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" # OpenSSL config easyrsa passes to openssl
set_var EASYRSA_DIGEST "sha256" # signature digest for requests and certificates
5、创建ca.crt和server.crt证书
cd /opt/easyrsa3/server
# Initialize: creates pki/ under the current directory for intermediate state and the
# generated certificates. If pki/ already exists, the CA previously created in it is wiped.
./easyrsa init-pki
# Remember the CA passphrase: it is required every time a server or client request is signed.
./easyrsa build-ca
# Alternative to the line above: create the CA without a passphrase (run only one of the two
# build-ca lines). An unencrypted ca.key gives anyone who can read the file full signing
# power over this PKI — keep the CA key passphrase-protected or on an offline machine.
./easyrsa build-ca nopass
# Create server.req and server.key. No passphrase on the server key, otherwise the service
# prompts for it at every start.
./easyrsa gen-req server nopass
# Issue server.crt: confirm the details with "yes", then enter the passphrase chosen at
# build-ca (`sign` is accepted as the short form of `sign-req` in easy-rsa 3).
./easyrsa sign server server
# Generate Diffie-Hellman parameters (dh.pem); this takes a while.
./easyrsa gen-dh
# Generate the revocation list crl.pem. `./revoke-full client1` is easy-rsa 2 syntax; with
# easy-rsa 3 revoke via `./easyrsa revoke client1`, re-run gen-crl and redeploy crl.pem.
./easyrsa gen-crl
# Generate ta.key, the tls-auth shared key that lets the server discard packets without a
# valid HMAC before the TLS handshake (DoS / UDP-flood mitigation). The last argument is the
# output path relative to the current directory, i.e. /opt/easyrsa3/server/keys/ta.key;
# the keys/ directory presumably has to exist first — confirm. Every client needs a copy of
# this key alongside its own certificate when the server enables tls-auth.
openvpn --genkey --secret keys/ta.key

6、生成客户端证书,假设用户名为client1
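cd /opt/easyrsa3/client/
# Create an empty PKI structure (directories and bookkeeping files) for the client side.
./easyrsa init-pki
# When a pki/ directory already exists, init-pki asks for confirmation. The prompt looks like
# this (the path shown is whatever EASYRSA_PKI resolves to for this copy); the original
# notes pasted it as if it were two commands, which breaks the listing:
#   You are about to remove the EASYRSA_PKI at: /etc/openvpn/easyrsa3/pki
#   and initialize a fresh PKI here. Confirm removal:
# Generate requests and keys; `nopass` leaves the client private keys unencrypted on disk,
# so restrict access to pki/private/ and to any bundle they are shipped in.
./easyrsa gen-req client1 nopass
./easyrsa gen-req tomcat nopass
# Back in the easyrsa3 copy that holds the CA: import the client request and sign it
# with the server-side CA. (The original wrote this step as untagged prose inside the listing.)
cd /opt/easyrsa3/server
./easyrsa import-req /opt/easyrsa3/client/pki/reqs/client1.req client1
./easyrsa sign client client1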

7、整理ca.crt/server.crt/client1.crt
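# Collect the server-side material in OpenVPN's configuration directory.
mkdir -p /etc/openvpn/keys
cp /opt/easyrsa3/server/pki/ca.crt /etc/openvpn/keys
# easy-rsa writes private keys to pki/private/<name>.key and certificates to
# pki/issued/<name>.crt; the original copied "private/server.crt", which does not exist,
# and never copied the server key at all.
cp /opt/easyrsa3/server/pki/private/server.key /etc/openvpn/keys
cp /opt/easyrsa3/server/pki/issued/server.crt /etc/openvpn/keys
cp /opt/easyrsa3/server/pki/dh.pem /etc/openvpn/keys
cp /opt/easyrsa3/server/pki/crl.pem /etc/openvpn/keys
# ta.key was written to keys/ta.key relative to /opt/easyrsa3/server in step 5; the server
# config expects it next to the other files when tls-auth is enabled.
cp /opt/easyrsa3/server/keys/ta.key /etc/openvpn/keys
# server.key and ta.key are secrets: root-only. ca.key stays in pki/private and is never
# copied here.
chmod 600 /etc/openvpn/keys/server.key /etc/openvpn/keys/ta.key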

8、打包客户证书发给用户
生成客户端配置文件client1.ovpn
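# Write the client configuration (remote host/port/proto, ca/cert/key file names, and
# tls-auth if the server uses it).
vi /opt/easyrsa3/client/client1.ovpn

# Stage exactly what the client needs: the CA certificate, its own certificate and key,
# and the config. Paths use /opt/easyrsa3 like the rest of the page (the original had
# "easy-rsa3"), and the file names match the "client1" request/cert created in step 6
# (the original copied "client.crt"/"client.key", which were never generated).
mkdir -p /etc/openvpn/client_keys
cp /opt/easyrsa3/server/pki/ca.crt /etc/openvpn/client_keys
cp /opt/easyrsa3/server/pki/issued/client1.crt /etc/openvpn/client_keys
cp /opt/easyrsa3/client/pki/private/client1.key /etc/openvpn/client_keys
cp /opt/easyrsa3/client/client1.ovpn /etc/openvpn/client_keys
# If the server config enables tls-auth/tls-crypt, the client also needs ta.key:
#   cp /opt/easyrsa3/server/keys/ta.key /etc/openvpn/client_keys

# Archive from the staging directory so the member names resolve (the original ran tar in
# whatever directory it happened to be in, where none of these files exist). The bundle
# contains an unencrypted private key: hand it over through a protected channel and remove
# the staging copy afterwards.
tar zcf client1.gz -C /etc/openvpn/client_keys ca.crt client1.crt client1.key client1.ovpn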
ca.key(CA私钥)绝不能发给客户端,client1.csr客户端也不需要。
