Easy-RSA: adding a client certificate, step by step
# This post only records issuing a client certificate against an already deployed server; it does not cover issuing the server's own certificate.
First add a system user (the client config at the end uses auth-user-pass, so this is the account the username/password login is checked against):
[root@VM-0-4-centos ~]# useradd openvpn_dsm
Issue the client certificate
[root@VM-0-4-centos client]# pwd
/etc/openvpn/client
[root@VM-0-4-centos client]# ./easyrsa gen-req openvpn_dsm nopass
Note: using Easy-RSA configuration from: /etc/openvpn/client/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.............................................+++
..........+++
writing new private key to '/etc/openvpn/client/pki/easy-rsa-21319.aYN22P/tmp.SJRTxO'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [openvpn_dsm]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/openvpn_dsm.req
key: /etc/openvpn/client/pki/private/openvpn_dsm.key
Import the client request into the server-side PKI. Note that the request above was generated on the VPN server itself, in a second Easy-RSA PKI under /etc/openvpn/client, and with nopass, so an unencrypted client private key now sits on the server. Where you can, generate the request on the client machine and send only the .req file to the server; otherwise make sure the key is removed from the server once it has been handed over.
[root@VM-0-4-centos easy-rsa]# ./easyrsa import-req /etc/openvpn/client/pki/reqs/openvpn_dsm.req openvpn_dsm
Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017

The request has been successfully imported with a short name of: openvpn_dsm
You may now use this name to perform signing operations on this request.
Sign the certificate on the server side
[root@VM-0-4-centos easy-rsa]# ./easyrsa sign client openvpn_dsm
Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 36500 days:

subject=
    commonName                = openvpn_dsm

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-21944.w1aA2b/tmp.uYOBBz
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn_dsm'
Certificate is to be certified until May 11 14:43:06 2121 GMT (36500 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/server/easy-rsa/pki/issued/openvpn_dsm.crt

Two things in that output deserve attention. Easy-RSA signs whatever request it is handed without proving who produced it; that is harmless here because the request never left this host, but when a request arrives from another machine, compare its checksum with the sender before typing yes. Second, the certificate is valid for 36500 days (it expires in 2121) because EASYRSA_CERT_EXPIRE in the server's vars is set that high. A 100-year client certificate can only be withdrawn by revoking it and publishing a CRL that the server actually checks (crl-verify), so a much shorter lifetime for client certificates is the safer choice.
The client certificate now exists. The files the client needs are:
/etc/openvpn/server/easy-rsa/pki/ca.crt                    # generated when the server side was built
/etc/openvpn/server/easy-rsa/pki/issued/openvpn_dsm.crt
/etc/openvpn/client/pki/private/openvpn_dsm.key
Now the OpenVPN client can be configured. A few caveats on the options below: the file carries both proto udp and proto tcp-client, but only one should be present, whichever the server uses (OpenVPN takes the last one it reads). comp-lzo enables compression, which is deprecated as of OpenVPN 2.5 and lets an attacker who can inject traffic into the tunnel infer plaintext from compressed sizes (VORACLE), so leave it off unless the server requires it. reneg-sec 0 turns off the client's periodic key renegotiation; the server's own renegotiation interval still applies. script-security 2 is only needed if the config calls up/down scripts. It is also worth adding remote-cert-tls server, so that a certificate this CA issued to another client cannot be used to impersonate the server.

dev tun
# TLS mode: the server side runs tls-server, the client side tls-client
tls-client
proto udp
remote xxx.xxx.xxx.xxx 1194
pull
# only one proto line should remain; keep the one that matches the server
proto tcp-client
script-security 2
# compress data; server and client must agree (see the caveat above)
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
**** PEM body goes here ****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
**** PEM body goes here ****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
**** PEM body goes here ****
-----END PRIVATE KEY-----
</key>
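The following shell script is an added example of mine, not code from the post: it takes the three files listed above, checks that the certificate really chains to ca.crt and that the private key belongs to it, prints the validity window so a 36500-day lifetime is noticed, and writes the inline .ovpn in one go. Assumptions: the openssl CLI is on the path; the server's certificate was issued with easyrsa sign server, which the remote-cert-tls server line in the template requires (the post's config does not have that line); the server address is passed as the fourth argument because the post elides it; comp-lzo and reneg-sec 0 are deliberately left out of the template.

```shell
#!/bin/sh
# Added example (not from the original post): check the easyrsa output files
# and bundle them into one inline OpenVPN client config.
# Usage: sh bundle.sh ca.crt openvpn_dsm.crt openvpn_dsm.key <server-address> > openvpn_dsm.ovpn
set -eu

# Is the certificate signed by this CA, and acceptable as a TLS client cert?
check_chain() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Compare the SHA-256 of the
# DER-encoded public key taken from each side.
check_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# notBefore/notAfter of the certificate, so an absurd lifetime is visible.
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Emit an inline client config. Each file is re-encoded through openssl so only
# the PEM block is embedded (easyrsa's issued .crt has a text dump before it).
# remote-cert-tls server assumes the server cert was issued with "sign server".
build_ovpn() {
    ca="$1"; cert="$2"; key="$3"; remote="$4"
    cat <<EOF
client
dev tun
proto udp
remote $remote 1194
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
auth-user-pass
verb 3
<ca>
$(openssl x509 -in "$ca")
</ca>
<cert>
$(openssl x509 -in "$cert")
</cert>
<key>
$(openssl pkey -in "$key")
</key>
EOF
}

main() {
    ca="$1"; cert="$2"; key="$3"; remote="$4"
    check_chain "$ca" "$cert"    || { echo "certificate is not signed by $ca" >&2; exit 1; }
    check_keypair "$cert" "$key" || { echo "private key does not match $cert" >&2; exit 1; }
    cert_dates "$cert" >&2
    build_ovpn "$ca" "$cert" "$key" "$remote"
}

if [ $# -ge 4 ]; then
    main "$@"
fi
```

Run it with the three paths from the file list and the server address; the checks go to stderr and the finished config to stdout, so redirecting stdout to openvpn_dsm.ovpn gives a file that contains the private key and should be handed to the client over a protected channel and then deleted from the server.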