Easy-RSA: steps for adding a client certificate

# This post only records issuing a certificate to a client against an already-deployed server; it does not cover issuing the server's own certificate.

First, add the user:

[root@VM-0-4-centos ~]# useradd openvpn_dsm

Generate the client key and certificate request

[root@VM-0-4-centos client]# pwd
/etc/openvpn/client
[root@VM-0-4-centos client]# ./easyrsa gen-req openvpn_dsm nopass

Note: using Easy-RSA configuration from: /etc/openvpn/client/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............................................+++
..........+++
writing new private key to '/etc/openvpn/client/pki/easy-rsa-21319.aYN22P/tmp.SJRTxO'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [openvpn_dsm]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/openvpn_dsm.req
key: /etc/openvpn/client/pki/private/openvpn_dsm.key

Import the client certificate request into the server-side Easy-RSA

[root@VM-0-4-centos easy-rsa]# ./easyrsa import-req /etc/openvpn/client/pki/reqs/openvpn_dsm.req openvpn_dsm

Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: openvpn_dsm
You may now use this name to perform signing operations on this request.

Sign the certificate on the server

[root@VM-0-4-centos easy-rsa]# ./easyrsa sign client openvpn_dsm

Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 36500 days:

subject=
    commonName                = openvpn_dsm


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-21944.w1aA2b/tmp.uYOBBz
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn_dsm'
Certificate is to be certified until May 11 14:43:06 2121 GMT (36500 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/server/easy-rsa/pki/issued/openvpn_dsm.crt

The client certificate has now been generated. The files needed are at the following paths:

/etc/openvpn/server/easy-rsa/pki/ca.crt # this file was generated when the server was built
/etc/openvpn/server/easy-rsa/pki/issued/openvpn_dsm.crt
/etc/openvpn/client/pki/private/openvpn_dsm.key

The OpenVPN client can now be configured.

dev tun
tls-client # use TLS-encrypted transport; the server end is tls-server, the client end is tls-client
proto udp
remote xxx.xxx.xxx.xxx 1194
pull
proto tcp-client # conflicts with the "proto udp" line above; keep only the one that matches the server
script-security 2
comp-lzo # compress the data; the server and client settings must match
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
**** the PEM-encoded body goes here ****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
**** the PEM-encoded body goes here ****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
**** the PEM-encoded body goes here ****
-----END PRIVATE KEY-----
</key>
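
As an added example (not part of the original post, and not Easy-RSA's own tooling), the following POSIX shell script checks that the three files listed above really belong together before they are pasted into the profile: the issued certificate must chain to ca.crt, its public key must match the client's private key, and it must carry the client usage that "easyrsa sign client" sets. It then assembles the inline profile; it assumes only the openssl CLI, and the server IP and output file name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from Easy-RSA. Checks that
# ca.crt, issued/<name>.crt and private/<name>.key belong together, then
# assembles the inline client profile. Needs only the openssl CLI.
set -eu

# check_client_bundle CA CERT KEY
# Returns 0 when CERT chains to CA, its public key matches KEY, and it carries
# the clientAuth usage that "easyrsa sign client" sets; returns 1 otherwise.
check_client_bundle() {
  ca="$1"; cert="$2"; key="$3"
  # 1. the cert must be signed by the CA the server trusts
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # 2. public key in the cert must equal the one derived from the private key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # 3. it must be a client cert; -text works on OpenSSL 1.0.2 as well
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'
}

# build_ovpn SERVER_IP CA CERT KEY  ->  inline client profile on stdout.
# "openssl x509" re-emits just the PEM, so the human-readable dump Easy-RSA
# prepends to issued/*.crt is not pasted into the profile.
build_ovpn() {
  remote="$1"; ca="$2"; cert="$3"; key="$4"
  check_client_bundle "$ca" "$cert" "$key" || return 1
  printf 'dev tun\ntls-client\npull\nproto udp\nremote %s 1194\n' "$remote"
  # remote-cert-tls server: reject a peer that presents another client cert
  printf 'remote-cert-tls server\ncipher AES-256-CBC\nauth SHA512\n'
  printf '<ca>\n';   openssl x509 -in "$ca";   printf '</ca>\n'
  printf '<cert>\n'; openssl x509 -in "$cert"; printf '</cert>\n'
  printf '<key>\n';  cat "$key";               printf '</key>\n'
}

# usage (paths from the walkthrough; the server IP is a placeholder):
#   build_ovpn 192.0.2.1 /etc/openvpn/server/easy-rsa/pki/ca.crt \
#     /etc/openvpn/server/easy-rsa/pki/issued/openvpn_dsm.crt \
#     /etc/openvpn/client/pki/private/openvpn_dsm.key > openvpn_dsm.ovpn
```

A non-zero exit from build_ovpn means one of the three files does not belong to this client, which is exactly the case the "request has not been cryptographically verified" notice in the signing output warns about.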

posted @ 2021-06-04 23:06 by 昨天的小冉, 923 reads, 0 comments