Reference: OpenVPN/easy-rsa

easy-rsa - Simple shell based CA utility

Installation

cd /etc/openvpn/easy-rsa
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar zxvf EasyRSA-unix-v3.0.6.tgz
cd EasyRSA-v3.0.6

Configuration

vi vars

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "TW"
set_var EASYRSA_REQ_PROVINCE    "Taipei"
set_var EASYRSA_REQ_CITY        "Taipei"
set_var EASYRSA_REQ_ORG         "SSORC"
set_var EASYRSA_REQ_EMAIL       "cross@ssorc.tw"
set_var EASYRSA_REQ_OU          "SSORC"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       3650
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "SSORC"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

This initializes the pki directory under the current directory. If it already exists, it says it will delete it, but it only empties it (so you don't really need it at the start either).

./easyrsa init-pki

Build the CA

./easyrsa build-ca

Create the server-side certificate request (CSR) and private key

./easyrsa gen-req ssorc-server nopass

Sign it

./easyrsa sign-req server ssorc-server

The pki directory will then contain

pki/ca.crt
pki/private/ca.key
pki/private/ssorc-server.key
pki/reqs/ssorc-server.req
pki/issued/ssorc-server.crt

Verify it

openssl verify -CAfile pki/ca.crt pki/issued/ssorc-server.crt
pki/issued/ssorc-server.crt: OK

Issue a certificate for the client side

./easyrsa gen-req ssorc-client nopass
./easyrsa sign-req client ssorc-client
openssl verify -CAfile pki/ca.crt pki/issued/ssorc-client.crt

Generate the DH parameters

./easyrsa gen-dh
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/EasyRSA-v3.0.6/pki/dh.pem

Generate the CRL (that is, ta.key)

./easyrsa gen-crl
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/EasyRSA-v3.0.6/pki/crl.pem
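An added check that is not part of the original post or of easy-rsa: a POSIX shell function that verifies the issued certificates the way OpenVPN's `remote-cert-tls server` option relies on them, confirming that the certificate signed with `sign-req server` is usable as a TLS server, the one signed with `sign-req client` is usable as a TLS client, and the client certificate is rejected for server use. `make_demo_pki`, the CA name `demo CA` and the names `demo-server`/`demo-client` are assumptions: a constructed stand-in built with plain openssl that mimics the pki/ layout above so the check can run without easy-rsa.

```shell
#!/bin/sh
# Added example (not part of easy-rsa or the original post).
# check_pki PKI_DIR SERVER_NAME CLIENT_NAME
# Verifies what OpenVPN relies on after sign-req:
#   1. the server cert chains to ca.crt and is valid for TLS server use
#   2. the client cert chains to ca.crt and is valid for TLS client use
#   3. the client cert is NOT valid for TLS server use, so a leaked client
#      cert cannot pose as the VPN server (what "remote-cert-tls server" checks)
# Returns 0 on success, or 1/2/3 for the check that failed.
check_pki() {
  pki=$1; srv=$2; cli=$3; ca="$pki/ca.crt"
  openssl verify -CAfile "$ca" -purpose sslserver "$pki/issued/$srv.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$ca" -purpose sslclient "$pki/issued/$cli.crt" >/dev/null 2>&1 || return 2
  if openssl verify -CAfile "$ca" -purpose sslserver "$pki/issued/$cli.crt" >/dev/null 2>&1; then
    return 3
  fi
  return 0
}

# make_demo_pki DIR: constructed stand-in for easy-rsa output (same layout, the
# same extendedKeyUsage values easy-rsa's "server" and "client" x509-types set,
# same 2048-bit RSA / sha256 / 3650 and 365 day lifetimes as the vars above).
make_demo_pki() {
  d=$1; mkdir -p "$d/private" "$d/issued" "$d/reqs"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo CA" \
    -keyout "$d/private/ca.key" -out "$d/reqs/ca.req" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$d/reqs/ca.req" -signkey "$d/private/ca.key" \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  for pair in server:serverAuth client:clientAuth; do
    kind=${pair%%:*}; eku=${pair##*:}; name="demo-$kind"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
      "$eku" > "$d/$kind.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
      -keyout "$d/private/$name.key" -out "$d/reqs/$name.req" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$d/reqs/$name.req" -CA "$d/ca.crt" \
      -CAkey "$d/private/ca.key" -CAcreateserial -extfile "$d/$kind.ext" \
      -out "$d/issued/$name.crt" 2>/dev/null
  done
}

# Stand-alone run against a throwaway PKI; point check_pki at your real pki/ instead.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_pki "$demo" demo-server demo-client && echo "PKI OK" || echo "PKI check failed: $?"
rm -rf "$demo"
```

Against the PKI built above, run `check_pki /etc/openvpn/easy-rsa/EasyRSA-v3.0.6/pki ssorc-server ssorc-client`; a non-zero return tells you which of the three checks failed.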

Reference: How to Install OpenVPN Server and Client with Easy-RSA 3 on CentOS 8

Last modified: 3 February 2020
