easy-rsa - Simple shell based CA utility
Installation
cd /etc/openvpn/easy-rsa
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar zxvf EasyRSA-unix-v3.0.6.tgz
cd EasyRSA-v3.0.6
Configuration
vi vars
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "TW"
set_var EASYRSA_REQ_PROVINCE "Taiwan"
set_var EASYRSA_REQ_CITY "Taiwan"
set_var EASYRSA_REQ_ORG "SSORC"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "SSORC"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "SSORC"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
The next command initializes the pki directory under the current directory. If it already exists, the tool says it will delete it, but in fact it only empties it (so running it on a fresh setup is not strictly required either).
./easyrsa init-pki
Create the CA
./easyrsa build-ca nopass
Create the server-side certificate request (CSR) and private key
./easyrsa gen-req ssorc-server nopass
Sign it
./easyrsa sign-req server ssorc-server
Or do both in one step
./easyrsa build-server-full ssorc-server nopass
The pki directory will then contain
pki/ca.crt
pki/dh.pem
pki/private/ca.key
pki/private/ssorc-server.key
pki/reqs/ssorc-server.req
pki/issued/ssorc-server.crt
Verify it
openssl verify -CAfile pki/ca.crt pki/issued/ssorc-server.crt
pki/issued/ssorc-server.crt: OK
Issue a certificate for the client side
./easyrsa gen-req ssorc-client nopass
./easyrsa sign-req client ssorc-client
openssl verify -CAfile pki/ca.crt pki/issued/ssorc-client.crt
Generate the DH parameters
./easyrsa gen-dh
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/EasyRSA-v3.0.6/pki/dh.pem
Generate the CRL (that is, ta.key)
./easyrsa gen-crl
An updated CRL has been created. CRL file: /etc/openvpn/easy-rsa/EasyRSA-v3.0.6/pki/crl.pem
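Once the steps above have run, the following script checks that every issued certificate actually matches what vars asked for: issued by this CA, not listed in crl.pem (when gen-crl has been run), carrying the extendedKeyUsage of the x509-type it was signed with, a 2048-bit RSA key, SHA-256 signature, and no longer validity than EASYRSA_CERT_EXPIRE. It is an added example, not code from easy-rsa or from the original post; it assumes the pki/ layout shown above, the ssorc-server and ssorc-client names, and an openssl binary on PATH.

```shell
#!/bin/sh
# Post-build sanity checks for an easy-rsa 3 PKI built with the vars in this post.
# Added example (not part of easy-rsa). Assumes the pki/ layout shown above and openssl on PATH.
set -u

# check_issued PKI_DIR NAME TYPE -> exit status 0 when the certificate passes every check.
#   TYPE is "server" or "client" and selects the extendedKeyUsage that sign-req <type> adds.
#   Usage after the steps above: check_issued pki ssorc-server server; check_issued pki ssorc-client client
check_issued() {
  pki=$1; name=$2; type=$3
  crt="$pki/issued/$name.crt"; ca="$pki/ca.crt"
  [ -r "$crt" ] && [ -r "$ca" ] || { echo "$name: missing $crt or $ca"; return 1; }

  # 1. Chain: the certificate must be signed by this CA (same check as `openssl verify` above).
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "$name: not issued by $ca"; return 1; }

  # 2. Revocation: if ./easyrsa gen-crl has produced crl.pem, the certificate must not be on it.
  if [ -r "$pki/crl.pem" ]; then
    openssl verify -crl_check -CAfile "$ca" -CRLfile "$pki/crl.pem" "$crt" >/dev/null 2>&1 \
      || { echo "$name: revoked, or crl.pem is not valid for this CA"; return 1; }
  fi

  text=$(openssl x509 -in "$crt" -noout -text)

  # 3. The x509-type used with sign-req decides the extendedKeyUsage; a client cert must not pass as a server.
  case $type in
    server) eku="TLS Web Server Authentication" ;;
    client) eku="TLS Web Client Authentication" ;;
    *) echo "$name: unknown type $type"; return 1 ;;
  esac
  printf '%s\n' "$text" | grep -q "$eku" || { echo "$name: extendedKeyUsage is not $type"; return 1; }

  # 4. Algorithms must match EASYRSA_KEY_SIZE 2048 and EASYRSA_DIGEST sha256 from vars.
  printf '%s\n' "$text" | grep -q "Public-Key: (2048 bit)" \
    || { echo "$name: key is not 2048-bit RSA"; return 1; }
  printf '%s\n' "$text" | grep -q "Signature Algorithm: sha256WithRSAEncryption" \
    || { echo "$name: signature digest is not sha256"; return 1; }

  # 5. EASYRSA_CERT_EXPIRE 3650: the cert must expire within 3650 days (+1 day slack for the
  #    time that passed since signing). -checkend exits 0 only if the cert will NOT expire in time.
  if openssl x509 -in "$crt" -noout -checkend $((3651 * 86400)) >/dev/null 2>&1; then
    echo "$name: validity longer than EASYRSA_CERT_EXPIRE"; return 1
  fi
  return 0
}
```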
Reference: How to Install OpenVPN Server and Client with Easy-RSA 3 on CentOS 8