# This post is only a record of issuing a client certificate for a server that is already deployed; it does not cover issuing the server's own certificate.
First, add the user:
[root@VM-0-4-centos ~]# useradd openvpn_dsm
Issue the client certificate
[root@VM-0-4-centos client]# pwd
/etc/openvpn/client
[root@VM-0-4-centos client]# ./easyrsa gen-req openvpn_dsm nopass
Note: using Easy-RSA configuration from: /etc/openvpn/client/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............................................+++
..........+++
writing new private key to '/etc/openvpn/client/pki/easy-rsa-21319.aYN22P/tmp.SJRTxO'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [openvpn_dsm]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/openvpn_dsm.req
key: /etc/openvpn/client/pki/private/openvpn_dsm.key
Import the client request on the server
[root@VM-0-4-centos easy-rsa]# ./easyrsa import-req /etc/openvpn/client/pki/reqs/openvpn_dsm.req openvpn_dsm
Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: openvpn_dsm
You may now use this name to perform signing operations on this request.
Sign the certificate on the server
[root@VM-0-4-centos easy-rsa]# ./easyrsa sign client openvpn_dsm
Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 36500 days:

subject=
    commonName                = openvpn_dsm

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-21944.w1aA2b/tmp.uYOBBz
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn_dsm'
Certificate is to be certified until May 11 14:43:06 2121 GMT (36500 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/server/easy-rsa/pki/issued/openvpn_dsm.crt
The client certificate has now been generated. The files you need are at the following paths:
/etc/openvpn/server/easy-rsa/pki/ca.crt   # this file was generated when the server was built
/etc/openvpn/server/easy-rsa/pki/issued/openvpn_dsm.crt
/etc/openvpn/client/pki/private/openvpn_dsm.key
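Before pasting these three files into the client config, it is worth confirming that they actually belong together: that the issued certificate chains to this CA, that the key kept in the client pki matches it, and that it was signed with the client type. The shell function below is an added example, not part of the original post or of Easy-RSA; it assumes only the openssl command line tool and takes the three paths above as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an Easy-RSA issued
# client bundle before pasting it into the .ovpn file. Assumes only the
# openssl CLI; the arguments are the ca.crt, issued .crt and .key listed above.

# Usage: check_client_bundle ca.crt client.crt client.key
# Returns 0 when the bundle is consistent, 1/2/3 for the check that failed.
check_client_bundle() {
    ca="$1"; crt="$2"; key="$3"

    # 1. Chain: the issued cert must validate against the CA the server trusts.
    #    Easy-RSA warned that the request was "not cryptographically verified";
    #    this at least proves the cert we hold was signed by this CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "chain: $crt is not signed by $ca"; return 1; }

    # 2. Pairing: the key never left the client pki, so compare the public
    #    keys instead of trusting matching file names.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "pairing: cannot read private key $key"; return 2; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "pairing: $key does not match $crt"; return 2; }

    # 3. Purpose: "easyrsa sign client" sets EKU clientAuth. A certificate
    #    signed with the server type must not be handed to a client.
    openssl x509 -in "$crt" -noout -purpose | grep -q '^SSL client : Yes' \
        || { echo "purpose: $crt is not a TLS client certificate"; return 3; }

    # Warn (without failing) on very long lifetimes such as the 36500 days
    # above: -checkend exits 0 when the cert is still valid after the window.
    if openssl x509 -in "$crt" -noout -checkend $((3650 * 86400)) >/dev/null 2>&1; then
        echo "warning: $crt is valid for more than 10 years; plan on revocation, not expiry"
    fi

    echo "ok: $(openssl x509 -in "$crt" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}

# Run directly with the three paths from this post, e.g.
# ./check_bundle.sh ca.crt issued/openvpn_dsm.crt private/openvpn_dsm.key
if [ "$#" -eq 3 ]; then
    check_client_bundle "$@"
fi
```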
The OpenVPN client can now be configured.
dev tun
tls-client
# Use TLS for the transport: this side is the tls-client, the server side is the tls-server
proto udp
remote xxx.xxx.xxx.xxx 1194
pull
proto tcp-client
# NOTE: the two proto lines above conflict; keep only the one the server actually uses (udp or tcp-client)
script-security 2
comp-lzo
# Compress the data; the server and client settings must match
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
****PEM body goes here****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
****PEM body goes here****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
****PEM body goes here****
-----END PRIVATE KEY-----
</key>