Original poster | Posted on 2021-10-1 15:22:05
4. Generating the server key file
Create it with the build-key-server command in the current directory.
[root@VPN-A 2.0]# ./build-key-server server <-- the trailing "server" is the file name you specify
Note: once this name is defined, it will be referenced from here on.
[root@VPN-A 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
......++++++
...................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <-- press Enter to accept the default
State or Province Name (full name) [GD]: <-- press Enter to accept the default
Locality Name (eg, city) [ShenZhen]: <-- press Enter to accept the default
Organization Name (eg, company) [SYS]: <-- press Enter to accept the default
Organizational Unit Name (eg, section) [tear]: <-- press Enter to accept the default
Common Name (eg, your name or your server's hostname) [server]: <-- press Enter to accept the default
Name [tear]: <-- press Enter to accept the default
Email Address [tear@sys.local]: <-- press Enter to accept the default
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 <-- a password is required here; it is the challenge password for the certificate request. It is set to 123456 here; change it to suit your needs.
An optional company name []:sys <-- an optional company name
Using configuration from /home/tear/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'ShenZhen'
organizationName      :PRINTABLE:'SYS'
organizationalUnitName:PRINTABLE:'tear'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'tear'
emailAddress          :IA5STRING:'tear@sys.local'
Certificate is to be certified until Aug 12 07:17:54 2026 GMT (3650 days)
Sign the certificate? [y/n]:y <-- enter y

1 out of 1 certificate requests certified, commit? [y/n]y <-- enter y
Write out database with 1 new entries
Data Base Updated <-- this message means it succeeded
Check the generated certificate files:
[root@VPN-A 2.0]# ls keys/
01.pem ca.key index.txt.attr serial server.crt server.key
ca.crt index.txt index.txt.old serial.old server.csr
5. Generating the client certificate and key file
Note: you can generate a separate certificate and key file for each user, which makes management easier later on.
Use the build-key command in the current directory:
[root@VPN-A 2.0]# ./build-key tear <-- in practice this is simply the user's name
Generating a 1024 bit RSA private key
.....++++++
.................................++++++
writing new private key to 'tear.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <-- press Enter to accept the default
State or Province Name (full name) [GD]: <-- press Enter to accept the default
Locality Name (eg, city) [ShenZhen]: <-- press Enter to accept the default
Organization Name (eg, company) [SYS]: <-- press Enter to accept the default
Organizational Unit Name (eg, section) [tear]: <-- press Enter to accept the default
Common Name (eg, your name or your server's hostname) [tear]: <-- press Enter to accept the default
Name [tear]: <-- press Enter to accept the default
Email Address [tear@sys.local]: <-- press Enter to accept the default
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 <-- a password is required here; it is the challenge password for the certificate request. It is set to 123456 here; change it to suit your needs.
An optional company name []:tear <-- press Enter to accept the default
Using configuration from /home/tear/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'ShenZhen'
organizationName      :PRINTABLE:'SYS'
organizationalUnitName:PRINTABLE:'tear'
commonName            :PRINTABLE:'tear'
name                  :PRINTABLE:'tear'
emailAddress          :IA5STRING:'tear@sys.local'
Certificate is to be certified until Aug 12 07:26:44 2026 GMT (3650 days)
Sign the certificate? [y/n]:y <-- enter y
1 out of 1 certificate requests certified, commit? [y/n]y <-- enter y
Write out database with 1 new entries
Data Base Updated
[root@VPN-A 2.0]# ls keys/
01.pem ca.crt index.txt index.txt.attr.old serial server.crt server.key tear.csr
02.pem ca.key index.txt.attr index.txt.old serial.old server.csr tear.crt tear.key
Three files were generated for user tear.
At this point there are two certificates and keys in total: the shared CA certificate, the server certificate, and the client certificate.
Note: if a user's certificate is created with build-key, that user only needs to present the certificate to dial in; no password is required.
Next, create a user certificate and key file that requires both the certificate and a password for authentication.
Use the build-key-pass command in the current directory:
[root@VPN-A 2.0]# ./build-key-pass tom
Generating a 1024 bit RSA private key
.........................................++++++
....++++++
writing new private key to 'tom.key'
Enter PEM pass phrase: <-- enter the user's password; it will be required when dialing in
Verifying - Enter PEM pass phrase: <-- enter the user's password again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <-- press Enter to accept the default
State or Province Name (full name) [GD]: <-- press Enter to accept the default
Locality Name (eg, city) [ShenZhen]: <-- press Enter to accept the default
Organization Name (eg, company) [SYS]: <-- press Enter to accept the default
Organizational Unit Name (eg, section) [tear]: <-- press Enter to accept the default
Common Name (eg, your name or your server's hostname) [tom]: <-- press Enter to accept the default
Name [tear]: <-- press Enter to accept the default
Email Address [tear@sys.local]: <-- press Enter to accept the default
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 <-- a password is required here; it is the challenge password for the certificate request. It is set to 123456 here; change it to suit your needs.
An optional company name []:sys <-- press Enter to accept the default
Using configuration from /home/tear/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'ShenZhen'
organizationName      :PRINTABLE:'SYS'
organizationalUnitName:PRINTABLE:'tear'
commonName            :PRINTABLE:'tom'
name                  :PRINTABLE:'tear'
emailAddress          :IA5STRING:'tear@sys.local'
Certificate is to be certified until Aug 12 07:46:15 2026 GMT (3650 days)
Sign the certificate? [y/n]:y <-- enter y

1 out of 1 certificate requests certified, commit? [y/n]y <-- enter y
Write out database with 1 new entries
Data Base Updated
[root@VPN-A 2.0]# ls keys/
01.pem ca.crt index.txt.attr serial server.csr tear.csr tom.csr
02.pem ca.key index.txt.attr.old serial.old server.key tear.key tom.key
03.pem index.txt index.txt.old server.crt tear.crt tom.crt