Bye Bye Moore

Technical notes from a man around thirty who, with the ambition of building an apartment block for cats in his heart, set sail into the rough seas of capitalism as a micro-business owner

Building a private-key server with easy-rsa, part 1: creating the private keys

What I actually did

$ sudo apt install openvpn easy-rsa

Issuing the CA

$ sudo su
# mkdir /etc/openvpn/easy-rsa
# cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
# cp /etc/openvpn/easy-rsa/vars /etc/openvpn/easy-rsa/vars.bak
# nano /etc/openvpn/easy-rsa/vars 
$ diff /etc/openvpn/easy-rsa/vars /etc/openvpn/easy-rsa/vars.bak 
64,69c64,69
< export KEY_COUNTRY="JP"
< export KEY_PROVINCE="TOKYO"
< export KEY_CITY="Tokyo"
< export KEY_ORG="Bye Bye Moore"
< export KEY_EMAIL="shuzo1uec@yahoo.com"
< export KEY_OU="MyOrg"
---
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="SanFrancisco"
> export KEY_ORG="Fort-Funston"
> export KEY_EMAIL="me@myhost.mydomain"
> export KEY_OU="MyOrganizationalUnit"

The easy-rsa toolkit ships as part of the OpenVPN installation (the apt line above pulls in both packages). It is possible to use raw OpenSSL commands or PyOpenSSL instead, but easy-rsa is convenient and good enough, at least at the proof-of-concept stage.

$ cd /etc/openvpn/easy-rsa/
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

As instructed,

# ./clean-all

Create the private key.

# ./build-ca
Generating a 2048 bit RSA private key
..............+++
....................................................................................................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [Bye Bye Moore]:
Organizational Unit Name (eg, section) [MyOrg]:
Common Name (eg, your name or your server's hostname) [Bye Bye Moore CA]:
Name [EasyRSA]:
Email Address [shuzo1uec@yahoo.com]:

Setting up the server

# ./build-key-server myservername
Generating a 2048 bit RSA private key
.....................+++
.......................+++
writing new private key to 'myservername.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [Bye Bye Moore]:
Organizational Unit Name (eg, section) [MyOrg]:
Common Name (eg, your name or your server's hostname) [myservername]:
Name [EasyRSA]:
Email Address [shuzo1uec@yahoo.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxx
An optional company name []:XXX
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'TOKYO'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'Bye Bye Moore'
organizationalUnitName:PRINTABLE:'MyOrg'
commonName            :PRINTABLE:'myservername'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'shuzo1uec@yahoo.com'
Certificate is to be certified until Sep  4 14:57:47 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the Diffie-Hellman key-exchange parameters.

# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................................................................+..........................+.........................................................................+..........................................................................................................................................................................................................................................................................+..............................................................................................+................................................................................................................................................+......................++*++*

Check the resulting files, then drop them into the /etc/openvpn directory.

# cd keys/
# cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/
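Before copying the output of build-ca and build-key-server into /etc/openvpn, it is worth checking that the pieces actually fit together: that ca.crt is really a CA certificate, that myservername.crt was signed by it, that myservername.key is the matching private key, and that the key file is not readable by other users. The script below is an added example written for this post, not part of easy-rsa or the original article; it only uses the openssl command line, and the file names are the ones the post produces (the working directory is assumed to be /etc/openvpn/easy-rsa/keys).

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on the easy-rsa
# output before copying it into /etc/openvpn. File names follow the post
# (ca.crt, myservername.crt, myservername.key); the directory is an assumption.

# check_server_material CA_CRT SERVER_CRT SERVER_KEY
# Prints one line per check and returns non-zero if any check fails.
check_server_material() {
    ca_crt=$1; srv_crt=$2; srv_key=$3
    rc=0

    for f in "$ca_crt" "$srv_crt" "$srv_key"; do
        if [ ! -r "$f" ]; then
            echo "FAIL missing or unreadable: $f"
            return 1
        fi
    done

    # 1. The CA certificate must actually be marked as a CA (basicConstraints).
    if openssl x509 -in "$ca_crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "ok   ca: $ca_crt carries basicConstraints CA:TRUE"
    else
        echo "FAIL ca: $ca_crt is not marked as a CA"; rc=1
    fi

    # 2. Chain: the server certificate must verify against that CA.
    #    The output line is checked rather than the exit status, because old
    #    OpenSSL releases of 'verify' did not always return non-zero on failure.
    if openssl verify -CAfile "$ca_crt" "$srv_crt" 2>/dev/null | grep -q ': OK$'; then
        echo "ok   chain: $srv_crt is signed by $ca_crt"
    else
        echo "FAIL chain: $srv_crt does not verify against $ca_crt"; rc=1
    fi

    # 3. Pairing: the public key embedded in the certificate must equal the
    #    public key derived from the private key. Both are emitted by OpenSSL
    #    as SubjectPublicKeyInfo PEM, so the text can be compared directly;
    #    this works for RSA and EC keys alike.
    cert_pem=$(openssl x509 -in "$srv_crt" -noout -pubkey 2>/dev/null)
    key_pem=$(openssl pkey -in "$srv_key" -pubout 2>/dev/null)
    if [ -n "$cert_pem" ] && [ "$cert_pem" = "$key_pem" ]; then
        echo "ok   pair: $srv_key matches $srv_crt"
    else
        echo "FAIL pair: $srv_key does not match $srv_crt"; rc=1
    fi

    # 4. Permissions: the private key must not be readable by group or others.
    #    Columns 5-10 of 'ls -l' are the group and other permission bits.
    case $(ls -ld "$srv_key" | cut -c5-10) in
        ------) echo "ok   perms: $srv_key is owner-only" ;;
        *)      echo "FAIL perms: $srv_key is readable by group or others"; rc=1 ;;
    esac

    return $rc
}

# Usage, matching the post's layout (run from /etc/openvpn/easy-rsa/keys):
#   sh check_keys.sh ca.crt myservername.crt myservername.key
if [ $# -eq 3 ]; then
    check_server_material "$1" "$2" "$3"
fi
```

If the pairing check fails, the usual cause is copying a .crt from one build-key-server run together with a .key from another; the chain check fails when ca.crt was regenerated by a later ./clean-all and ./build-ca, which silently invalidates every certificate signed by the previous CA.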

Reference

OpenVPN