The actual procedure
$ sudo apt install openvpn easy-rsa
Issuing the CA
$ sudo su
# mkdir /etc/openvpn/easy-rsa
# cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
# cp /etc/openvpn/easy-rsa/vars /etc/openvpn/easy-rsa/vars.bak
# nano /etc/openvpn/easy-rsa/vars
$ diff /etc/openvpn/easy-rsa/vars /etc/openvpn/easy-rsa/vars.bak
64,69c64,69
< export KEY_COUNTRY="JP"
< export KEY_PROVINCE="TOKYO"
< export KEY_CITY="Tokyo"
< export KEY_ORG="Bye Bye Moore"
< export KEY_EMAIL="shuzo1uec@yahoo.com"
< export KEY_OU="MyOrg"
---
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="SanFrancisco"
> export KEY_ORG="Fort-Funston"
> export KEY_EMAIL="me@myhost.mydomain"
> export KEY_OU="MyOrganizationalUnit"
The easy-rsa toolkit is part of the OpenVPN installation. It is possible to use the raw openssl command or PyOpenSSL instead, but easy-rsa is convenient and is adequate at least at the proof-of-concept stage.
$ cd /etc/openvpn/easy-rsa/
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
Do as it says:
# ./clean-all
Generate the CA's private key (and its certificate).
# ./build-ca
Generating a 2048 bit RSA private key
..............+++
....................................................................................................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [Bye Bye Moore]:
Organizational Unit Name (eg, section) [MyOrg]:
Common Name (eg, your name or your server's hostname) [Bye Bye Moore CA]:
Name [EasyRSA]:
Email Address [shuzo1uec@yahoo.com]:
Setting up the server
# ./build-key-server myservername
Generating a 2048 bit RSA private key
.....................+++
.......................+++
writing new private key to 'myservername.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [Bye Bye Moore]:
Organizational Unit Name (eg, section) [MyOrg]:
Common Name (eg, your name or your server's hostname) [myservername]:
Name [EasyRSA]:
Email Address [shuzo1uec@yahoo.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxx
An optional company name []:XXX
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'TOKYO'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'Bye Bye Moore'
organizationalUnitName:PRINTABLE:'MyOrg'
commonName            :PRINTABLE:'myservername'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'shuzo1uec@yahoo.com'
Certificate is to be certified until Sep 4 14:57:47 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the Diffie-Hellman key-exchange parameters.
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................................................................+..........................+.........................................................................+..........................................................................................................................................................................................................................................................................+..............................................................................................+................................................................................................................................................+......................++*++*
Check that the files really exist, then put them into the /etc/openvpn folder.
# cd keys/
# cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/
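As an added check that is not part of the original post or of easy-rsa itself: a POSIX sh function that sanity-checks the files copied above before OpenVPN is started with them. It assumes the file names used on this page (ca.crt, myservername.crt, myservername.key, dh2048.pem) and that openssl is on PATH.

```shell
# check_openvpn_pki DIR NAME
# Sanity-check the files easy-rsa produced before OpenVPN is started with them.
# DIR  directory holding ca.crt, NAME.crt, NAME.key and (optionally) dh2048.pem
# NAME the server name given to build-key-server, e.g. myservername
# Prints one line per check and returns 0 only if every check passed.
check_openvpn_pki() {
    dir=$1; name=$2; rc=0

    # 1. The server certificate must chain to the CA certificate it is used with.
    if openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
        echo "ok   $name.crt is signed by ca.crt"
    else
        echo "FAIL $name.crt does not verify against ca.crt"; rc=1
    fi

    # 2. The private key must belong to the certificate: compare the public keys
    #    (SubjectPublicKeyInfo PEM) derived from each file.
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$dir/$name.crt" -pubkey -noout 2>/dev/null) || crt_pub=
    if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then
        echo "ok   $name.key matches $name.crt"
    else
        echo "FAIL $name.key does not match $name.crt"; rc=1
    fi

    # 3. Nobody but the owner should be able to read the private key
    #    (columns 5-10 of ls -l are the group and other permission bits).
    case "$(ls -l "$dir/$name.key" 2>/dev/null | cut -c5-10)" in
        ------) echo "ok   $name.key is readable by its owner only" ;;
        *)      echo "FAIL $name.key is readable by group or others"; rc=1 ;;
    esac

    # 4. The CA's private key belongs with the CA, not next to the server config.
    if [ -e "$dir/ca.key" ]; then
        echo "FAIL ca.key is present in $dir; only ca.crt belongs here"; rc=1
    else
        echo "ok   no ca.key in $dir"
    fi
    # 5. If DH parameters were copied too, make sure they parse as a valid group.
    if [ -e "$dir/dh2048.pem" ]; then
        if openssl dhparam -in "$dir/dh2048.pem" -noout -check >/dev/null 2>&1; then
            echo "ok   dh2048.pem passes openssl dhparam -check"
        else
            echo "FAIL dh2048.pem is not a usable DH parameter file"; rc=1
        fi
    fi
    return $rc
}
```

Run it as `check_openvpn_pki /etc/openvpn myservername` after the copy step; the ca.key check exists because the cp above deliberately copies only ca.crt, never the CA's private key, into the server directory.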