Issuing the CA
$ sudo su
# mkdir /etc/openvpn/easy-rsa
# cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
# cp /etc/openvpn/easy-rsa/vars /etc/openvpn/easy-rsa/vars.bak
# nano /etc/openvpn/easy-rsa/vars
$ diff /etc/openvpn/easy-rsa/vars /etc/openvpn/easy-rsa/vars.bak
64,69c64,69
< export KEY_COUNTRY="JP"
< export KEY_PROVINCE="TOKYO"
< export KEY_CITY="Tokyo"
< export KEY_ORG="Bye Bye Moore"
< export KEY_EMAIL="shuzo1uec@yahoo.com"
< export KEY_OU="MyOrg"
---
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="SanFrancisco"
> export KEY_ORG="Fort-Funston"
> export KEY_EMAIL="me@myhost.mydomain"
> export KEY_OU="MyOrganizationalUnit"
The easy-rsa toolkit ships as part of the OpenVPN installation. You could drive raw OpenSSL commands or PyOpenSSL instead, but easy-rsa is convenient and perfectly adequate, at least at the proof-of-concept stage.
$ cd /etc/openvpn/easy-rsa/
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
As instructed:
# ./clean-all
Create the CA private key and certificate.
# ./build-ca
Generating a 2048 bit RSA private key
..............+++
....................................................................................................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [Bye Bye Moore]:
Organizational Unit Name (eg, section) [MyOrg]:
Common Name (eg, your name or your server's hostname) [Bye Bye Moore CA]:
Name [EasyRSA]:
Email Address [shuzo1uec@yahoo.com]:
Setting up the server
# ./build-key-server myservername
Generating a 2048 bit RSA private key
.....................+++
.......................+++
writing new private key to 'myservername.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [Bye Bye Moore]:
Organizational Unit Name (eg, section) [MyOrg]:
Common Name (eg, your name or your server's hostname) [myservername]:
Name [EasyRSA]:
Email Address [shuzo1uec@yahoo.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxx
An optional company name []:XXX
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'TOKYO'
localityName :PRINTABLE:'Tokyo'
organizationName :PRINTABLE:'Bye Bye Moore'
organizationalUnitName:PRINTABLE:'MyOrg'
commonName :PRINTABLE:'myservername'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'shuzo1uec@yahoo.com'
Certificate is to be certified until Sep 4 14:57:47 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the Diffie-Hellman parameters.
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................................................................+..........................+.........................................................................+..........................................................................................................................................................................................................................................................................+..............................................................................................+................................................................................................................................................+......................++*++*
Check that the files are really there, then drop them into the /etc/openvpn folder.
# cd keys/
# cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/
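Before running that cp, it is worth confirming that the four files actually fit together. The following shell function is an added check, not part of the original post or of easy-rsa; it assumes the keys directory under /etc/openvpn/easy-rsa and the server name myservername used above, and the function name check_openvpn_pki is my own.

```shell
#!/bin/sh
# check_openvpn_pki: sanity-check the files that ./build-ca, ./build-key-server
# and ./build-dh produced before copying them into /etc/openvpn.
#   $1 = directory holding the files (here: /etc/openvpn/easy-rsa/keys)
#   $2 = name passed to ./build-key-server (here: myservername)
# Exit status 0 means every check passed; each failed check prints one line.
check_openvpn_pki() {
    dir=$1; name=$2; rc=0
    ca="$dir/ca.crt"; crt="$dir/$name.crt"; key="$dir/$name.key"; dh="$dir/dh2048.pem"

    # 1. Everything the cp line copies must exist and be non-empty.
    for f in "$ca" "$crt" "$key" "$dh"; do
        [ -s "$f" ] || { echo "missing or empty: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The server's private key must not be readable by group or others
    #    (columns 5-10 of ls -l are the group and other permission bits).
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "$key is readable by group/others; chmod 600 it"; rc=1; }

    # 3. The server certificate must chain to the CA that was just built,
    #    otherwise clients that trust ca.crt will refuse the server.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$crt does not verify against $ca"; rc=1; }

    # 4. The certificate and the key must carry the same public key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "$crt and $key do not match"; rc=1; }

    # 5. build-key-server (not build-key) adds the serverAuth EKU; clients with
    #    'remote-cert-tls server' reject a server certificate without it.
    openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "$crt lacks the serverAuth extended key usage"; rc=1; }

    # 6. The DH parameters must parse and pass OpenSSL's parameter checks.
    openssl dhparam -in "$dh" -check -noout >/dev/null 2>&1 \
        || { echo "$dh is not a valid DH parameter file"; rc=1; }

    return $rc
}

# Usage with the paths from the walkthrough above; only copy if every check passed:
# check_openvpn_pki /etc/openvpn/easy-rsa/keys myservername \
#   && cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/
```

Running it from /etc/openvpn/easy-rsa/keys as root makes the failure lines point at the exact file to regenerate.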