Bye Bye Moore

A blog where a small-business owner working as a PoC soldier leaves his work notes

Building a private key server with easy-rsa, part 1: creating the private key

In practice

$ sudo apt install openvpn easy-rsa

Issue the CA

$ sudo su
# mkdir /etc/openvpn/easy-rsa
# cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
# cp /etc/openvpn/easy-rsa/vars /etc/openvpn/easy-rsa/vars.bak
# nano /etc/openvpn/easy-rsa/vars 
$ diff /etc/openvpn/easy-rsa/vars /etc/openvpn/easy-rsa/vars.bak 
64,69c64,69
< export KEY_COUNTRY="JP"
< export KEY_PROVINCE="TOKYO"
< export KEY_CITY="Tokyo"
< export KEY_ORG="Bye Bye Moore"
< export KEY_EMAIL="shuzo1uec@yahoo.com"
< export KEY_OU="MyOrg"
---
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="SanFrancisco"
> export KEY_ORG="Fort-Funston"
> export KEY_EMAIL="me@myhost.mydomain"
> export KEY_OU="MyOrganizationalUnit"

The easy-rsa toolkit ships as part of the OpenVPN installation. It is possible to use the "raw" openssl command or PyOpenSSL instead, but easy-rsa is convenient and perfectly adequate, at least at the proof-of-concept stage.

$ cd /etc/openvpn/easy-rsa/
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

As instructed

# ./clean-all

Create the private key.

# ./build-ca
Generating a 2048 bit RSA private key
..............+++
....................................................................................................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [Bye Bye Moore]:
Organizational Unit Name (eg, section) [MyOrg]:
Common Name (eg, your name or your server's hostname) [Bye Bye Moore CA]:
Name [EasyRSA]:
Email Address [shuzo1uec@yahoo.com]:

Setting up the server

# ./build-key-server myservername
Generating a 2048 bit RSA private key
.....................+++
.......................+++
writing new private key to 'myservername.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [Bye Bye Moore]:
Organizational Unit Name (eg, section) [MyOrg]:
Common Name (eg, your name or your server's hostname) [myservername]:
Name [EasyRSA]:
Email Address [shuzo1uec@yahoo.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxx
An optional company name []:XXX
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'TOKYO'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'Bye Bye Moore'
organizationalUnitName:PRINTABLE:'MyOrg'
commonName            :PRINTABLE:'myservername'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'shuzo1uec@yahoo.com'
Certificate is to be certified until Sep  4 14:57:47 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the Diffie-Hellman key-exchange parameters.

# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................................................................+..........................+.........................................................................+..........................................................................................................................................................................................................................................................................+..............................................................................................+................................................................................................................................................+......................++*++*

Check that the files actually exist, then drop them into the /etc/openvpn folder.

# cd keys/
# cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/

References

OpenVPN