6月 252013
 

在CentOS 6.3最小化环境下安装依赖软件包

[root@localhost openvpn-2.2.2]# yum install gcc make lzo-devel openssl-devel

编译安装OpenVPN 2.2.2

[root@localhost ~]# tar xzf openvpn-2.2.2.tar.gz
[root@localhost ~]# cd openvpn-2.2.2
[root@localhost openvpn-2.2.2]# ./configure --prefix=/usr/local/openvpn
[root@localhost openvpn-2.2.2]# make
[root@localhost openvpn-2.2.2]# make install

openvpn-install-01

生成证书

openvpn-install-02

编辑控制证书生成工具easy-rsa参数的配置文件

[root@localhost 2.0]# vi vars
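# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
#
# This file is meant to be sourced ("source ./vars"), not executed:
# every setting is exported into the current shell so that the other
# easy-rsa scripts (clean-all, build-ca, build-key-server, build-dh,
# build-key) can read it.  Plain ASCII quotes are required here; the
# typographic quotes that word processors and blogs substitute are
# taken literally by the shell and break every path below.

# This variable should point to the top level of the easy-rsa tree.
# It is resolved from the current directory, so always source this
# file from inside that tree.
export EASY_RSA="$(pwd)"

# These variables should point to the requested executables.
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# This variable should point to the openssl.cnf file included with
# easy-rsa.  whichopensslcnf picks the variant for the installed
# OpenSSL release; presumably it prints the "No ... openssl.cnf file
# could be found" warning when none matches -- confirm against the
# script, and copy the matching openssl-<version>.cnf to openssl.cnf
# before building any certificate.
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"

# Edit this variable to point to your soon-to-be-created key
# directory.  It will hold ca.key, the CA private key; keep it
# readable by root only and back it up before running clean-all.
#
# WARNING: clean-all will do a rm -rf on this directory
# so make sure you define it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning (quoted so a path with spaces prints intact).
echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"

# PKCS11 fixes -- placeholders only; both are reassigned further down
# and the later value is the one that takes effect.
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Key size in bits for the CA, server and client RSA keys and for the
# DH parameters built by build-dh.  1024 is the upstream default but is
# below the minimum now generally accepted for RSA; use 2048 (or more)
# for any deployment reachable from untrusted networks.  Larger sizes
# slow down TLS negotiation and make the one-time DH parameter
# generation take noticeably longer.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?  A ten-year lifetime
# cannot be shortened after issue, so plan on maintaining a CRL so a
# lost or stolen client key can be cut off before it expires.
export KEY_EXPIRE=3650

# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank.  KEY_EMAIL,
# PKCS11_MODULE_PATH and PKCS11_PIN are each assigned twice; the last
# assignment wins.  The PKCS11 PIN is a sample value and sits in
# cleartext in this file -- change it, and restrict the file's
# permissions, if a hardware token is actually used.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234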

执行证书环境配置清理工作

[root@localhost 2.0]# source ./vars
**************************************************************
No /root/openvpn-2.2.2/easy-rsa/2.0/openssl.cnf file could be found
Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.2.2/easy-rsa/2.0/keys

[root@localhost 2.0]#
[root@localhost 2.0]# ./clean-all

根据当前系统中安装openssl的版本确定引用openssl配置文件

[root@localhost 2.0]# cp openssl-1.0.0.cnf openssl.cnf

生成CA证书

[root@localhost 2.0]# ./build-ca
 Generating a 1024 bit RSA private key
 .............++++++
 ..++++++
 writing new private key to 'ca.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [US]:CN
 State or Province Name (full name) [CA]:GD
 Locality Name (eg, city) [SanFrancisco]:SHENZHEN
 Organization Name (eg, company) [Fort-Funston]:LINUXCACHE
 Organizational Unit Name (eg, section) [changeme]:LINUXCACHE LABS
 Common Name (eg, your name or your server's hostname) [changeme]:LINUXCACHE CA
 Name [changeme]:
 Email Address [mail@host.domain]:
 [root@localhost 2.0]#

查看已生成的文件

[root@localhost 2.0]# ls keys/
ca.crt  ca.key  index.txt  serial
[root@localhost 2.0]#

生成服务证书

[root@localhost 2.0]# ./build-key-server server
 Generating a 1024 bit RSA private key
 ............++++++
 ...........++++++
 writing new private key to 'server.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [US]:CN
 State or Province Name (full name) [CA]:GD
 Locality Name (eg, city) [SanFrancisco]:SHENZHEN
 Organization Name (eg, company) [Fort-Funston]:LINUXCACHE
 Organizational Unit Name (eg, section) [changeme]:LINUXCACHE LABS
 Common Name (eg, your name or your server's hostname) [server]:LINUXCACHE SERVER
 Name [changeme]:linuxcache
 Email Address [mail@host.domain]:hostmaster@linuxcache.com
Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 Using configuration from /root/openvpn-2.2.2/easy-rsa/2.0/openssl.cnf
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 countryName           :PRINTABLE:'CN'
 stateOrProvinceName   :PRINTABLE:'GD'
 localityName          :PRINTABLE:'SHENZHEN'
 organizationName      :PRINTABLE:'LINUXCACHE'
 organizationalUnitName:PRINTABLE:'LINUXCACHE LABS'
 commonName            :PRINTABLE:'LINUXCACHE SERVER'
 name                  :PRINTABLE:'linuxcache'
 emailAddress          :IA5STRING:'hostmaster@linuxcache.com'
 Certificate is to be certified until Nov 10 06:48:22 2023 GMT (3650 days)
 Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 [root@localhost 2.0]#
[root@localhost 2.0]# ls keys/
 01.pem  ca.key     index.txt.attr  serial      server.crt  server.key
 ca.crt  index.txt  index.txt.old   serial.old  server.csr
 [root@localhost 2.0]#

生成服务器DH文件

[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..............................................................+....................
...................................................................................
..............................+........+...........................................
...................................................................................
.........+....................................................+....................
.....+....+........................................................................
......................+.................+.................+..........+.............
.........+.........................................................................
...................+...............................................................
+.......................+......+......+.......+............+.......................
.............................+......+..............................................
..........+...................................................+....................
..........+....+...................................................+...............
.................................................................+.................
..........................++*++*++*
 [root@localhost 2.0]#

生成客户端证书

修改客户端证书的有效期
Certificate is to be certified until Dec 12 07:01:44 2013 GMT (30 days)

[root@localhost 2.0]# ./build-key client
Generating a 1024 bit RSA private key
.....++++++
....++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:GD
Locality Name (eg, city) [SanFrancisco]:SHENZHEN
Organization Name (eg, company) [Fort-Funston]:LINUXCACHE
Organizational Unit Name (eg, section) [changeme]:LINUXCACHE LABS
Common Name (eg, your name or your server's hostname) [client]:CLIENT
Name [changeme]:linuxcache-client
Email Address [mail@host.domain]:client@linuxcache.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn-2.2.2/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SHENZHEN'
organizationName      :PRINTABLE:'LINUXCACHE'
organizationalUnitName:PRINTABLE:'LINUXCACHE LABS'
commonName            :PRINTABLE:'CLIENT'
name                  :PRINTABLE:'linuxcache-client'
emailAddress          :IA5STRING:'client@linuxcache.com'
Certificate is to be certified until Nov 10 06:54:04 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#

[root@localhost 2.0]# ls keys/
01.pem  ca.key      client.key  index.txt.attr      serial      server.csr
02.pem  client.crt  dh1024.pem  index.txt.attr.old  serial.old  server.key
ca.crt  client.csr  index.txt   index.txt.old       server.crt
[root@localhost 2.0]#

openvpn-install-03

 
