easy-rsa 3 创建证书文件

Posted 2023-03-19

参考技术A Easy-RSA 3 Quickstart README

cat vars |grep -v '#' |sed '/^$/d'

OpenV$P$N服务器添加客户端

OpenV$P$N签发客户端证书
因关键词限制，请自行修改V$P$N

OpenV$P$N客户

• OpenV$P$N添加客户端实质上就是对客户端签发证书文件及配置文件

准备客户端证书环境

• 拷贝整个easy-rsa目录过来准本生成证书

cp -r /usr/share/easy-rsa/ /etc/openv$p$n/easy-rsa-client

• 拷贝模板文件过来以备不时之需

cp /usr/share/doc/easy-rsa/vars.example /etc/openv$p$n/easy-rsa-client/3/vars

• vars中的内容可按需修改
  CA证书信息相关内容

#set_var EASYRSA_REQ_COUNTRY	"US"
#set_var EASYRSA_REQ_PROVINCE	"California"
#set_var EASYRSA_REQ_CITY	"San Francisco"
#set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL	"me@example.net"
#set_var EASYRSA_REQ_OU		"My Organizational Unit"

证书时效相关内容

# In how many days should the root CA key expire?
#set_var EASYRSA_CA_EXPIRE	3650
# In how many days should certificates expire?
#set_var EASYRSA_CERT_EXPIRE	825
# How many days until the next CRL publish date?  Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS	180

生成证书申请所需目录pki和文件

• 进入为客户端准备的easy-rsa目录

cd /etc/openv$p$n/easy-rsa-client/3/

• 使用easy-rsa脚本生成所需目录和文件

 ./easyrsa init-pki

./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openv$p$n/easy-rsa-client/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openv$p$n/easy-rsa-client/3/pki

创建客户证书申请文件

• 使用easyrsa脚本，通过gen-req命令给用户或主机sunmy生成证书申请文件

./easyrsa gen-req sunmy nopass

• nopass 不要求密码

[root@C8-200 3]# ./easyrsa gen-req sunmy nopass

Note: using Easy-RSA configuration from: /etc/openv$p$n/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
........................................................................................................................................................+++++
.......................................................+++++
writing new private key to '/etc/openv$p$n/easy-rsa-client/3/pki/easy-rsa-1440.IhZr97/tmp.GDI7yT'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [sunmy]:

Keypair and certificate request completed. Your files are:
req: /etc/openv$p$n/easy-rsa-client/3/pki/reqs/sunmy.req ## 证书申请文件
key: /etc/openv$p$n/easy-rsa-client/3/pki/private/sunmy.key ## 私钥文件

• 不适用nopass，被询问密码，可以对生成的请求文件添加密码

[root@C8-200 3]# ./easyrsa gen-req sunwh

Note: using Easy-RSA configuration from: /etc/openv$p$n/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
.....................................+++++
........................................................................................................+++++
writing new private key to '/etc/openv$p$n/easy-rsa-client/3/pki/easy-rsa-1467.8BrORw/tmp.5I48DH'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [sunwh]:

Keypair and certificate request completed. Your files are:
req: /etc/openv$p$n/easy-rsa-client/3/pki/reqs/sunwh.req ## 证书申请文件
key: /etc/openv$p$n/easy-rsa-client/3/pki/private/sunwh.key ## 私钥文件

• 生成的两个文件会自动分开存放在如下目录

/etc/openv$p$n/easy-rsa-client/3/pki/reqs/## 用户证书申请文件
/etc/openv$p$n/easy-rsa-client/3/pki/private/## 用户私钥文件

以后再次为用户生成证书请求文件都放在对应目录中。

服务器签发客户端证书文件

导入客户端请求文件

• 进入到OpenV$P$N服务器CA文件夹

cd /etc/openv$p$n/easy-rsa-sever/3/

• 将客户端证书请求文件复制到CA的工作目录
  • 使用easyrsa脚本命令import-import-req导入生成的证书请求文件

./easyrsa import-req /etc/openv$p$n/easy-rsa-client/3/pki/reqs/sunmy.req sunmy

• 也可以直接cp请求文件到/etc/openv$p$n/easy-rsa-sever/3/pki/reqs/ 目录下

cp /etc/openv$p$n/easy-rsa-client/3/pki/reqs/sunmy.req /etc/openv$p$n/easy-rsa-sever/3/pki/reqs/sunmy.req

根据实际需求修改vars配置文件

#修改给客户端颁发的证书的有效期
[root@centos8 3]#vim vars
#建议修改给客户端颁发证书的有效期,可适当减少,比如:90天
#set_var EASYRSA_CERT_EXPIRE 825
#将上面行修改为下面
set_var EASYRSA_CERT_EXPIRE 90

签发客户端证书文件

• 使用OpenV$P$N服务器CAserver目录下的easyrsa脚本，
• 脚本easyrsa签发sign以客户端client的类型为sunmy用户/主机的证书文件

./easyrsa sign client sunmy

原理也是利用生成的用户请求文件生成证书文件

[root@C8-200 3]# pwd
/etc/openv$p$n/easy-rsa-sever/3
[root@C8-200 3]# ./easyrsa sign client sunmy

Note: using Easy-RSA configuration from: /etc/openv$p$n/easy-rsa-sever/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = sunmy


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openv$p$n/easy-rsa-sever/3/pki/easy-rsa-1522.rFgvH8/tmp.pYL51l
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'sunmy'
Certificate is to be certified until Aug 14 09:59:07 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openv$p$n/easy-rsa-sever/3/pki/issued/sunmy.crt

拷贝客户端私钥与证书文件到OpenV$P$N服务器指定目录

• 为用户创建客户端文件夹

mkdir /etc/openv$p$n/client/sunmy/

• 找到并复制用户的证书文件和私钥以及ca证书到哭护短用户目录下

find /etc/openv$p$n/ \\( -name "sunmy.key" -o -name "sunmy.crt" -o -name "ca.crt" \\) -exec cp {} /etc/openv$p$n/client/sunmy \\;

• find组合条件用 ( ) 括号括起来，注意前后都需要留有空格
• find扩展-exec将查询到的结果作为后续命令的参数，
• {}标识所有查询到的结果

准备 OpenV$P$N 客户端配置文件

查看客户端模板文件配置内容

/usr/share/doc/openv$p$n/sample/sample-config-files/client.conf

[root@C8-200 3]# grep '^[[:alpha:]]'.* /usr/share/doc/openv$p$n/sample/sample-config-files/client.conf 
client ## 声明自己的身份为客户端
dev tun ## 豚骨隧道网络
proto udp ## 默认使用udp，这个需要改成和服务器一样的tcp
remote my-server-1 1194 ## 远程端口1194
resolv-retry infinite ## 可以写OpenV$P$N服务器的域名
nobind ## 客户端不绑定端口
persist-key 
persist-tun
ca ca.crt ## OPenV$P$N服务器ca证书
cert client.crt ## 用户客户端证书
key client.key ## 用户客户端私钥
remote-cert-tls server ## 采用服务器证书校验方式
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

编辑并生成客户端配置文件

cat > /etc/openv$p$n/client/sunmy/sunmy.ov$p$n << SUN
client
dev tun
proto tcp ##改成tcp喽
remote 10.0.0.200 1194 #生产中为OpenV$P$N公网IP
resolv-retry infinite
nobind
#persist-key ## 注释掉喽
#persist-tun ## 注释掉喽
ca ca.crt ## 当前目录中的文件
cert sunmy.crt ## 当前目录中的文件
key sunmy.key ## 当前目录中的文件
remote-cert-tls server
#tls-auth ta.key 1 ## 注释掉喽
cipher AES-256-CBC
verb 3 #此值不能随意指定,否则无法通信
compress lz4-v2 #此项在OpenV$P$N2.4.X版本使用,需要和服务器端保持一致,如不
指定,默认使用comp-lz压缩
SUN

最后检查以下准备好的用户配置文件和证书相关内容

/etc/openv$p$n/client/sunmy/

[root@C8-200 3]# ll /etc/openv$p$n/client/sunmy/
total 20
-rw------- 1 root root 1172 May 11 18:24 ca.crt
-rw------- 1 root root 4451 May 11 18:24 sunmy.crt
-rw------- 1 root root 1704 May 11 18:24 sunmy.key
-rw-r--r-- 1 root root  556 May 11 18:56 sunmy.ov$p$n

将以上内容打包发送给用户即可