Changes between Version 3 and Version 4 of TipAndDoc/network/vpn/openvpn


Ignore:
Timestamp:
Nov 15, 2009 11:05:07 PM (14 years ago)
Author:
mitty
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • TipAndDoc/network/vpn/openvpn

    v3 v4  
    4747 * openssl.cnfに対する編集([3#file2])のため、Apache用SSL証明書と同様に作成した鍵・証明書を用いると、サーバ側で「VERIFY ERROR: depth=0, error=unsupported certificate purpose: 」というエラーになり接続が維持されない。 
    4848 
     49 ==== マスタCA証明書と鍵を生成する ==== 
     50 * http://freescitech.net/2/wiki/?OpenVPN%202%20HOWTO%20%E6%97%A5%E6%9C%AC%E8%AA%9E%E8%A8%B3#abd6e0dc に従って作成する 
     51 
     52 * sudo cp -av /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa 
     53 * sudo vim /etc/openvpn/easy-rsa/vars 
     54 * sudo su - 
     55 * /etc/openvpn/easy-rsa# . ./vars 
     56 * /etc/openvpn/easy-rsa# ./clean-all 
     57 * /etc/openvpn/easy-rsa# ./build-ca 
     58{{{ 
     59Country Name (2 letter code) [JP]: 
     60State or Province Name (full name) [Ibaraki]: 
     61Locality Name (eg, city) [Tsukuba]: 
     62Organization Name (eg, company) [mitty.jp]:OpenVPN CA 
     63Organizational Unit Name (eg, section) []: 
     64Common Name (eg, your name or your server's hostname) [mitty.jp CA]:OpenVPN CA 
     65Email Address [root (X) mitty.jp]: 
     66}}} 
     67 * /etc/openvpn/easy-rsa# ./build-key-server server 
     68{{{ 
     69Country Name (2 letter code) [JP]: 
     70State or Province Name (full name) [Ibaraki]: 
     71Locality Name (eg, city) [Tsukuba]: 
     72Organization Name (eg, company) [mitty.jp]: 
     73Organizational Unit Name (eg, section) []:OpenVPN Server 
     74Common Name (eg, your name or your server's hostname) [server]:server.mitty.jp 
     75Email Address [root (X) mitty.jp]: 
     76 
     77Please enter the following 'extra' attributes 
     78to be sent with your certificate request 
     79A challenge password []: 
     80An optional company name []: 
     81Using configuration from /etc/openvpn/easy-rsa/openssl.cnf 
     82Check that the request matches the signature 
     83Signature ok 
     84The Subject's Distinguished Name is as follows 
     85countryName           :PRINTABLE:'JP' 
     86stateOrProvinceName   :PRINTABLE:'Ibaraki' 
     87localityName          :PRINTABLE:'Tsukuba' 
     88organizationName      :PRINTABLE:'mitty.jp' 
     89organizationalUnitName:PRINTABLE:'OpenVPN Server' 
     90commonName            :PRINTABLE:'server.mitty.jp' 
     91emailAddress          :IA5STRING:'root (X) mitty.jp' 
     92Certificate is to be certified until Nov 13 13:43:33 2019 GMT (3650 days) 
     93Sign the certificate? [y/n]:y 
     94 
     95 
     961 out of 1 certificate requests certified, commit? [y/n]y 
     97Write out database with 1 new entries 
     98Data Base Updated 
     99}}} 
     100 * /etc/openvpn/easy-rsa# ./build-key client 
     101{{{ 
     102Country Name (2 letter code) [JP]: 
     103State or Province Name (full name) [Ibaraki]: 
     104Locality Name (eg, city) [Tsukuba]: 
     105Organization Name (eg, company) [mitty.jp]: 
     106Organizational Unit Name (eg, section) []:OpenVPN Client 
     107Common Name (eg, your name or your server's hostname) [client]:client.mitty.jp 
     108Email Address [root (X) mitty.jp]: 
     109 
     110Please enter the following 'extra' attributes 
     111to be sent with your certificate request 
     112A challenge password []: 
     113An optional company name []: 
     114Using configuration from /etc/openvpn/easy-rsa/openssl.cnf 
     115Check that the request matches the signature 
     116Signature ok 
     117The Subject's Distinguished Name is as follows 
     118countryName           :PRINTABLE:'JP' 
     119stateOrProvinceName   :PRINTABLE:'Ibaraki' 
     120localityName          :PRINTABLE:'Tsukuba' 
     121organizationName      :PRINTABLE:'mitty.jp' 
     122organizationalUnitName:PRINTABLE:'OpenVPN Client' 
     123commonName            :PRINTABLE:'client.mitty.jp' 
     124emailAddress          :IA5STRING:'root (X) mitty.jp' 
     125Certificate is to be certified until Nov 13 13:44:25 2019 GMT (3650 days) 
     126Sign the certificate? [y/n]:y 
     127 
     128 
     1291 out of 1 certificate requests certified, commit? [y/n]y 
     130Write out database with 1 new entries 
     131Data Base Updated 
     132}}} 
     133 * /etc/openvpn/easy-rsa# ./build-dh 
     134 
     135 * sudo ls -l /etc/openvpn/easy-rsa/keys/ 
     136{{{ 
     137-rw-r--r-- 1 root root 3928 2009-11-15 22:43 01.pem 
     138-rw-r--r-- 1 root root 3810 2009-11-15 22:44 02.pem 
     139-rw-r--r-- 1 root root 1208 2009-11-15 22:42 ca.crt 
     140-rw------- 1 root root  887 2009-11-15 22:42 ca.key 
     141-rw-r--r-- 1 root root 3810 2009-11-15 22:44 client.crt 
     142-rw-r--r-- 1 root root  712 2009-11-15 22:44 client.csr 
     143-rw------- 1 root root  887 2009-11-15 22:44 client.key 
     144-rw-r--r-- 1 root root  245 2009-11-15 22:45 dh1024.pem 
     145-rw-r--r-- 1 root root  260 2009-11-15 22:44 index.txt 
     146-rw-r--r-- 1 root root   20 2009-11-15 22:44 index.txt.attr 
     147-rw-r--r-- 1 root root   21 2009-11-15 22:43 index.txt.attr.old 
     148-rw-r--r-- 1 root root  130 2009-11-15 22:43 index.txt.old 
     149-rw-r--r-- 1 root root    3 2009-11-15 22:44 serial 
     150-rw-r--r-- 1 root root    3 2009-11-15 22:43 serial.old 
     151-rw-r--r-- 1 root root 3928 2009-11-15 22:43 server.crt 
     152-rw-r--r-- 1 root root  712 2009-11-15 22:43 server.csr 
     153-rw------- 1 root root  887 2009-11-15 22:43 server.key 
     154}}} 
     155 
    49156 * sudo mv ca.crt dh1024.pem server.* /etc/openvpn/ 
    50157{{{