Here is the situation: I had been using a one-click install script to set up ocserv on CentOS 7 and log in with a password.
Recently I wanted to try configuring certificate login by hand, but after reading the official docs and various tutorials I still don't quite understand how to generate the certificates for my situation. All I have is a BandwagonHost VPS with a freshly reinstalled system.
1. Where the docs have a domain name, can I just write the IP address instead?
2. It seems a self-signed certificate gives an "untrusted" warning at login? Which authorities issue certificates for free these days?
3. If I can live with the "untrusted" prompt every time, which certificates do I actually need to generate?
4. The official site doesn't seem to say anything about where these files should be placed, but the tutorials all differ. Does it matter?
5. Is a separate certificate generated for each user, or is one shared? How do I import the certificate into the iOS client?
Thanks, everyone.
Generating the CA
$ certtool --generate-privkey --outfile ca-key.pem
$ cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
$ certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Generating a local server certificate
The following example generates the server key and certificate pair. The key generated is an RSA one, but different types can be used by specifying the 'ecdsa' or 'dsa' options to certtool.
$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "VPN server"
dns_name = "www.example.com"
dns_name = "vpn1.example.com"
#ip_address = "1.2.3.4"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
From this point the clients need ca-cert.pem to be able to securely connect to the server.
Note that it is a better practice to use two separate RSA keys, one with the signing_key option and another with the encryption_key.
Generating an external CA-signed server certificate
$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "My server"
dns_name = "www.example.com"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool --generate-request --load-privkey server-key.pem --template server.tmpl --outfile server-cert.csr
At this point you need to provide the server-cert.csr to your CA, and they will send you the server certificate.
Generating the client certificates
Note that it is recommended to leave detailed personal information out of the certificate as it is sent in clear during TLS authentication. The following process generates a certificate and converts it to PKCS #12 that is protected by a PIN and most clients are able to import (the 3DES cipher is used in the example because it is supported by far more devices than AES).
$ certtool --generate-privkey --outfile user-key.pem
$ cat << _EOF_ >user.tmpl
cn = "user"
unit = "admins"
expiration_days = 365
signing_key
tls_www_client
_EOF_
$ certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
$ certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder
Revoking a client certificate
To revoke the previous client certificate, i.e., preventing the user from accessing the VPN resources prior to its certificate expiration, use:
$ cat << _EOF_ >crl.tmpl
crl_next_update = 365
crl_number = 1
_EOF_
$ cat user-cert.pem >>revoked.pem
$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --load-certificate revoked.pem --template crl.tmpl --outfile crl.pem
After that you may want to notify ocserv of the new CRL by using the HUP signal, or wait for it to reload it.
When there are no revoked certificates an empty revocation list should be generated as follows.
$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --template crl.tmpl --outfile crl.pem
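As an added example (not from the OP or the ocserv manual), the steps above strung together for the situation described: a server reachable only by IP, so the server template uses ip_address instead of dns_name; one certificate per user, exported as a PIN-protected PKCS#12 for the iOS client; an empty CRL; and the ocserv.conf lines that point at the files, since the directory itself is arbitrary. The 203.0.113.10 address, the user name, the file names and the default PIN are constructed placeholders.

```shell
#!/bin/sh
# gen_ocserv_certs DIR SERVER_IP USERNAME
# Private CA -> server cert whose SAN is the bare IP (no domain) -> one
# client cert per user, exported as PKCS#12 for iOS. File names, the
# 203.0.113.x address and the "changeme" PIN are constructed examples.
gen_ocserv_certs() (
    dir=$1 ip=$2 user=$3
    mkdir -p "$dir" && cd "$dir" || exit 1

    # 1. CA. Only the CA key signs anything; keep ca-key.pem off the VPN host if you can.
    certtool --generate-privkey --outfile ca-key.pem
    printf 'cn = "VPN CA"\nserial = 1\nexpiration_days = 3650\nca\nsigning_key\ncert_signing_key\ncrl_signing_key\n' >ca.tmpl
    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

    # 2. Server cert. With no domain, ip_address replaces dns_name; clients match the SAN, not the CN.
    certtool --generate-privkey --outfile server-key.pem
    printf 'cn = "VPN server"\nip_address = "%s"\nexpiration_days = 825\nsigning_key\nencryption_key\ntls_www_server\n' "$ip" >server.tmpl
    certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem \
        --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

    # 3. One cert per user; the CN becomes the ocserv username (cert-user-oid below).
    certtool --generate-privkey --outfile "$user-key.pem"
    printf 'cn = "%s"\nexpiration_days = 365\nsigning_key\ntls_www_client\n' "$user" >"$user.tmpl"
    certtool --generate-certificate --load-privkey "$user-key.pem" --load-ca-certificate ca-cert.pem \
        --load-ca-privkey ca-key.pem --template "$user.tmpl" --outfile "$user-cert.pem"
    # PKCS#12 bundle for the iOS client: key + cert + CA, PIN-protected; 3DES as in the ocserv docs.
    certtool --to-p12 --load-privkey "$user-key.pem" --load-certificate "$user-cert.pem" \
        --load-ca-certificate ca-cert.pem --p12-name "$user" --pkcs-cipher 3des-pkcs12 \
        --password "${P12_PIN:-changeme}" --outder --outfile "$user.p12"

    # 4. Empty CRL so ocserv's crl= option has a valid file from day one.
    printf 'crl_next_update = 365\ncrl_number = 1\n' >crl.tmpl
    certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem \
        --template crl.tmpl --outfile crl.pem

    # Verify both chains the way a client will before pointing ocserv at the files.
    certtool --verify --load-ca-certificate ca-cert.pem --infile server-cert.pem >/dev/null &&
        certtool --verify --load-ca-certificate ca-cert.pem --infile "$user-cert.pem" >/dev/null
)

# The ocserv.conf lines that tie it together; the directory is arbitrary, only these paths matter.
ocserv_conf_snippet() {
    printf 'auth = "certificate"\nserver-cert = %s/server-cert.pem\nserver-key = %s/server-key.pem\n' "$1" "$1"
    printf 'ca-cert = %s/ca-cert.pem\ncrl = %s/crl.pem\ncert-user-oid = 2.5.4.3\n' "$1" "$1"
}
```

Run it as `gen_ocserv_certs /etc/ocserv/certs 203.0.113.10 alice && ocserv_conf_snippet /etc/ocserv/certs`, copy alice.p12 to the phone, and send ocserv a HUP after any CRL change.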