open*** test notes

Self-built test 1: about the cert and key files

On the server side the file has to be called ca.crt, whereas on the client side it can be renamed to something else.

Client

client
dev tap0
proto tcp
remote  123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
ca xjp.crt
cert aaa.crt
key aaa.key

 

aaa.crt and aaa.key are the downloaded files after being renamed.
Renaming them has no effect.

In other words, the server's and the client's cert and key can be seen as a public/private key pair: one end is configured with the public key, so the other end naturally has to be configured with the private key.

Self-built test 2: about ta.key

open*** --genkey --secret ta.key

If you run this command, ta.key has to be placed in the /etc/open*** directory and also in the client's directory.

Add to the open*** config file:

tls-auth ta.key 1

Server config. Note that the server uses ta.key 0 and the client uses ta.key 1; if it is not written this way, an error is reported and the connection cannot be made.

port 1194
proto tcp
dev tap0
ca ca.crt
cert gamewaveBJ.crt
key gamewaveBJ.key
dh dh1024.pem
server-bridge 192.168.9.0 255.255.255.0 192.168.9.200 192.168.9.250
push "route 192.168.9.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
Restart the server.

The file was not found, so the restart failed:
[root@normal open***]# /etc/init.d/open*** restart
Shutting down open***:                                     [  OK  ]
Starting open***:                                          [FAILED]

[root@normal open***]# open*** --genkey --secret ta.key

[root@normal open***]# /etc/init.d/open*** restart
Shutting down open***:                                     [  OK  ]
Starting open***:                                          [  OK  ]

Client
Without ta.key, the client cannot start.
After copying ta.key into the config directory, it starts successfully:
client
dev tap0
proto tcp
remote  27.111.215.31 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
ca xjp.crt
cert aaa.crt
key aaa.key
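
Both failures in tests 1 and 2 (a referenced file that is not where the config expects it, and a tls-auth direction that does not pair up) can be caught before restarting. The following check is an added example, not part of the original notes; the directory layout and config contents are constructed, and it accepts either 0/1 or 1/0 (or both sides omitting the direction), which is slightly more general than the server 0 / client 1 convention used above.

```shell
#!/bin/sh
# Added example (not from the original notes): a pre-restart sanity check for a
# pair of open*** configs. It reports files named by ca/cert/key/dh/tls-auth that
# do not exist next to the config and checks that the tls-auth key directions
# are complementary. All paths and config contents below are constructed.

# Print the referenced files missing from the config's own directory.
# Returns 0 if every ca/cert/key/dh/tls-auth file exists, 1 otherwise.
check_files() {
    cfg=$1; dir=$(dirname "$cfg"); rc=0
    for f in $(awk '$1 ~ /^(ca|cert|key|dh|tls-auth)$/ { print $2 }' "$cfg"); do
        [ -f "$dir/$f" ] || { echo "$cfg: missing $f"; rc=1; }
    done
    return $rc
}

# Print the key direction on the tls-auth line, or "none" if it is omitted.
tls_auth_dir() {
    awk '$1 == "tls-auth" { d = $3 } END { if (d == "") d = "none"; print d }' "$1"
}

# Server and client must use opposite directions (0 and 1, as in the notes)
# or both omit it. Returns 0 when the pair is consistent.
check_direction() {
    s=$(tls_auth_dir "$1"); c=$(tls_auth_dir "$2")
    { [ "$s" = 0 ] && [ "$c" = 1 ]; } || { [ "$s" = 1 ] && [ "$c" = 0 ]; } \
        || { [ "$s" = none ] && [ "$c" = none ]; }
}

# Constructed directory mirroring the notes: ta.key referenced but not generated.
setup_demo() {
    d=$(mktemp -d)
    printf 'ca ca.crt\ncert gamewaveBJ.crt\nkey gamewaveBJ.key\ndh dh1024.pem\ntls-auth ta.key 0\n' > "$d/server.conf"
    printf 'client\nca xjp.crt\ncert aaa.crt\nkey aaa.key\ntls-auth ta.key 1\n' > "$d/client.conf"
    for f in ca.crt gamewaveBJ.crt gamewaveBJ.key dh1024.pem xjp.crt aaa.crt aaa.key; do
        : > "$d/$f"
    done
    echo "$d"
}

# Stand-alone run: the first check fails exactly like the restart in the notes.
d=$(setup_demo)
check_files "$d/server.conf" || echo "restart would fail: generate ta.key first"
: > "$d/ta.key"   # stands in for: open*** --genkey --secret ta.key
check_files "$d/server.conf" && check_direction "$d/server.conf" "$d/client.conf" \
    && echo "server/client configs consistent"
rm -rf "$d"
```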

 

 

Self-built test 3: adding a password access mechanism
[root@normal 2.0]# ./build-key --pass client3
Generating a 1024 bit RSA private key
.......................................................++++++
.........++++++
writing new private key to 'client3.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

 

Self-built test 4: difference between pkitool and build-key
pkitool does not need repeated confirmation.
build-key requires confirming again and again.
[root@normal 2.0]# ./build-key --pass client3
Generating a 1024 bit RSA private key
.........................................................++++++
....++++++
writing new private key to 'client3.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [check]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client3]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'check'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'client3'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 28 07:44:24 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@normal 2.0]# ./pkitool --pass a4
Generating a 1024 bit RSA private key
................++++++
..........................++++++
writing new private key to 'a4.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'check'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'a4'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 28 07:44:39 2023 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

The official usage text (shown when pkitool is run with no argument appended) also recommends using pkitool:

  [edit vars with your site-specific info]
  source ./vars
  ./clean-all
  ./build-dh     -> takes a long time, consider backgrounding
  ./pkitool --initca
  ./pkitool --server myserver
  ./pkitool client1
  ./pkitool --pass client2
Typical usage for adding client cert to existing PKI:
  source ./vars
  ./pkitool client-new

Self-built test 5: log
Add to the server config:
log /var/log/open***.log


[root@normal open***]# tail -50 /var/log/open***.log 
Wed Jan 30 16:36:52 2013 Open*** 2.2.0 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jun  6 2011
Wed Jan 30 16:36:52 2013 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Wed Jan 30 16:36:52 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
....
Wed Jan 30 16:38:09 2013 client1/123.123.123.135:1158 Connection reset, restarting [-1]
Wed Jan 30 16:38:09 2013 client1/123.123.123.135:1158 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jan 30 16:38:09 2013 TCP/UDP: Closing socket
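
As an added example that is not part of the original notes, the following summarises connection resets per client from a log in the format above. The log lines are constructed (names and addresses are placeholders), and the summary is keyed by common name plus source address because the server config above uses duplicate-cn, so several machines may connect under one name.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise connection resets per
# client in an open*** server log laid out like the one above. Because the
# server config uses duplicate-cn, several machines may share one common name,
# so the summary is keyed by common name plus source address. Sample log lines
# are constructed; names and addresses are placeholders.

# Count "Connection reset" events for one common name across all its addresses.
reset_count() {
    awk -v cn="$2" '/Connection reset/ { split($6, a, "/"); if (a[1] == cn) n++ }
                    END { print n + 0 }' "$1"
}

# Print "<common name> <source ip> <resets>", most resets first.
reset_summary() {
    awk '/Connection reset/ { split($6, a, "/"); split(a[2], b, ":"); n[a[1] " " b[1]]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort -k3,3nr -k1,1
}

# Constructed sample log in the format the notes show.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Wed Jan 30 16:36:52 2013 Open*** 2.2.0 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jun  6 2011
Wed Jan 30 16:38:09 2013 client1/123.123.123.135:1158 Connection reset, restarting [-1]
Wed Jan 30 16:38:09 2013 client1/123.123.123.135:1158 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jan 30 16:38:09 2013 TCP/UDP: Closing socket
Wed Jan 30 16:39:41 2013 client2/10.0.0.7:40210 Connection reset, restarting [-1]
Wed Jan 30 16:39:41 2013 client2/10.0.0.7:40210 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jan 30 16:45:03 2013 client1/123.123.123.135:1162 Connection reset, restarting [-1]
Wed Jan 30 16:45:03 2013 client1/123.123.123.135:1162 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jan 30 16:47:20 2013 client1/10.0.0.9:5001 Connection reset, restarting [-1]
EOF
    echo "$f"
}

f=$(make_sample_log)
reset_summary "$f"
rm -f "$f"
```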

 
