Configuring an OpenVPN server with CA authentication on Windows

Download and install OpenVPN:

Download the OpenVPN installer with Flashget or any other method, then install it. Remember to select the easy-rsa component,
the batch scripts used to manage the CA.

http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe

After installation, easy-rsa is in C:\Program Files\OpenVPN\.

Now start configuring:
Rename vars.bat.sample in the easy-rsa directory to vars.bat and edit its contents:
==================================
set KEY_COUNTRY=CN
set KEY_PROVINCE=Liaoning
set KEY_CITY=Shenyang
set KEY_ORG=OpenVPN
set KEY_EMAIL=[email protected]
==================================
The rest does not need to be changed; replace the part above with your own settings.

Rename openssl.cnf.sample in easy-rsa to openssl.cnf.

Then open cmd.exe
=============================================
Microsoft Windows XP [版本 5.1.2600]
(C) 版權所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd "\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
系統找不到指定的文件。
已複製         1 個文件。
已複製         1 個文件。

C:\Program Files\OpenVPN\easy-rsa>

Generate the Root CA
Usage: build-ca.bat
Output: keys/ca.crt keys/ca.key
======================================================================
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
......++++++
.........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:OpenVPN RootCA
Email Address [[email protected]]:

C:\Program Files\OpenVPN\easy-rsa>

Generate the dh1024.pem file, which the server needs for TLS.
Usage: build-dh.bat
Output: keys/dh1024.pem
============================================================================
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
warning, not much extra random data, consider using the -rand option
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

C:\Program Files\OpenVPN\easy-rsa>

Now generate the certificate used by the server:
Usage: build-key-server.bat <filename>
Output: keys/<filename>.crt keys/<filename>.csr keys/<filename>.key
================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server01
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
................++++++
.....++++++
writing new private key to 'keys\server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:Server01
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'Server01'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Feb  9 10:01:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Now issue a certificate for the client:
Usage: build-key.bat <filename>
Output: keys/<filename>.crt keys/<filename>.csr keys/<filename>.key
===========================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key.bat elm
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
.....................................................++++++
...................................................++++++
writing new private key to 'keys\elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:ELM
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'ELM'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Feb  9 10:05:53 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Now generate the ta.key file (the shared TLS authentication key used by tls-auth)
Usage: openvpn --genkey --secret keys/ta.key
Output: keys/ta.key
=========================================================================
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys/ta.key

C:\Program Files\OpenVPN\easy-rsa>

OK, the keys are done. Now write the configuration files.
Contents of server01.ovpn:
----------------CUT Here-------------
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
--------------Cut Here-----------------
Put the configuration file in C:\Program Files\OpenVPN\config\.
Copy ca.crt, server01.crt, server01.key, ta.key and dh1024.pem from easy-rsa\keys\
into the directory containing server01.ovpn.

The server configuration is complete and the server can be started: right-click the OpenVPN GUI icon in the system tray and choose Connect.
To have it start automatically when the server boots, open "Control Panel" > "Administrative Tools" > "Services" and set the OpenVPN service to start automatically.

Client configuration file:
-------------Cut Here---------------------
client
dev tap
proto udp

remote 61.1.1.2 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.0.0 255.255.252.0
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

ca ca.crt
cert elm.crt
key elm.key

ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
--------------Cut Here---------------------
Also put ca.crt, elm.crt, elm.key and ta.key from easy-rsa/keys into the client's
<OPENVPN_HOME>\config directory.

The client configuration is complete and it can connect to the server: right-click the OpenVPN GUI icon in the system tray and choose Connect.

OK, the whole configuration is done.
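The following is an added example (not part of the original post) that audits the two configuration files above: it parses .ovpn directives the way OpenVPN treats them (";" disables a line, "#" starts a comment) and flags the settings that matter for the CA-based setup: tls-auth with the right key direction on each side, the commented-out crl-verify and duplicate-cn on the server, and the client's check that the peer presents a server certificate (ns-cert-type here; remote-cert-tls is the newer equivalent). The two embedded configs are constructed, shortened copies of the page's server01.ovpn and client file.

```python
# Added example, not part of the original post: a quick audit of the two
# .ovpn files above. Both configs here are constructed, shortened copies.
SERVER_CONF = """\
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
;duplicate-cn
tls-auth ta.key 0 # This file is secret
"""
CLIENT_CONF = """\
client
remote 61.1.1.2 1194
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
"""

def parse_ovpn(text):
    # Map each active directive to its arguments; ';' disables a line, '#' starts a comment.
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            conf[name] = args
    return conf

def audit(text, role):
    # Return human-readable findings for a "server" or "client" config.
    conf, findings = parse_ovpn(text), []
    for needed in ("ca", "cert", "key", "tls-auth"):
        if needed not in conf:
            findings.append(f"missing {needed}")
    if "tls-auth" in conf:  # key direction must be 0 on server, 1 on client
        want = "0" if role == "server" else "1"
        if conf["tls-auth"][1:2] != [want]:
            findings.append(f"tls-auth direction should be {want}")
    if role == "server":
        if "duplicate-cn" in conf:
            findings.append("duplicate-cn lets one certificate serve many clients")
        if "crl-verify" not in conf:
            findings.append("no crl-verify: revoked client certificates still accepted")
    elif "ns-cert-type" not in conf and "remote-cert-tls" not in conf:
        findings.append("client does not verify the peer is a server certificate")
    return findings
```

Run against the page's server file it reports only the disabled crl-verify, which means a client certificate revoked with the easy-rsa revoke scripts would still be accepted until that line is enabled; note also that user nobody and group nobody are Unix-only options that OpenVPN on Windows ignores.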

To issue certificates for other users, just do the following:
Open cmd.exe

cd <OPENVPN_HOME>\easy-rsa
vars.bat
build-key.bat <filename>

Files the client needs:

client.ovpn (some settings need to be changed)
ca.crt
<filename>.crt
<filename>.key (<filename> is the file name, e.g. elm)
ta.key
