open***搭建

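# Package setup. EPEL provides the open*** and easy-rsa packages on CentOS/RHEL,
# so it has to be enabled first and the metadata refreshed afterwards.
yum install -y epel-release

# "makecache" is a yum subcommand, not a package name (yum cannot resolve it
# inside an install list); run it on its own to refresh the EPEL metadata.
yum makecache

# Build/runtime dependencies: OpenSSL, LZO compression and PAM headers, plus
# the autotools bits used if open*** is ever rebuilt from source.
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

# The service itself and the easy-rsa 3 PKI helper scripts.
yum install -y open*** easy-rsa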

# Stage easy-rsa 3 next to the service so the CA and the server configuration
# live together under /etc/open***.
cp -R -- /usr/share/easy-rsa/ /etc/open***/

# Stock server.conf shipped in the package documentation (path is pinned to
# the installed open*** build; adjust if the package version differs).
cp -- /usr/share/doc/open***-2.4.6-1/sample/sample-config-files/server.conf /etc/open***/

# Seed the easy-rsa "vars" file from the package example; it is edited below.
cp -r -- /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/open***/easy-rsa/3.0/vars

修改第45、65、76、84-89、97、105、113、117、134、139、171、180、192行:
# easy-rsa 3 "vars" settings (sourced by ./easyrsa). set_var only assigns when
# the variable is not already set in the environment, so each of these can be
# overridden per invocation.

# Paths: the easy-rsa working directory and the PKI tree beneath it. Because
# EASYRSA is taken from $PWD, ./easyrsa must be run from the easy-rsa directory.
set_var EASYRSA "${PWD}"
set_var EASYRSA_PKI "${EASYRSA}/pki"

# Subject handling: "cn_only" issues certificates whose DN carries just the
# Common Name; the REQ_* values are the organisation defaults offered at the
# prompts when a full DN is used.
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "HB"
set_var EASYRSA_REQ_CITY "WH"
set_var EASYRSA_REQ_ORG "Open×××"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Open××× EASY CA"

# Key material: 2048-bit RSA with SHA-256 signatures. Lifetimes are in days
# (CA roughly 19 years, leaf certificates 10 years); with lifetimes this long,
# revocation via gen-crl is the only way to cut a compromised leaf short, so
# keep the CRL workflow in place.
set_var EASYRSA_KEY_SIZE "2048"
set_var EASYRSA_ALGO "rsa"
set_var EASYRSA_CA_EXPIRE "7000"
set_var EASYRSA_CERT_EXPIRE "3650"

# Legacy Netscape certificate extensions are off; the comment is only emitted
# when NS_SUPPORT is "yes".
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "Open××× CERTIFICATE AUTHORITY"

# x509 extension profiles and the OpenSSL config template bundled with easy-rsa.
set_var EASYRSA_EXT_DIR "${EASYRSA}/x509-types"
set_var EASYRSA_SSL_CONF "${EASYRSA}/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"

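# Work from the easy-rsa directory: vars derives EASYRSA from $PWD, so a failed
# cd would otherwise run the following steps (and create a PKI) somewhere else.
cd /etc/open***/easy-rsa/3.0 || exit 1

# Create an empty pki/ tree, then the CA. build-ca is interactive: it asks for
# a CA key passphrase (twice) and the CA's Common Name. The CA key is the root
# of trust for every client and server certificate issued below; keep its
# passphrase and pki/private/ out of any copy that leaves this host.
./easyrsa init-pki
./easyrsa build-ca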
設置ca密碼(輸入兩次):ca.com
hostname:ca

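# Diffie-Hellman parameters for the server (this step is slow).
./easyrsa gen-dh

# Static TLS-auth key: a shared secret held by the server and every client
# (presumably referenced by server.conf, which is not shown here). Treat it
# like a private key: restrict it to the owner before and after copying, since
# cp does not guarantee the mode the generator chose.
open*** --genkey --secret ta.key
chmod 600 ta.key
cp -- ta.key /etc/open***/
chmod 600 /etc/open***/ta.key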

創建服務端證書,生成請求,使用gen-req來生成req
./easyrsa gen-req server
設置server密碼(輸入兩次):openserver.com

簽發證書,簽約服務端證書
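# Sign the server request with the CA. This is interactive: easy-rsa asks for
# confirmation (type "yes") and then for the CA key passphrase set in build-ca.
# Those answers are typed at the prompts and must not be written as bare
# command lines: as commands, "yes" floods stdout forever and "passwd" starts
# changing the invoking user's (root's) password.
./easyrsa sign-req server server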

生成windows客戶端用戶:
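# Credentials for the Windows client "web1": request, key and signed
# certificate in one step. build-client-full prompts for
#   (a) a passphrase for the new client key - press Enter for none, or set one
#       (the client must then enter it on every connect); an unencrypted key
#       means possession of the file alone is enough to connect, and
#   (b) the CA key passphrase to sign the request.
# Type these at the prompts; do not script them as a bare "passwd" line, which
# would run the passwd(1) utility instead.
./easyrsa build-client-full web1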

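# Inspect the PKI. It lives under the easy-rsa copy where ./easyrsa was run
# (/etc/open***/easy-rsa/3.0/pki, as EASYRSA_PKI derives from $PWD), not under
# /usr/share/easy-rsa. "ll" is an interactive alias, so use ls -l in scripts.
ls -l -- /etc/open***/easy-rsa/3.0/pki/private/
ls -l -- /etc/open***/easy-rsa/3.0/pki/
ls -l -- /etc/open***/easy-rsa/3.0/pki/issued/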

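# Enable IPv4 forwarding so the server can route between the tunnel and its
# networks. Persist the setting in /etc/sysctl.conf without an interactive
# editor (a bare "net.ipv4.ip_forward = 1" line would be executed as a command
# in a script), then apply it.
# Forwarding turns this host into a router: pair it with firewall rules that
# limit which traffic is forwarded (not covered here).
if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
fi
sysctl -p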

systemctl start open***@server

客戶端需要的證書:web1.crt、web1.key、ca.crt、ta.key
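# Collect what the client needs: its certificate and private key, the CA
# certificate and the shared TLS-auth key. web1.key and ta.key are secrets:
# keep the staging directory and the key files owner-only, move them to the
# client over an authenticated channel, and delete the copies here afterwards.
# (The import-req flow - request generated on the client, only the .req sent
# to the CA - keeps the client key off the server entirely.)
mkdir -p -m 700 /etc/open***/client
cp -- /etc/open***/easy-rsa/3.0/pki/issued/web1.crt /etc/open***/client/
cp -- /etc/open***/easy-rsa/3.0/pki/private/web1.key /etc/open***/client/
cp -- /etc/open***/easy-rsa/3.0/pki/ca.crt /etc/open***/client/
cp -- /etc/open***/ta.key /etc/open***/client/
chmod 600 /etc/open***/client/web1.key /etc/open***/client/ta.key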

撤銷命令revoke
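# Revocation. Must run in the CA directory (vars derives EASYRSA from $PWD).
cd /etc/open***/easy-rsa/3.0 || exit 1

# Mark web1's certificate revoked in the CA database (asks for confirmation
# and the CA passphrase).
./easyrsa revoke web1

# Regenerate the CRL (written to pki/crl.pem; asks for the CA passphrase).
# Revocation has no effect on the running server until server.conf points at
# the CRL with "crl-verify" - which is not shown here and must be verified.
# The file has to be readable by the open*** process, which may run
# unprivileged, so it is published world-readable next to the service config.
./easyrsa gen-crl
cp -- pki/crl.pem /etc/open***/crl.pem
chmod 644 /etc/open***/crl.pem

# Restart so the updated CRL is definitely in effect; this also terminates the
# revoked client's existing session (and everyone else's).
systemctl restart open***@server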

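# Condensed server bootstrap. It assumes the current directory is an easy-rsa 3
# checkout (the cd is not shown here) and creates a CA with default vars.
cp vars.example vars
./easyrsa init-pki
./easyrsa build-ca
# "nopass" leaves the server key unencrypted so the service can start
# unattended; the key file's permissions are then its only protection.
./easyrsa gen-req server nopass
# Sign the server certificate. "sign-req" is the documented subcommand (and the
# one used in the first sequence); "sign" appears to be an undocumented alias.
./easyrsa sign-req server server
# Create the Diffie-Hellman parameters.
./easyrsa gen-dh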

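# Client side: build the client's own PKI and a request for "orangleliu". The
# private key stays on the client; only the .req goes to the CA.
# init-pki removes an existing pki/ tree, so this must run in the client's own
# easy-rsa copy - never in the server's CA directory. Refuse if a CA is present.
if [ -e pki/ca.crt ]; then
  printf 'refusing init-pki: pki/ca.crt exists in %s (is this the CA directory?)\n' "$PWD" >&2
  exit 1
fi
./easyrsa init-pki
./easyrsa gen-req orangleliu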

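# CA side: import the client's request and sign it.
# NOTE(review): this directory (easy-rsa/easyrsa3) differs from the
# easy-rsa/3.0 directory used for the CA above; confirm which checkout holds
# the CA before running.
cd /etc/open***/easy-rsa/easyrsa3/ || exit 1
# The .req carries only the public key and DN, so it can be transferred over
# any channel; how it reached /home/client/... is not shown here. Verify it
# came from the intended user before signing.
./easyrsa import-req /home/client/easy-rsa/easyrsa3/pki/reqs/orangleliu.req orangleliu
# "sign-req" is the documented subcommand; "sign" appears to be an alias of it.
./easyrsa sign-req client orangleliu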