OpenVPN ships with a set of CA-related scripts that are rather messy, and using them never felt particularly easy. The new version consolidates the files; GitHub: https://github.com/OpenVPN/easy-rsa
Easy-RSA 3.0 was released today.
Configuration
Setting it up is straightforward: put the following files in the same directory, or download the official release and rename vars.example to vars.
- easyrsa
- openssl-1.0.cnf
- vars
- x509-types
Earlier versions required editing the vars file and then loading it with source; the new version accepts --vars=/path/to/vars or can be driven entirely by command-line arguments.
The vars file needs to be configured; the comments in the file explain each setting. Here is a reference version.
    set_var EASYRSA "$PWD"
    set_var EASYRSA_PKI "$EASYRSA/pki"
    set_var EASYRSA_DN "cn_only"
    set_var EASYRSA_REQ_COUNTRY "CN"
    set_var EASYRSA_REQ_PROVINCE "Beijing"
    set_var EASYRSA_REQ_CITY "Beijing"
    set_var EASYRSA_REQ_ORG "SSKAJE CERTIFICATE AUTHORITY"
    set_var EASYRSA_REQ_EMAIL "sskaje@gmail.com"
    set_var EASYRSA_REQ_OU "SSKAJE EASY CA"
    set_var EASYRSA_KEY_SIZE 2048
    set_var EASYRSA_ALGO rsa
    set_var EASYRSA_CA_EXPIRE 7500
    set_var EASYRSA_CERT_EXPIRE 365
    set_var EASYRSA_NS_SUPPORT "no"
    set_var EASYRSA_NS_COMMENT "SSKAJE CERTIFICATE AUTHORITY"
    set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
    set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
    set_var EASYRSA_DIGEST "sha256"
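As an added check that is not part of the original post or of Easy-RSA itself, the Python below parses a vars file in the set_var form shown above (expanding $PWD and $EASYRSA the way the shell would, with an already-exported variable taking precedence as Easy-RSA's set_var helper does) and flags the settings a CA operator should reject: an RSA key under 2048 bits, an MD5 or SHA-1 signing digest, and a leaf lifetime longer than the CA's own. The audit thresholds and the fallback defaults are my assumptions; the sample text is a trimmed copy of the vars file above.

```python
import re
from typing import Dict, List

# Accepts both forms used in a vars file:  set_var NAME "value"  and  set_var NAME value
SET_VAR_RE = re.compile(r'^\s*set_var\s+([A-Z0-9_]+)\s+(?:"([^"]*)"|(\S+))\s*$')
VAR_REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')

def parse_vars(text: str, env: Dict[str, str]) -> Dict[str, str]:
    """Evaluate set_var lines in order, expanding $NAME from earlier lines or from env."""
    settings: Dict[str, str] = dict(env)   # env wins: Easy-RSA's set_var keeps an exported value
    for line in text.splitlines():
        m = SET_VAR_RE.match(line)
        if not m or m.group(1) in env:      # skip comments, blank lines and env-overridden names
            continue
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        settings[m.group(1)] = VAR_REF_RE.sub(lambda r: settings.get(r.group(1), ""), raw)
    return {k: v for k, v in settings.items() if k.startswith("EASYRSA")}

def audit_vars(s: Dict[str, str]) -> List[str]:
    """Flag settings a CA operator should reject; assumed defaults are used where a key is unset."""
    findings: List[str] = []
    key_size = int(s.get("EASYRSA_KEY_SIZE", "2048"))
    if s.get("EASYRSA_ALGO", "rsa") == "rsa" and key_size < 2048:
        findings.append(f"EASYRSA_KEY_SIZE={key_size}: RSA keys under 2048 bits are too weak for a CA")
    digest = s.get("EASYRSA_DIGEST", "sha256").lower()
    if digest in ("md5", "sha1"):
        findings.append(f"EASYRSA_DIGEST={digest}: broken hash, modern clients reject such signatures")
    ca_days = int(s.get("EASYRSA_CA_EXPIRE", "3650"))
    cert_days = int(s.get("EASYRSA_CERT_EXPIRE", "3650"))
    if cert_days > ca_days:
        findings.append(f"EASYRSA_CERT_EXPIRE={cert_days} exceeds EASYRSA_CA_EXPIRE={ca_days}: leaves would outlive the CA")
    return findings

# Constructed sample: a trimmed copy of the vars file above, plus a deliberately weakened variant.
POST_VARS = """\
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"
"""
WEAK_VARS = POST_VARS.replace("KEY_SIZE 2048", "KEY_SIZE 1024").replace('"sha256"', '"sha1"')

if __name__ == "__main__":
    for finding in audit_vars(parse_vars(WEAK_VARS, {"PWD": "/Users/sskaje/Work/CA/Easy"})):
        print("WARN", finding)
```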
Initialize the PKI
The pki directory has to be created first; earlier versions required running a clean-all script for this.
    $ ./easyrsa init-pki
    Note: using Easy-RSA configuration from: ./vars

    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /Users/sskaje/Work/CA/Easy/pki
Create the CA
Since EASYRSA_DN is set to cn_only, creating the CA is simple.
If it is set to org instead, many more fields are prompted for, or are loaded from the vars file.
    $ ./easyrsa build-ca
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    ...................................................................................................................................+++
    ........+++
    writing new private key to '/Users/sskaje/Work/CA/Easy/pki/private/ca.key.NoYqS71N95'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:SSKAJE CERTIFICATE AUTHORITY

    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /Users/sskaje/Work/CA/Easy/pki/ca.crt
Create DH parameters
The Diffie-Hellman parameters are created with openssl dhparam. The OpenVPN documentation only mentions sizes 1024 and 2048, so I did not set EASYRSA_KEY_SIZE in the vars file to 4096.
The easyrsa 3 command is
    $ ./easyrsa gen-dh
    Note: using Easy-RSA configuration from: ./vars
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ...

    DH parameters of size 2048 created at /Users/sskaje/Work/CA/Easy/pki/dh.pem
Generate certificates
Generating a certificate takes just two steps: generate a request file, then sign a certificate from that request.
easy-rsa 3.0 requires a type to be specified when signing; the allowed values are the file names in the x509-types directory, which include
- server: TLS server, for HTTPS servers and VPN servers
- client: TLS client, for web browsers and VPN clients
- ca: for issuing sub-CA certificates
gen-req, build-client-full and build-server-full accept the nopass argument to generate an unencrypted private key.
Generate a request
Use gen-req to generate the request.
    $ ./easyrsa gen-req sskaje.me
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    ..............................................+++
    .+++
    writing new private key to '/Users/sskaje/Work/CA/Easy/pki/private/sskaje.me.key.z2IC0ZfUOT'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [sskaje.me]:

    Keypair and certificate request completed. Your files are:
    req: /Users/sskaje/Work/CA/Easy/pki/reqs/sskaje.me.req
    key: /Users/sskaje/Work/CA/Easy/pki/private/sskaje.me.key
Sign the certificate
When signing, the type must be specified; see the notes above.
    $ ./easyrsa sign-req server sskaje.me
    Note: using Easy-RSA configuration from: ./vars

    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a server certificate for 365 days:

    subject=
        commonName                = sskaje.me

    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes
    Using configuration from /Users/sskaje/Work/CA/Easy/openssl-1.0.cnf
    Enter pass phrase for /Users/sskaje/Work/CA/Easy/pki/private/ca.key:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'sskaje.me'
    Certificate is to be certified until Sep  2 11:25:55 2016 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /Users/sskaje/Work/CA/Easy/pki/issued/sskaje.me.crt
Signing an external req file
If the req file was created elsewhere, import it with import-req and then sign it with sign-req.
Command syntax
    ./easyrsa import-req <request_file_path> <short_basename>
One-step creation
build-client-full and build-server-full run the gen-req and sign-req steps in one go.
    $ ./easyrsa build-client-full sskaje
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    .......................................................................................................+++
    .............................................................+++
    writing new private key to '/Users/sskaje/Work/CA/Easy/pki/private/sskaje.key.F8zYtMjGCB'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    Using configuration from /Users/sskaje/Work/CA/Easy/openssl-1.0.cnf
    Enter pass phrase for /Users/sskaje/Work/CA/Easy/pki/private/ca.key:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'sskaje'
    Certificate is to be certified until Sep  2 11:29:59 2016 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated
Revoke a certificate
Use revoke to revoke a certificate; the command format is:
    ./easyrsa revoke NAME
Generate the CRL file
A CRL is a certificate revocation list; some software requires one, OpenVPN included.
    $ ./easyrsa gen-crl
    Note: using Easy-RSA configuration from: ./vars
    Using configuration from /Users/sskaje/Work/CA/Easy/openssl-1.0.cnf
    Enter pass phrase for /Users/sskaje/Work/CA/Easy/pki/private/ca.key:
    mv: /Users/sskaje/Work/CA/Easy/pki/crl.pem.cAoaNS5A1v: No such file or directory

    An updated CRL has been created.
    CRL file: /Users/sskaje/Work/CA/Easy/pki/crl.pem
Export PKCS 7/PKCS 12
Use export-p7 and export-p12 to produce PKCS 7/PKCS 12 files.
Two options are supported: noca and nokey.
    $ ./easyrsa export-p7 sskaje
    Note: using Easy-RSA configuration from: ./vars

    Successful export of p7 file. Your exported file is at the following location:
    /Users/sskaje/Work/CA/Easy/pki/issued/sskaje.p7b

    $ ./easyrsa export-p12 sskaje
    Note: using Easy-RSA configuration from: ./vars
    Enter pass phrase for /Users/sskaje/Work/CA/Easy/pki/private/sskaje.key:
    Enter Export Password:
    Verifying - Enter Export Password:

    Successful export of p12 file. Your exported file is at the following location:
    /Users/sskaje/Work/CA/Easy/pki/private/sskaje.p12
View a certificate/View a request
Use show-cert to view a certificate and show-req to view a request; the argument is the name given when the request was created.
Update the database
    $ ./easyrsa update-db
    Note: using Easy-RSA configuration from: ./vars
    Using configuration from /Users/sskaje/Work/CA/Easy/openssl-1.0.cnf
    Enter pass phrase for /Users/sskaje/Work/CA/Easy/pki/private/ca.key:
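As an added example for the revoke, gen-crl and update-db steps (not from the post or from Easy-RSA), this Python parses the pki/index.txt database that openssl ca maintains for the CA and answers the two questions those commands act on: which entries still marked valid have expired (what update-db marks E) and which revoked serials the CRL must list. The index layout follows OpenSSL's tab-separated format; the sample database and the check date are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class IndexEntry:
    status: str                  # V = valid, R = revoked, E = expired (written by update-db)
    expires: datetime
    revoked: Optional[datetime]
    reason: Optional[str]
    serial: str
    subject: str

def parse_asn1_time(s: str) -> datetime:
    """OpenSSL writes YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[IndexEntry]:
    """One entry per line: status, notAfter, revocation[,reason], serial, file name, subject."""
    entries: List[IndexEntry] = []
    for line in text.strip().splitlines():
        status, exp, rev, serial, _fname, subject = line.split("\t")
        rev_time = reason = None
        if rev:                                   # only revoked (R) lines carry this field
            rev_date, _, reason = rev.partition(",")
            rev_time, reason = parse_asn1_time(rev_date), (reason or None)
        entries.append(IndexEntry(status, parse_asn1_time(exp), rev_time, reason, serial, subject))
    return entries

def needs_update_db(entries: List[IndexEntry], now: datetime) -> List[str]:
    """Serials still marked V whose notAfter has passed: what `easyrsa update-db` flips to E."""
    return [e.serial for e in entries if e.status == "V" and e.expires <= now]

def crl_serials(entries: List[IndexEntry]) -> List[str]:
    """Serials the CRL written by `easyrsa gen-crl` must contain."""
    return [e.serial for e in entries if e.status == "R"]

# Constructed sample database; names and expiry dates follow the certificates issued in this post.
SAMPLE_INDEX = (
    "V\t160902112555Z\t\t01\tunknown\t/CN=sskaje.me\n"
    "R\t160902112959Z\t151001080000Z\t02\tunknown\t/CN=sskaje\n"
    "V\t150801000000Z\t\t03\tunknown\t/CN=old-client\n"
    "R\t160902112959Z\t151001080000Z,keyCompromise\t04\tunknown\t/CN=laptop\n"
)
CHECK_TIME = parse_asn1_time("151002000000Z")     # constructed "now": 2 Oct 2015 UTC
if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print("run update-db for:", needs_update_db(db, CHECK_TIME), "must be in CRL:", crl_serials(db))
```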