OpenVPN and certificate ramblings

Just some notes for me to remember what to do when the certificates expire.

Reading from /root/sslCA/citeste.ma:

switched certificate generation to easyrsa
(partly based on: https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/ )
(the commands have changed compared to the doc above)

How to use:

1. Initialise/create the certificate authority (CA):

cd /usr/local/share/easy-rsa/
easyrsa init-pki                        # careful: deletes the pki/ directory with all the certificates already created
easyrsa build-ca                        # creates a new CA (the parameters are defined in vars: CACountry=RO, etc.)
                                        # will ask for the ca.crt passphrase

creates:
/usr/local/share/easy-rsa/pki/ca.crt            # the certificate authority's certificate - valid 10 years (PUBLIC)
/usr/local/share/easy-rsa/pki/private/ca.key    # the CA certificate's key (PRIVATE)

easyrsa gen-dh                          # create the Diffie-Hellman parameters (vars says how many bits - 2048 I think)
creates:
/usr/local/share/easy-rsa/pki/dh.pem            # DH parameters (PUBLIC)

2. Create the server certificate:
easyrsa build-server-full server        # server=the server's name; will ask for a passphrase for server.pem, then for the ca.crt passphrase

creates:
pki/issued/server.crt                           # server certificate (gets distributed / PUBLIC)
pki/reqs/server.req                             # server certificate request (stays on the server only / PRIVATE)
pki/private/server.key                          # server certificate key (stays on the server only / PRIVATE) !Careful: it is encrypted, won't work without the passphrase

to decrypt it:
    openssl pkey -in pki/private/server.key -out pki/private/server-decrypted.key      # rewrites the private key without a passphrase; will first ask for the passphrase from step 2

3. Create the user certificate(s):
easyrsa build-client-full aj_laptop     # aj_laptop=the client's name; will ask for a passphrase for aj_laptop.pem, then for the ca.crt passphrase

creates:
pki/issued/aj_laptop.crt                        # client certificate (gets distributed / PUBLIC)
pki/reqs/aj_laptop.req                          # client certificate request (stays on the server only / PRIVATE)
pki/private/aj_laptop.key                       # client certificate key (stays on the server only / PRIVATE) !Careful: it is encrypted, won't work without the passphrase

to decrypt it:
    openssl pkey -in pki/private/aj_laptop.key -out pki/private/aj_laptop-decrypted.key  # rewrites the private key without a passphrase; will first ask for the passphrase from step 3

4. Using the files:

4.1 On the OpenVPN server
in the file /usr/local/etc/openvpn/openvpn.conf :
        ca /usr/local/share/easy-rsa/pki/ca.crt
        cert /usr/local/share/easy-rsa/pki/issued/server.crt
        key /usr/local/share/easy-rsa/pki/private/server-decrypted.key  # This file should be kept secret ! the unencrypted version, otherwise openvpn won't start because there is nobody to type the passphrase
        dh /usr/local/share/easy-rsa/pki/dh.pem

then restart the openvpn service
        service openvpn restart

4.2 On the OpenVPN clients
in the file C:\Program Files\OpenVPN\configs\aj-laptop.ovpn

        the contents of /usr/local/share/easy-rsa/pki/ca.crt
