OpenVPN Package Installation

  1. Install the packages.
    [root@dyw219 ~]# yum install openvpn easy-rsa
    
  2. Create an easy-rsa script subdirectory under /etc/openvpn and copy the default easy-rsa files into it.
    [root@dyw219 ~]# mkdir -p /etc/openvpn/easy-rsa/keys
    [root@dyw219 ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
    
  3. Edit the country, organisation, email and other details that will go into the certificates.
    [root@dyw219 ~]# vim /etc/openvpn/easy-rsa/vars 
    [root@dyw219 ~]# grep '^export KEY_COUNTRY' -A6 /etc/openvpn/easy-rsa/vars
    export KEY_COUNTRY="TW"
    export KEY_PROVINCE="Taiwan"
    export KEY_CITY="Taichung"
    export KEY_ORG="CYUT"
    export KEY_EMAIL="dywang@csie.cyut.edu.tw"
    export KEY_OU="CSIE"
    
  4. Change into /etc/openvpn/easy-rsa, create the openssl.cnf configuration file, load the variables, and clear all existing keys.
    [root@dyw219 ~]# cd /etc/openvpn/easy-rsa/
    [root@dyw219 easy-rsa]# cp openssl-1.0.0.cnf openssl.cnf
    [root@dyw219 easy-rsa]# source ./vars  
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
    [root@dyw219 easy-rsa]# ./clean-all
    
  5. Generate the CA certificate and key.
    [root@dyw219 easy-rsa]# ./build-ca 
    Generating a 2048 bit RSA private key
    .................................+++
    .............................................................+++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [TW]:
    State or Province Name (full name) [Taiwan]:
    Locality Name (eg, city) [Taichung]:
    Organization Name (eg, company) [CYUT]:
    Organizational Unit Name (eg, section) [CSIE]:
    Common Name (eg, your name or your server's hostname) [CYUT CA]:
    Name [EasyRSA]:
    Email Address [dywang@csie.cyut.edu.tw]:
    
  6. Generate the server certificate and key, signed by the CA. (The first run below was aborted with Ctrl-C after a challenge password had been typed; the second run leaves the challenge password and the optional company name blank.)
    [root@dyw219 easy-rsa]# ./build-key-server server
    Generating a 2048 bit RSA private key
    ......................................+++
    ..............+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [TW]:
    State or Province Name (full name) [Taiwan]:
    Locality Name (eg, city) [Taichung]:
    Organization Name (eg, company) [CYUT]:
    Organizational Unit Name (eg, section) [CSIE]:
    Common Name (eg, your name or your server's hostname) [server]:
    Name [EasyRSA]:
    Email Address [dywang@csie.cyut.edu.tw]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:jdne&Gsw83A
    An optional company name []:^C
    [root@dyw219 easy-rsa]# ./build-key-server server
    Generating a 2048 bit RSA private key
    ............................................................................
    ............................................................................+++
    ......+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [TW]:
    State or Province Name (full name) [Taiwan]:
    Locality Name (eg, city) [Taichung]:
    Organization Name (eg, company) [CYUT]:
    Organizational Unit Name (eg, section) [CSIE]:
    Common Name (eg, your name or your server's hostname) [server]:
    Name [EasyRSA]:
    Email Address [dywang@csie.cyut.edu.tw]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'TW'
    stateOrProvinceName   :PRINTABLE:'Taiwan'
    localityName          :PRINTABLE:'Taichung'
    organizationName      :PRINTABLE:'CYUT'
    organizationalUnitName:PRINTABLE:'CSIE'
    commonName            :PRINTABLE:'server'
    name                  :PRINTABLE:'EasyRSA'
    emailAddress          :IA5STRING:'dywang@csie.cyut.edu.tw'
    Certificate is to be certified until Apr 22 01:07:30 2026 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
  7. Generate the client certificate and key, signed by the CA.
    [root@dyw219 easy-rsa]# ./build-key client
    Generating a 2048 bit RSA private key
    ..................+++
    .............+++
    writing new private key to 'client.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [TW]:
    State or Province Name (full name) [Taiwan]:
    Locality Name (eg, city) [Taichung]:
    Organization Name (eg, company) [CYUT]:
    Organizational Unit Name (eg, section) [CSIE]:
    Common Name (eg, your name or your server's hostname) [client]:
    Name [EasyRSA]:
    Email Address [dywang@csie.cyut.edu.tw]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'TW'
    stateOrProvinceName   :PRINTABLE:'Taiwan'
    localityName          :PRINTABLE:'Taichung'
    organizationName      :PRINTABLE:'CYUT'
    organizationalUnitName:PRINTABLE:'CSIE'
    commonName            :PRINTABLE:'client'
    name                  :PRINTABLE:'EasyRSA'
    emailAddress          :IA5STRING:'dywang@csie.cyut.edu.tw'
    Certificate is to be certified until Apr 22 01:09:59 2026 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
  8. Generate the Diffie-Hellman (DH) parameters; this takes a while.
    [root@dyw219 easy-rsa]# ./build-dh 
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ...............................+.
    
  9. Change into /etc/openvpn/easy-rsa/keys and copy the four files dh2048.pem, ca.crt, server.crt and server.key to the /etc/openvpn directory.
    [root@dyw219 easy-rsa]# cd /etc/openvpn/easy-rsa/keys/
    [root@dyw219 keys]# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
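Once the CA has signed the server and client certificates (steps 6 and 7 write them into the keys/index.txt database) and the private keys have been copied into place, two things are worth checking routinely: which certificates the CA still considers valid, and whether any private key is readable by non-root users. The script below is an added example written for this tutorial, not part of the original page or of easy-rsa. It assumes the easy-rsa 2.0 layout used above (keys/index.txt next to the *.key files) and the OpenSSL CA index format: one tab-separated line per issued certificate with the fields status (V, R or E), expiry, revocation date, serial, filename and subject DN. The sample index and the demo key directory are constructed; the two "V" rows reuse the DNs and expiry times shown in the output above, and the revoked "oldlaptop" row is invented.

```python
"""Audit an easy-rsa 2.0 CA: the index.txt database and private-key permissions.

Added example, not part of the original tutorial. Assumes the OpenSSL CA index
format used by easy-rsa 2.0 (status, expiry, revocation-date, serial, filename,
subject-DN, tab-separated) and *.key files stored beside index.txt.
"""
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed sample of keys/index.txt. The two "V" rows mirror the server and
# client certificates signed in steps 6 and 7 (expiry taken from that output);
# the "R" row is an invented, already revoked client certificate.
DN_PREFIX = "/C=TW/ST=Taiwan/L=Taichung/O=CYUT/OU=CSIE"
DN_SUFFIX = "/name=EasyRSA/emailAddress=dywang@csie.cyut.edu.tw"
SAMPLE_INDEX = "\n".join([
    "V\t260422010730Z\t\t01\tunknown\t%s/CN=server%s" % (DN_PREFIX, DN_SUFFIX),
    "V\t260422010959Z\t\t02\tunknown\t%s/CN=client%s" % (DN_PREFIX, DN_SUFFIX),
    "R\t260501000000Z\t160601120000Z\t03\tunknown\t%s/CN=oldlaptop%s" % (DN_PREFIX, DN_SUFFIX),
]) + "\n"


def parse_asn1_time(value):
    """Parse the YYMMDDHHMMSSZ UTCTime used in index.txt into an aware datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per index.txt row: status, expiry, revoked, serial, cn, dn."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _filename, dn = fields
        cn = next((part[3:] for part in dn.split("/") if part.startswith("CN=")), None)
        entries.append({
            "status": status,
            "expiry": parse_asn1_time(expiry),
            "revoked": parse_asn1_time(revoked) if revoked else None,
            "serial": serial,
            "cn": cn,
            "dn": dn,
        })
    return entries


def audit_index(text, now=None, warn_days=30):
    """List revoked, expired and soon-to-expire certificates, and duplicate CNs.

    `now` may be an aware datetime or a "YYYY-MM-DD" string (treated as UTC);
    it defaults to the current time. OpenVPN identifies a client by the CN of
    its certificate, so two valid certificates sharing a CN share one identity.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = []
    valid_by_cn = {}
    for e in parse_index(text):
        label = "serial %s CN=%s" % (e["serial"], e["cn"])
        if e["status"] == "R":
            findings.append("revoked: %s (revoked %s)" % (label, e["revoked"].date()))
            continue
        if e["status"] == "E" or e["expiry"] <= now:
            findings.append("expired: %s (expired %s)" % (label, e["expiry"].date()))
            continue
        if (e["expiry"] - now).days < warn_days:
            findings.append("expiring soon: %s (expires %s)" % (label, e["expiry"].date()))
        if e["cn"] in valid_by_cn:
            findings.append("duplicate CN: %s also issued as serial %s"
                            % (label, valid_by_cn[e["cn"]]))
        else:
            valid_by_cn[e["cn"]] = e["serial"]
    return findings


def audit_key_permissions(dirpath):
    """Return the names of *.key files in dirpath that group or others can access."""
    offending = []
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".key"):
            continue
        mode = os.stat(os.path.join(dirpath, name)).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            offending.append(name)
    return offending


def make_demo_keys_dir():
    """Create a constructed keys directory: one world-readable key, one root-only key."""
    path = tempfile.mkdtemp(prefix="easyrsa-demo-")
    for name, mode in (("server.key", 0o644), ("ca.key", 0o600)):
        full = os.path.join(path, name)
        open(full, "w").close()
        os.chmod(full, mode)
    return path


if __name__ == "__main__":
    for finding in audit_index(SAMPLE_INDEX, "2016-04-25"):
        print(finding)
    print("keys with loose permissions:", audit_key_permissions(make_demo_keys_dir()))
```

Pointing `audit_index` at the real file is a matter of `audit_index(open("/etc/openvpn/easy-rsa/keys/index.txt").read())`, and `audit_key_permissions("/etc/openvpn")` checks the directory the keys were just copied into; the server.key copied in step 9 should show up only if its mode was left more permissive than owner-only.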