
EasyRSA PKI notes for OpenVPN

See:

sudo apt-get install easy-rsa
make-cadir vpnpki
cd vpnpki

vars

export KEY_COUNTRY="FR"
export KEY_PROVINCE="FR"
export KEY_CITY="Paris"
export KEY_ORG="Acme"
export KEY_EMAIL="nospam@me.fr"
export KEY_OU="Acme"

(on more recent versions?) vars

set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
source ./vars
./clean-all
unlink clean-all
ln -s openssl-1.0.0.cnf openssl.cnf
./build-dh
./build-ca

The “Common Name” values must be unique.

“A challenge password” must be left empty (no password is needed to revoke the certificate).

./build-key-server nom_serveur_fqdn

For Nginx in particular:

cat keys/nom_serveur_fqdn.crt keys/ca.crt > /etc/nginx/ssl/nom_serveur_fqdn.crt+chain
./build-key --batch nom_client

Creating the crl.pem file (crash if crl.pem has size zero)

export KEY_CN=''
export KEY_ALTNAMES=''
 
openssl ca -gencrl -out keys/crl.pem -config openssl-1.0.0.cnf
 
unset KEY_CN KEY_ALTNAMES
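Two sanity checks for the points made above (Common Names must be unique; a zero-size crl.pem crashes the daemon), as an added POSIX shell example that is not part of the original notes. It assumes the easy-rsa 2 layout, where index.txt (the OpenSSL CA database) and crl.pem live in $KEY_DIR, and runs on a constructed index.txt.

```shell
#!/bin/sh
# Added sanity checks for an easy-rsa 2 key directory (not part of the original notes).
# Assumed layout: $KEY_DIR/index.txt (OpenSSL CA database) and $KEY_DIR/crl.pem.

# Print every Common Name that appears more than once among valid ("V") entries
# of an OpenSSL index.txt. easy-rsa's openssl.cnf sets unique_subject=yes, so a
# duplicate CN makes the next build-key fail; this lists the ones already present.
# index.txt fields: status, expiry, revocation date, serial, filename, subject DN.
duplicate_cns() {
    # $1 = path to index.txt
    awk -F'\t' '$1 == "V" {
        cn = ""
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++)
            if (substr(parts[i], 1, 3) == "CN=") cn = substr(parts[i], 4)
        if (cn != "") count[cn]++
    }
    END { for (cn in count) if (count[cn] > 1) print cn }' "$1" | sort
}

# Return 0 only if crl.pem exists, is non-empty and starts with a PEM CRL header;
# the notes warn that a zero-size crl.pem crashes the daemon at start-up.
crl_ok() {
    # $1 = path to crl.pem
    [ -s "$1" ] && grep -q '^-----BEGIN X509 CRL-----' "$1"
}

# Demo on a constructed index.txt and an empty crl.pem (not real PKI data).
demo_dir=$(mktemp -d)
printf 'V\t320101000000Z\t\t01\tunknown\t/C=FR/O=Acme/CN=vpn.example.test\n' > "$demo_dir/index.txt"
printf 'V\t320101000000Z\t\t02\tunknown\t/C=FR/O=Acme/CN=client1\n' >> "$demo_dir/index.txt"
printf 'V\t320101000000Z\t\t03\tunknown\t/C=FR/O=Acme/CN=client1\n' >> "$demo_dir/index.txt"
: > "$demo_dir/crl.pem"
echo "duplicate CNs: $(duplicate_cns "$demo_dir/index.txt")"
crl_ok "$demo_dir/crl.pem" || echo "crl.pem missing or empty: regenerate it before starting the daemon"
rm -r "$demo_dir"
```

Run it with KEY_DIR substituted for the demo directory (`duplicate_cns "$KEY_DIR/index.txt"`, `crl_ok "$KEY_DIR/crl.pem"`) before restarting OpenVPN after revocations.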

#export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
 
source vars
./clean-all
 
#initialize root ca; give it a cert with cn=rootca
KEY_CN=rootca
KEY_NAME=rootca
./pkitool --initca rootca
 
#build intermediate ca, with name interca
KEY_CN=interca
KEY_NAME=interca
./pkitool --inter interca 
 
#now copy vars for intermediate ca
cp vars inter_ca_vars
#... and edit them for use for endpoints (clients/servers):
nano inter_ca_vars

# lines to set in inter_ca_vars:
#edit place where keys are stored
# intermediate ca has separate key directory
export KEY_DIR="$EASY_RSA/intercakeys"
#edit to set up end user certs
export KEY_CN=EndPoint
export KEY_NAME=EndPoint
export KEY_OU=host.domain_endpoint_division
 
source ./inter_ca_vars
./clean-all
 
./build-dh
 
# generates several files in /etc/openvpn/easy-rsa/intercakeys:
# export-ca.crt
./inherit-inter /home/jibe/tmp/pki/keys interca
 
./pkitool --server openvpnserver
Using Common Name: openvpnserver
Error Loading extension section server
139680895010448:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:x509v3/v3_utl.c:370:
139680895010448:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:x509v3/v3_conf.c:146:name=subjectAltName,section=
139680895010448:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:x509v3/v3_conf.c:97:name=subjectAltName, value=
tech/notes_pki_easyrsa_openvpn.txt · Last modified: by Jean-Baptiste
