这是一个创建于 2723 天前的主题,其中的信息可能已经有所发展或是发生改变。
是这样的,之前一直是用一键安装脚本在 centos7 上安装 ocserv 并用密码登录
最近想试一下自己手动配置用证书登录,但是看了官方文档和各种教程,还是不太明白自己的情况应该怎样生成证书,手头就是一台搬瓦工,刚重新安装系统
1 下面有域名的地方我就直接写 ip 地址?
2 好像是说自签发的证书登录的时候会提示不信任?现在有哪些机构可以免费签发?
3 如果我可以接受每次弹出不受信任,我只要生成哪些证书就够了?
4 官网上没有看到对于这些文件的目录有什么要求,但是各种教程上都不一致,有关系吗?
5 是每个用户分别生成一个证书还是共用?应该怎么把证书导入 iOS 的客户端?
谢谢各位大大
Generating the CA
$ certtool --generate-privkey --outfile ca-key.pem
$ cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
$ certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Generating a local server certificate
The following example generates the server key and certificate pair. The key generated is an RSA one, but different types can be used by specifying the ’ ecdsa ’ or ’ dsa ’ options to certtool.
$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "VPN server"
dns_name = "www.example.com"
dns_name = "vpn1.example.com"
#ip_address = "1.2.3.4"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
From this point the clients need ca-cert.pem to be able to securely connect to the server.
Note that it is a better practice to use two separate RSA keys, one with the signing_key option and another with the encryption_key.
Generating an external CA-signed server certificate
$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "My server"
dns_name = "www.example.com"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool --generate-request --load-privkey server-key.pem --template server.tmpl --outfile server-cert.csr
At this point you need to provide the server-cert.csr to your CA, and they will send you the server certificate.
Generating the client certificates
Note that it is recommended to leave detailed personal information out of the certificate as it is sent in clear during TLS authentication. The following process generates a certificate and converts it to PKCS #12 that is protected by a PIN and most clients are able to import (the 3DES cipher is used in the example because it is supported by far more devices than AES).
$ certtool --generate-privkey --outfile user-key.pem
$ cat << _EOF_ >user.tmpl
cn = "user"
unit = "admins"
expiration_days = 365
signing_key
tls_www_client
_EOF_
$ certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
$ certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder
Revoking a client certificate
To revoke the previous client certificate, i.e., preventing the user from accessing the VPN resources prior to its certificate expiration, use:
$ cat << _EOF_ >crl.tmpl
crl_next_update = 365
crl_number = 1
_EOF_
$ cat user-cert.pem >>revoked.pem
$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem --load-certificate revoked.pem --template crl.tmpl --outfile crl.pem
After that you may want to notify ocserv of the new CRL by using the HUP signal, or wait for it to reload it.
When there are no revoked certificates an empty revocation list should be generated as follows.
$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem --template crl.tmpl --outfile crl.pem
最近想试一下自己手动配置用证书登录,但是看了官方文档和各种教程,还是不太明白自己的情况应该怎样生成证书,手头就是一台搬瓦工,刚重新安装系统
1 下面有域名的地方我就直接写 ip 地址?
2 好像是说自签发的证书登录的时候会提示不信任?现在有哪些机构可以免费签发?
3 如果我可以接受每次弹出不受信任,我只要生成哪些证书就够了?
4 官网上没有看到对于这些文件的目录有什么要求,但是各种教程上都不一致,有关系吗?
5 是每个用户分别生成一个证书还是共用?应该怎么把证书导入 iOS 的客户端?
谢谢各位大大
Generating the CA
$ certtool --generate-privkey --outfile ca-key.pem
$ cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
$ certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Generating a local server certificate
The following example generates the server key and certificate pair. The key generated is an RSA one, but different types can be used by specifying the ’ ecdsa ’ or ’ dsa ’ options to certtool.
$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "VPN server"
dns_name = "www.example.com"
dns_name = "vpn1.example.com"
#ip_address = "1.2.3.4"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
From this point the clients need ca-cert.pem to be able to securely connect to the server.
Note that it is a better practice to use two separate RSA keys, one with the signing_key option and another with the encryption_key.
Generating an external CA-signed server certificate
$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "My server"
dns_name = "www.example.com"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool --generate-request --load-privkey server-key.pem --template server.tmpl --outfile server-cert.csr
At this point you need to provide the server-cert.csr to your CA, and they will send you the server certificate.
Generating the client certificates
Note that it is recommended to leave detailed personal information out of the certificate as it is sent in clear during TLS authentication. The following process generates a certificate and converts it to PKCS #12 that is protected by a PIN and most clients are able to import (the 3DES cipher is used in the example because it is supported by far more devices than AES).
$ certtool --generate-privkey --outfile user-key.pem
$ cat << _EOF_ >user.tmpl
cn = "user"
unit = "admins"
expiration_days = 365
signing_key
tls_www_client
_EOF_
$ certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
$ certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder
Revoking a client certificate
To revoke the previous client certificate, i.e., preventing the user from accessing the VPN resources prior to its certificate expiration, use:
$ cat << _EOF_ >crl.tmpl
crl_next_update = 365
crl_number = 1
_EOF_
$ cat user-cert.pem >>revoked.pem
$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem --load-certificate revoked.pem --template crl.tmpl --outfile crl.pem
After that you may want to notify ocserv of the new CRL by using the HUP signal, or wait for it to reload it.
When there are no revoked certificates an empty revocation list should be generated as follows.
$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem --template crl.tmpl --outfile crl.pem
 |
1
ss098 2016-11-18 22:23:36 +08:00  1
如果你想生成一个不被信任的自签证书: https://www.qiyichao.cn/paper/8 刚从我笔记里翻出来然后 Post 上去的,能解答你关于部署的问题。
你想使用被信任的证书,和申请 SSL 证书是一样的,这方面的资料比较多,腾讯和阿里家都有免费签发的 SSL 证书(这两家需要注意的是你的私钥他们也有)。拿到证书以后,只要按照自签的路径将被信任的证书放到合适的位置就可以了。 在这里证书的目的是为了证明服务器的地址是正确的,所以所有的用户可以公用一张证书。 |
 |
2
hhp OP @ss098 感谢!
不过还有个疑问, Radius 也是需要自己安装配置的还是系统自带的?网上看到的都没有提到要安装这个 radcli |
|
3
ss098 2016-11-19 11:23:59 +08:00 1
@hhp 如果你不需要一个中心化的验证机制,采用普通的文件形式存储密码, Radius 可以不安装,这是自己另外需要部署的事情。
|
|
6
ss098 2016-11-19 11:28:36 +08:00
|
Select Language