侧边栏壁纸
博主头像
木东 blog 博主等级

  • 累计撰写 59 篇文章
  • 累计创建 52 个标签
  • 累计收到 0 条评论

目 录CONTENT

文章目录
远程访问

openvpn证书到期更换

木东
木东
2025-01-12 / 0 评论 / 0 点赞 / 46 阅读 / 0 字 / 正在检测是否收录...
温馨提示:
部分素材来自网络,若不小心影响到您的利益,请联系我们删除。

准备

准备easyrsa命令,github地址: https://github.com/OpenVPN/easy-rsa

wget https://github.com/OpenVPN/easy-rsa/archive/refs/tags/v3.1.5.tar.gz
tar xf easy-rsa-3.1.5.tar.gz
cd easy-rsa/
cp -r easyrsa3 /etc/openvpn/
cd /etc/openvpn/easyrsa3
chmod +x easyrsa

ca证书

初始化pki

./easyrsa init-pki

执行命令后会在目录下生成一个pki的目录

修改 pki 目录下的 vars 文件,主要修改证书有效期为10年

vim pki/vars
...
# In how many days should the root CA key expire?
#
#set_var EASYRSA_CA_EXPIRE	3650

# In how many days should certificates expire?
#
set_var EASYRSA_CERT_EXPIRE	3650
...

默认ca证书有效期为10年,默认服务端证书有效期为825天。

打开set_var EASYRSA_CERT_EXPIRE 参数前面的注释,并修改825为3650

创建ca根证书:

./easyrsa build-ca

输入密码、通用名

Enter New CA Key Passphrase:		## 设置密码 P@ssw1rd
Re-Enter New CA Key Passphrase:		## 再次输入密码
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:	## common随便定义,openvpn

服务端证书

创建服务器端证书

./easyrsa gen-req server nopass

也可以使用 ./easyrsa build-server-full server nopass,未测试

输入通用名

Common Name (eg: your user, host, or server name) [server]:		## gw11

根据网上资料所说,这个通用名和ca的最好不要重复

签名服务端证书

./easyrsa sign server server

  Confirm request details:		## yes
Enter pass phrase for /xxx/EasyRSA-3.1.0/pki/private/ca.key:	## ca的密码:P@ssw1rd

创建Diffie-Hellman

./easyrsa gen-dh

服务端证书文件路径:

pki\ca.crt		## ca根证书
pki\dh.pem		## dh算法证书
pki\issued\server.crt	## 服务端公钥
pki\private\server.key	## 服务端私钥

重启服务端:

# 把证书放到服务端openvpn目录下
cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/

# 修改openvpn配置文件
vim server.conf

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
;dh dh.pem
dh dh.pem

# 重启服务端
systemctl restart openvpn

客户端证书

./easyrsa build-client-full gw31 nopass
Enter pass phrase for /xxx/EasyRSA-3.1.0/pki/private/ca.key:	## ca的密码:P@ssw1rd

客户端证书文件路径:

pki\issued\gw31.crt	## 客户端公钥
pki\private\gw31.key	## 客户端私钥

重启客户端

# 把证书放到客户端openvpn目录下
cp pki/ca.crt pki/issued/gw31.crt pki/private/gw31.key /etc/openvpn/

# 修改openvpn配置文件
vim client.conf

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert gw31.crt
key gw31.key

# 重启客户端
systemctl restart openvpn
0
openvpn
版权归属: 木东
本文链接: http://blog.op81.com/archives/5INZF8Ov
许可协议: 本文使用《署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0)》协议授权

评论区