# These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="cn" export KEY_PROVINCE="zhejiang" export KEY_CITY="hangzhou" export KEY_ORG="xxx" export KEY_EMAIL="xxx@163.com" export KEY_OU="DevelopmentDepartment" # X509 Subject Field export KEY_NAME="xxx" # PKCS11 Smart Card # export PKCS11_MODULE_PATH="/usr/lib/changeme.so" # export PKCS11_PIN=1234 # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below # You will also need to make sure your OpenVPN server config has the duplicate-cn option set # export KEY_CN="CommonName" export KEY_CN="xxx"
让 vars 生效
1
source ./vars
清空原证书
1
./clean-all
1.3、生成根证书和密钥
命令
1
./build-ca
证书文件: ca.crt ca.key
1 2
ls keys/ # ca.crt ca.key index.txt serial
1.4、生成服务端证书和密钥
命令
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
1
./build-key-server khalidlife-server
证书文件: khalidlife-server.crt khalidlife-server.key
1 2
ls keys/ 01.pem ca.crt ca.key index.txt index.txt.attr index.txt.old khalidlife-server.crt khalidlife-server.csr khalidlife-server.key serial serial.old
1.5、生成客户端证书和密钥
命令
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
1
./build-key khalidlife-client
证书文件: khalidlife-client.crt khalidlife-client.key
1 2 3
ls keys/ 01.pem ca.crt index.txt index.txt.attr.old khalidlife-client.crt khalidlife-client.key khalidlife-server.csr serial 02.pem ca.key index.txt.attr index.txt.old khalidlife-client.csr khalidlife-server.crt khalidlife-server.key serial.old
ca keys/ca.crt cert keys/khalidlife-server.crt key keys/khalidlife-server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh2048.pem 2048 dh keys/dh2048.pem
3. 修改vpn的ip地址
1 2
#server 10.8.0.0 255.255.255.0 server 10.1.0.0 255.255.255.0
微信