On Thu, Aug 24, 2017 at 08:15:25PM +0200, Kosa Attila wrote:
> On Thu, Aug 24, 2017 at 06:00:19PM +0200, Szima Gábor wrote:
> > 
> > Can you recommend a good step-by-step guide on extending OpenVPN certs?
> > I googled a few, but so far every suggestion ran into an error
> > (SSL3_GET_SERVER_CERTIFICATE:certificate verify failed).
> > 
> > The gist: I'd like to renew the server/client certs that are gradually expiring.
> 
> http://kosaek.hu/halozat.pdf

I realized that I have changed a few things since then :) Here are the
commands:

openssl req -set_serial 00 -passout "pass:CA_jelszo" -x509 -config CA.cnf \
    -newkey rsa:4096 -sha256 -days 3650 -out ca.crt -outform PEM

touch index.txt
echo 01 > serial.txt

openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -keyout servercert.key \
    -out servercert.csr -outform PEM
openssl ca -passin "pass:CA_jelszo" -config CA.cnf -policy signing_policy \
    -extensions signing_req -out servercert.crt -infiles servercert.csr
openssl rsa -in servercert.key -out servercert.key.nopass

openssl req -nodes -newkey rsa:2048 -sha256 -config vpn-kliens-001 -keyout vpn-kliens-001.key \
    -out vpn-kliens-001.csr -outform PEM
openssl ca -passin "pass:CA_jelszo" -config CA.cnf -policy signing_policy \
    -extensions signing_req -days 365 -out vpn-kliens-001.crt -infiles vpn-kliens-001.csr
openssl rsa -in vpn-kliens-001.key -out vpn-kliens-001.key.nopass

openvpn --genkey --secret ta.key
openssl dhparam -out dh2048.pem 2048


The CA.cnf file:
####################################################################
HOME                            = .
RANDFILE                        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca                      = CA_default    # The default ca section

[ CA_default ]   

default_days                    = 365           # how long to certify for
default_crl_days                = 30            # how long before next CRL
default_md                      = sha256        # use public key default MD
preserve                        = no            # keep passed DN ordering

x509_extensions                 = ca_extensions # The extensions to add to the cert

email_in_dn                     = no            # Don't concat the email in the DN
copy_extensions                 = copy          # Required to copy SANs from CSR to cert

base_dir                        = .
certificate                     = $base_dir/ca.crt      # The CA certificate
private_key                     = $base_dir/ca.key      # The CA private key
new_certs_dir                   = $base_dir             # Location for new certs after signing
database                        = $base_dir/index.txt   # Database index file
serial                          = $base_dir/serial.txt  # The current serial number

unique_subject                  = no                    # Set to 'no' to allow creation of
                                                        # several certificates with same subject.

####################################################################
[ req ]
default_bits                    = 4096
default_keyfile                 = ca.key
distinguished_name              = ca_distinguished_name
x509_extensions                 = ca_extensions
string_mask                     = utf8only

####################################################################
[ ca_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = HU

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Megye

localityName                    = Locality Name (eg, city)
localityName_default            = Varosnev

organizationName                = Organization Name (eg, company)
organizationName_default        = Cegnev Kft.

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = Cegnev Kft. CA

emailAddress                    = Email Address
emailAddress_default            = i...@cegnev.hu

####################################################################
[ ca_extensions ]

subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always, issuer
basicConstraints                = critical, CA:true
keyUsage                        = keyCertSign, cRLSign

####################################################################
[ signing_policy ]
countryName                     = optional
stateOrProvinceName             = optional
localityName                    = optional
organizationName                = optional
organizationalUnitName          = optional
commonName                      = supplied
emailAddress                    = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer

basicConstraints                = CA:FALSE
#keyUsage                       = nonRepudiation, digitalSignature, keyEncipherment
####################################################################


The server.cnf file:
####################################################################    
HOME                            = .
RANDFILE                        = $ENV::HOME/.rnd

####################################################################    
[ req ]
default_bits                    = 2048
distinguished_name              = server_distinguished_name
req_extensions                  = server_req_extensions
string_mask                     = utf8only
prompt                          = no

####################################################################
[ server_distinguished_name ]
countryName                     = HU
stateOrProvinceName             = Megye
localityName                    = Varosnev
organizationName                = Cegnev Kft.
commonName                      = openvpn.cegnev.hu
emailAddress                    = i...@cegnev.hu

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier            = hash
basicConstraints                = CA:FALSE
keyUsage                        = critical, digitalSignature, keyEncipherment
extendedKeyUsage                = serverAuth, clientAuth
subjectAltName                  = @alternate_names
nsCertType                      = server, client, email
nsComment                       = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]

DNS.1                           = alias1.cegnev.hu
DNS.2                           = alias2.cegnev.hu
DNS.3                           = alias3.cegnev.hu
####################################################################


The vpn-kliens-001 file:
####################################################################    
HOME                            = .
RANDFILE                        = $ENV::HOME/.rnd

####################################################################    
[ req ]
default_bits                    = 2048
distinguished_name              = client_distinguished_name
req_extensions                  = client_req_extensions
string_mask                     = utf8only
prompt                          = no

####################################################################
[ client_distinguished_name ]
countryName                     = HU
stateOrProvinceName             = Megye
localityName                    = Varosnev
organizationName                = Cegnev Kft.
commonName                      = vpn-kliens-001
emailAddress                    = i...@cegnev.hu

####################################################################
[ client_req_extensions ]

subjectKeyIdentifier            = hash
basicConstraints                = CA:FALSE
extendedKeyUsage                = clientAuth
keyUsage                        = digitalSignature, keyEncipherment
nsCertType                      = client, email
nsComment                       = "OpenSSL Generated Certificate"

####################################################################

Of the files produced, the following are the ones you need; the rest
you can delete:
- CA.cnf
- ca.crt
- ca.key
- index.txt
- serial.txt
- servercert.crt
- servercert.key.nopass
- server.cnf
- vpn-kliens-001
- vpn-kliens-001.crt
- vpn-kliens-001.key.nopass

The openvpn server.conf file needs these options (to use the
certificates):
ca ca.crt
cert servercert.crt
key servercert.key.nopass
dh dh2048.pem
tls-auth ta.key 0

The openvpn client configuration file needs these options (to use
the certificates):
ca ca.crt
cert vpn-kliens-001.crt
key vpn-kliens-001.key.nopass
tls-auth ta.key 1
ns-cert-type server

-- 
                Regards
                                Zsiga
_________________________________________________
linux lista      -      linux@mlf.linux.rulez.org
http://mlf.linux.rulez.org/mailman/listinfo/linux
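The recipe above signs with `openssl ca` against an index.txt/serial.txt database, and the original question was a "certificate verify failed" after a renewal attempt. The script below is an added example, not code from the mail or from any of the list members: it builds a throwaway CA in a temporary directory with the same layout as CA.cnf, issues a server certificate, renews it by reusing the existing key, and then runs the two checks worth doing before trusting a renewed certificate: does the leaf still chain to the CA file the peers hold, and how soon does it expire. It also shows that regenerating the CA itself with a fresh key (what `openssl req -x509 -newkey` does) breaks the chain for every certificate the old CA signed. The names "Demo CA", "openvpn.example.test" and all file names are constructed for the demo; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original mail): throwaway CA in a temp dir with
# the same index.txt/serial.txt layout as CA.cnf, leaf certs issued through
# `openssl ca`, plus the chain and expiry checks to run around a renewal.
# "Demo CA", "openvpn.example.test" and all file names are constructed.
set -eu

# Minimal CA config modelled on the mail's CA.cnf. $dir is expanded by the
# shell here; \$dir stays literal so OpenSSL expands it from [CA_default].
write_ca_cnf() {
    dir=$1
    cat > "$dir/CA.cnf" <<EOF
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = $dir
certificate            = \$dir/ca.crt
private_key            = \$dir/ca.key
new_certs_dir          = \$dir
database               = \$dir/index.txt
serial                 = \$dir/serial.txt
default_md             = sha256
default_days           = 365
policy                 = signing_policy
copy_extensions        = copy
unique_subject         = no
[ signing_policy ]
commonName             = supplied
[ ca_ext ]
subjectKeyIdentifier   = hash
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
[ req ]
distinguished_name     = req_dn
prompt                 = no
[ req_dn ]
EOF
}

# Self-signed CA with a fresh key pair: $1 = dir, $2 = key out, $3 = cert out.
new_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/CA.cnf" -extensions ca_ext -subj "/CN=Demo CA" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Issue a leaf through `openssl ca` as the mail does. A renewal is the same
# call with the existing key ($2): $1 = dir, $3 = CN, $4 = days, $5 = cert out.
issue_cert() {
    openssl req -new -key "$2" -sha256 -config "$1/CA.cnf" -subj "/CN=$3" \
        -out "$1/$3.csr" 2>/dev/null
    openssl ca -batch -config "$1/CA.cnf" -extensions signing_req -days "$4" \
        -in "$1/$3.csr" -out "$5" >/dev/null 2>&1
}

# Exit 0 when the leaf chains to the given CA cert (the check the OpenVPN
# peer performs with `ca ca.crt`), non-zero otherwise.
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 when the cert expires within $2 seconds. `-checkend` exits 0 while
# the cert will still be valid at that point, so the result is inverted.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Build the demo PKI in $1: one CA, a 365-day server cert, a 1-day cert
# standing in for one about to expire, and a re-keyed CA with the same name.
build_demo_pki() {
    d=$1
    write_ca_cnf "$d"
    : > "$d/index.txt"
    echo 01 > "$d/serial.txt"
    new_ca "$d" "$d/ca.key" "$d/ca.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    issue_cert "$d" "$d/server.key" openvpn.example.test 365 "$d/server.crt"
    issue_cert "$d" "$d/server.key" openvpn.example.test 1 "$d/server-short.crt"
    # A regenerated CA has a new key; certs signed by the old key no longer chain.
    new_ca "$d" "$d/ca-rekeyed.key" "$d/ca-rekeyed.crt"
}

work=$(mktemp -d)
build_demo_pki "$work"
cert_verifies "$work/ca.crt" "$work/server.crt" &&
    echo "server.crt chains to ca.crt"
cert_verifies "$work/ca-rekeyed.crt" "$work/server.crt" ||
    echo "server.crt does not chain to the re-keyed CA: peers holding that CA see 'certificate verify failed'"
expires_within "$work/server-short.crt" 172800 &&
    echo "server-short.crt expires within 2 days: reissue it from the same CA, reusing the key"
rm -rf "$work"
```

Run it with `sh` on a machine that has the openssl CLI. The same two calls, `openssl verify -CAfile ca.crt servercert.crt` and `openssl x509 -in servercert.crt -noout -checkend 2592000`, can be pointed at the real files from the recipe above: the first confirms that a renewed certificate still validates against the ca.crt that is deployed on the clients, the second flags certificates that will expire within the given number of seconds so they can be reissued before the VPN stops accepting them.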
