On Thu, Aug 24, 2017 at 08:15:25PM +0200, Kosa Attila wrote:
> On Thu, Aug 24, 2017 at 06:00:19PM +0200, Szima Gábor wrote:
> >
> > Can you recommend a good step-by-step guide on renewing OpenVPN certs?
> > I googled a few, but so far every suggestion ran into an error
> > (SSL3_GET_SERVER_CERTIFICATE:certificate verify failed).
> >
> > The gist: I'd like to renew the server/client certs that are slowly expiring.
>
> http://kosaek.hu/halozat.pdf
I realized I've changed a few things since then :) Here are the commands:

openssl req -set_serial 00 -passout "pass:CA_jelszo" -x509 -config CA.cnf -newkey rsa:4096 -sha256 -days 3650 -out ca.crt -outform PEM
touch index.txt
echo 01 > serial.txt
openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -keyout servercert.key -out servercert.csr -outform PEM
openssl ca -passin "pass:CA_jelszo" -config CA.cnf -policy signing_policy -extensions signing_req -out servercert.crt -infiles servercert.csr
openssl rsa -in servercert.key -out servercert.key.nopass
openssl req -nodes -newkey rsa:2048 -sha256 -config vpn-kliens-001 -keyout vpn-kliens-001.key -out vpn-kliens-001.csr -outform PEM
openssl ca -passin "pass:CA_jelszo" -config CA.cnf -policy signing_policy -extensions signing_req -days 365 -out vpn-kliens-001.crt -infiles vpn-kliens-001.csr
openssl rsa -in vpn-kliens-001.key -out vpn-kliens-001.key.nopass
openvpn --genkey --secret ta.key
openssl dhparam -out dh2048.pem 2048

The CA.cnf file:

####################################################################
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
default_days     = 365                  # how long to certify for
default_crl_days = 30                   # how long before next CRL
default_md       = sha256               # use public key default MD
preserve         = no                   # keep passed DN ordering
x509_extensions  = ca_extensions        # The extensions to add to the cert
email_in_dn      = no                   # Don't concat the email in the DN
copy_extensions  = copy                 # Required to copy SANs from CSR to cert
base_dir         = .
certificate      = $base_dir/ca.crt     # The CA certificate
private_key      = $base_dir/ca.key     # The CA private key
new_certs_dir    = $base_dir            # Location for new certs after signing
database         = $base_dir/index.txt  # Database index file
serial           = $base_dir/serial.txt # The current serial number
unique_subject   = no                   # Set to 'no' to allow creation of
                                        # several certificates with same subject.

####################################################################
[ req ]
default_bits       = 4096
default_keyfile    = ca.key
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
string_mask        = utf8only

####################################################################
[ ca_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = HU
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Megye
localityName                = Locality Name (eg, city)
localityName_default        = Varosnev
organizationName            = Organization Name (eg, company)
organizationName_default    = Cegnev Kft.
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = Cegnev Kft. CA
emailAddress                = Email Address
emailAddress_default        = i...@cegnev.hu

####################################################################
[ ca_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign

####################################################################
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
#keyUsage              = nonRepudiation, digitalSignature, keyEncipherment
####################################################################

The server.cnf file:

####################################################################
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits       = 2048
distinguished_name = server_distinguished_name
req_extensions     = server_req_extensions
string_mask        = utf8only
prompt             = no

####################################################################
[ server_distinguished_name ]
countryName         = HU
stateOrProvinceName = Megye
localityName        = Varosnev
organizationName    = Cegnev Kft.
commonName          = openvpn.cegnev.hu
emailAddress        = i...@cegnev.hu

####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth, clientAuth
subjectAltName       = @alternate_names
nsCertType           = server, client, email
nsComment            = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]
DNS.1 = alias1.cegnev.hu
DNS.2 = alias2.cegnev.hu
DNS.3 = alias3.cegnev.hu
####################################################################

The vpn-kliens-001 file:

####################################################################
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits       = 2048
distinguished_name = client_distinguished_name
req_extensions     = client_req_extensions
string_mask        = utf8only
prompt             = no

####################################################################
[ client_distinguished_name ]
countryName         = HU
stateOrProvinceName = Megye
localityName        = Varosnev
organizationName    = Cegnev Kft.
commonName          = vpn-kliens-001
emailAddress        = i...@cegnev.hu

####################################################################
[ client_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth
keyUsage             = digitalSignature, keyEncipherment
nsCertType           = client, email
nsComment            = "OpenSSL Generated Certificate"
####################################################################

Of the files that get created, you need the following; the rest can be deleted:

- CA.cnf
- ca.crt
- ca.key
- index.txt
- serial.txt
- servercert.crt
- servercert.key.nopass
- server.cnf
- vpn-kliens-001
- vpn-kliens-001.crt
- vpn-kliens-001.key.nopass

These options are needed in the openvpn server.conf file (to use the certificates):

ca ca.crt
cert servercert.crt
key servercert.key.nopass
dh dh2048.pem
tls-auth ta.key 0

These options are needed in the openvpn client configuration file (to use the certificates):

ca ca.crt
cert vpn-kliens-001.crt
key vpn-kliens-001.key.nopass
tls-auth ta.key 1
ns-cert-type server

-- 
Regards,
Zsiga

_________________________________________________
linux lista - linux@mlf.linux.rulez.org
http://mlf.linux.rulez.org/mailman/listinfo/linux
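The original question was a "certificate verify failed" error after renewal, which is what you get when a renewed cert was signed by a CA the peers do not trust. The following is an added example, not code from the thread: a small POSIX shell check (function name check_vpn_cert and the 30-day threshold are my own choices; it only assumes openssl is on PATH) that verifies a freshly signed cert against the ca.crt the peers ship with and refuses certs that expire within a given number of days, so the check can be run before the new files are copied out.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): sanity-check a renewed
# OpenVPN certificate against the CA before deploying it.
# Usage: check_vpn_cert ca.crt servercert.crt [min_days]   (min_days defaults to 30)
# Exit codes: 0 ok, 1 does not chain to this CA, 2 expires too soon.

check_vpn_cert() {
    ca="$1"; cert="$2"; min_days="${3:-30}"

    # 1. Does the cert chain to *this* CA? This is exactly the check that
    #    fails with "certificate verify failed" when the cert was signed by
    #    a different (e.g. regenerated) CA than the one in the peers' ca.crt.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        echo "  cert issuer: $(openssl x509 -in "$cert" -noout -issuer)" >&2
        echo "  CA subject:  $(openssl x509 -in "$ca" -noout -subject)" >&2
        return 1
    fi

    # 2. Is it still valid min_days from now? -checkend takes seconds and
    #    exits non-zero if the cert will have expired by then.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days" >&2
        return 2
    fi

    # 3. Print subject, expiry and (where the openssl build supports -ext)
    #    the SAN/EKU so the operator can eyeball that the right config was used.
    openssl x509 -in "$cert" -noout -subject -enddate \
        -ext subjectAltName,extendedKeyUsage 2>/dev/null ||
        openssl x509 -in "$cert" -noout -subject -enddate
    return 0
}
```

Run it once for servercert.crt and once for every client cert against the same ca.crt; a non-zero exit means the peers would reject the cert too.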