Making certificates with easyrsa

1. Making certificates with easy_rsa 2.x:

    Link: http://www.javashuo.com/article/p-cymxddnp-go.html (the appendix at the end).

Download the key-generation tool easy_rsa 2:

         wget https://github.com/Open×××/easy-rsa/archive/release/2.x.zip

Unzip easy_rsa and copy it to /etc/open***:

         unzip 2.x.zip

         mv easy-rsa-release-2.x/ /etc/open***/

Edit the easy-rsa vars file and set the relevant variables:

         cd /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0

         vim vars

export KEY_COUNTRY="CN"

export KEY_PROVINCE="Beijing"

export KEY_CITY="Beijing"

export KEY_ORG="APICloud"

export KEY_EMAIL="ADMIN@APICloud.COM"

export KEY_OU="***.apicloud.com"

         After editing, save and exit.

With the vars file you just edited, run the following commands:

         source vars 

         ./clean-all

         ./build-ca

Create the server certificate and key:

       ./build-key-server Open×××_Server

[root@cloud 2.0]# ./build-key-server Open×××_Server

Generating a 2048 bit RSA private key

.................................+++

............+++

writing new private key to 'Open×××_Server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpen×××]:

Common Name (eg, your name or your server's hostname) [Open×××_Server]:

Name [EasyRSA]:

Email Address [ADMIN@ XIAOCUI.COM]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BEIJING'

localityName          :PRINTABLE:'BEIJING'

organizationName      :PRINTABLE:' XIAOCUI '

organizationalUnitName:PRINTABLE:'MyOpen×××'

commonName            :T61STRING:'Open×××_Server'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'ADMIN@ XIAOCUI.COM'

Certificate is to be certified until May  2 07:49:13 2025 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

Create the client certificate and key:

       ./build-key client-user-test1

 

[root@cloud 2.0]# ./build-key client-user-test1

Generating a 2048 bit RSA private key

....................+++

...............................................................................+++

writing new private key to 'client-user-cuiyuanrong.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpen×××]:

Common Name (eg, your name or your server's hostname) [client-user-test1]:

Name [EasyRSA]:

Email Address [ADMIN@XIAOCUI.COM]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BEIJING'

localityName          :PRINTABLE:'BEIJING'

organizationName      :PRINTABLE:'XIAOCUI'

organizationalUnitName:PRINTABLE:'MyOpen×××'

commonName            :PRINTABLE:'client-user-test1'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'ADMIN@XIAOCUI.COM'

Certificate is to be certified until May  2 07:53:17 2025 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

Create the Diffie-Hellman parameters:

       ./build-dh


2. Making certificates with easy_rsa 3.x:

    Link: http://openwrt.iteye.com/blog/2305318

Recently I have been looking into how to implement open*** on a router, which involves using easyrsa to make certificates. In the latest open***-2.3.11 source package, easyrsa is no longer included and has to be downloaded separately from https://github.com/Open×××/easy-rsa; the download is an easy-rsa-master.zip archive (attached). Unzip it on Linux to get easy-rsa-master, enter easyrsa3, and copy vars.example to vars; this file is the configuration used when making certificates. For my needs I enabled only the following options:

set_var EASYRSA_DN  "org" 

set_var EASYRSA_REQ_COUNTRY "CN" 

set_var EASYRSA_REQ_PROVINCE    "Guangdong" 

set_var EASYRSA_REQ_CITY    "Shenzhen" 

set_var EASYRSA_REQ_ORG "XXX" 

set_var EASYRSA_REQ_EMAIL   "me@myhost.mydomain" 

/*************************************/ 

If the open*** client configuration uses ns-cert-type server, this option must be enabled; when the server certificate is made, some extra information is written into it. If it is not enabled, the open*** client reports server certificate verify fail.

set_var EASYRSA_NS_SUPPORT  "yes" 

/*************************************/  

Now the certificates can be made. Each command prints some output after it runs; if something goes wrong, the relevant error message is shown.

1 ./easyrsa init-pki

Initialization: creates a PKI directory in the current directory, used to store intermediate state and the final generated certificates.


2 ./easyrsa build-ca 

Creates the root certificate. It first prompts for a password, which the CA uses when signing the server and client certificates generated later, then prompts for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address; press Enter to accept the defaults or change them by hand.


3 ./easyrsa gen-req server nopass 

Creates the server certificate and private key; nopass means the private key is not encrypted. It then prompts for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address; press Enter to accept the defaults or change them by hand.


4 ./easyrsa sign server server 

Signs the server certificate: first confirm the displayed information by typing yes, then enter the password set during build-ca.


5 ./easyrsa gen-dh 

Creates the Diffie-Hellman parameters; this takes a while, so be patient.


6 Create the client certificate: copy the easyrsa3 folder to a separate location, delete the PKI directory inside it, then enter that directory

./easyrsa init-pki

Initialization: creates a PKI directory in the current directory, used to store intermediate state and the final generated certificates.


7 ./easyrsa gen-req client nopass 

Creates the client certificate and private key; nopass means the private key is not encrypted. It then prompts for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address; press Enter to accept the defaults or change them by hand.


8 Go back to the easyrsa3 directory used for making the server certificate and import the client certificate request, ready for signing

./easyrsa import-req <path-to-client.req> client

client.req should be under easyrsa3/pki/reqs/ in the directory where the client certificate was just made


9 ./easyrsa sign client client 

Signs the client certificate: first confirm the displayed information by typing yes, then enter the password set during build-ca.


Note: it is best not to set the same Common Name for the ca, server and client. I have not verified this, but people online say that open*** has connection problems when they are the same.


At this point the server and client certificates are done.

The open*** server needs:

easyrsa3/pki/ca.crt   <from the folder where the server certificate was made>

easyrsa3/pki/private/server.key <from the folder where the server certificate was made>

easyrsa3/pki/issued/server.crt <from the folder where the server certificate was made>

easyrsa3/pki/dh.pem


The open*** client needs:

easy-rsa/easyrsa3/pki/ca.crt <from the folder where the server certificate was made>

easy-rsa/easyrsa3/pki/issued/client.crt <from the folder where the server certificate was made>

easy-rsa/easyrsa3/pki/private/client.key <from the folder where the client certificate was made>
