Linux Blog

CentOS7でLinuxサーバー構築

TOP » サーバー構築 » OpenVPN »

認証局(CA)の設置とOpenVPN用証明書と鍵のの作成

ここではマスター認証機関の証明書と鍵を生成し、サーバーの証明書と鍵を生成します。
証明書・鍵作成用環境変数設定ファイルを編集します。
64行目から69行目までをコメントアウトして、70行目から74行目までを追加します。

vi /usr/share/easy-rsa/2.0/vars
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
#export KEY_COUNTRY="US"
#export KEY_PROVINCE="CA"
#export KEY_CITY="SanFrancisco"
#export KEY_ORG="Fort-Funston"
#export KEY_EMAIL="me@myhost.mydomain"
#export KEY_OU="MyOrganizationalUnit"
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Osaka"
export KEY_CITY="Osaka"
export KEY_ORG="astermark.com"
export KEY_EMAIL="admin@astermark.com"

# X509 Subject Field
export KEY_NAME="EasyRSA"

# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"

PKI(公開鍵基盤)を初期化します。の構築です。PKIにはサーバーとクライアントそれぞれに個別に必要な証明書(公開鍵とも言われます)と秘密鍵サーバーやクライアントで使用される証明書に署名するために必要な認証局(CA)の証明書と鍵が含まれます。

cd /usr/share/easy-rsa/2.0
source ./vars
./clean-all

build-caコマンドを実行してopensslコマンドが呼び出し、認証機関(CA)の証明書と鍵を生成します。
コマンドを実行したときにいくつかの情報を尋ねられますが、その際にデフォルト値として先ほどvarsファイルで設定した値が使用されるので全てエンターキーを押して応答します。

./build-ca
Generating a 1024 bit RSA private key ............++++++ ...........++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]: State or Province Name (full name) [Osaka]: Locality Name (eg, city) [Osaka]: Organization Name (eg, company) [OpenVPN-TEST]: Organizational Unit Name (eg, section) [astermark.com]: Common Name (eg, your name or your server's hostname) []: Email Address [admin@astermark.com]:

生成されたルートCAの証明書であるca.crtをopenvpnのディレクトリに移動します。

cp keys/ca.crt /etc/openvpn/

コメントを残す