openVPN setup №2

October 12, 2018

This continues from openVPN setup №1.

8. Create the server certificate and the server private key.

[user@localhost] ./build-key-server server

[Output]

Generating a 1024 bit RSA private key
............................................................++++++
.....++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:【ENTER】
State or Province Name (full name) [Tokyo]:【ENTER】
Locality Name (eg, city) [Hachiouzi]:【ENTER】
Organization Name (eg, company) [tmyinsight.net]:【ENTER】
Organizational Unit Name (eg, section) [changeme]:【ENTER】
Common Name (eg, your name or your server's hostname) [server]:【ENTER】
Name [changeme]:【ENTER】
Email Address [postmaster@tmyinsight.net]:【ENTER】

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:【ENTER】
An optional company name []:【ENTER】
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Tokyo'
localityName          :PRINTABLE:'Hachiouzi'
organizationName      :PRINTABLE:'tmyinsight.net'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'postmaster@tmyinsight.net'
Certificate is to be certified until Dec 10 12:56:12 2024 GMT (3650 days)
Sign the certificate? [y/n]:【y】【ENTER】


1 out of 1 certificate requests certified, commit? [y/n]【y】【ENTER】
Write out database with 1 new entries
Data Base Updated

※ "【】" marks what is typed at the keyboard.
To confirm that the files were created...

[user@localhost] ls keys/
server.crt server.csr server.key ・・・

9. Create the client certificate and the client private key.
If the number of clients is already known, repeat this step once per client.
You can also choose whether or not the client key gets a passphrase, so I will show both cases.

[With a passphrase]

[user@localhost] ./build-key-pass Client_pass

[Output]

Generating a 1024 bit RSA private key
..................++++++
..................++++++
writing new private key to 'Client_pass.key'
Enter PEM pass phrase:【enter passphrase】【ENTER】
Verifying - Enter PEM pass phrase:【re-enter passphrase】【ENTER】
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:【ENTER】
State or Province Name (full name) [Tokyo]:【ENTER】
Locality Name (eg, city) [Hachiouzi]:【ENTER】
Organization Name (eg, company) [tmyinsight.net]:【ENTER】
Organizational Unit Name (eg, section) [changeme]:【ENTER】
Common Name (eg, your name or your server's hostname) [Client_pass]:
Name [changeme]:【ENTER】
Email Address [postmaster@tmyinsight.net]:【ENTER】

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:【ENTER】
An optional company name []:【ENTER】
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Tokyo'
localityName          :PRINTABLE:'Hachiouzi'
organizationName      :PRINTABLE:'tmyinsight.net'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :T61STRING:'Client_pass'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'postmaster@tmyinsight.net'
Certificate is to be certified until Dec 10 13:09:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:【y】【ENTER】


1 out of 1 certificate requests certified, commit? [y/n]【y】【ENTER】
Write out database with 1 new entries
Data Base Updated

[Without a passphrase]

[user@localhost] ./build-key Client_nopass

[Output]

Generating a 1024 bit RSA private key
.............................................................++++++
...................................................++++++
writing new private key to 'Client_nopass.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:【ENTER】
State or Province Name (full name) [Tokyo]:【ENTER】
Locality Name (eg, city) [Hachiouzi]:【ENTER】
Organization Name (eg, company) [tmyinsight.net]:【ENTER】
Organizational Unit Name (eg, section) [changeme]:【ENTER】
Common Name (eg, your name or your server's hostname) [Client_nopass]:
Name [changeme]:【ENTER】
Email Address [postmaster@tmyinsight.net]:【ENTER】

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:【ENTER】
An optional company name []:【ENTER】
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Tokyo'
localityName          :PRINTABLE:'Hachiouzi'
organizationName      :PRINTABLE:'tmyinsight.net'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :T61STRING:'Client_nopass'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'postmaster@tmyinsight.net'
Certificate is to be certified until Dec 10 13:22:33 2024 GMT (3650 days)
Sign the certificate? [y/n]:【y】【ENTER】

1 out of 1 certificate requests certified, commit? [y/n]【y】【ENTER】
Write out database with 1 new entries
Data Base Updated

※ "【】" marks what is typed at the keyboard.

To confirm that the files were created...

[user@localhost] ls keys/

[Output]

Client_nopass.csr  Client_pass.crt  Client_pass.key  Client_nopass.crt  Client_nopass.key  Client_pass.csr ・・・
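Steps 8 and 9 end with an `ls keys/` that only proves the files exist. As an added example (not part of this post or of easy-rsa), the script below checks what actually matters in those files: that each .crt chains to the ca.crt from part 1, what Common Name and key size it carries, and whether the .key is passphrase-protected (the difference between build-key-pass and build-key). It assumes openssl on PATH; make_demo_keys creates constructed stand-ins (a hypothetical "demo-ca", passphrase "demo") so it runs without easy-rsa.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check what easy-rsa 2.x left in keys/.
# Assumes openssl on PATH; ca.crt, server.*, Client_pass.* are the names the post creates.

# Passphrase-protected key? build-key-pass yields "Proc-Type: 4,ENCRYPTED" (traditional
# PEM); newer OpenSSL writes a "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) block instead.
key_is_encrypted() {
    grep -q -E '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# RSA modulus size in bits of the public key inside a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Subject CN of a certificate (the value entered at easy-rsa's Common Name prompt).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Does the certificate chain to the CA (keys/ca.crt, created in part 1)?
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# One-line report for a name such as server, Client_pass or Client_nopass.
report() {
    dir=$1; name=$2; crt="$dir/$name.crt"; key="$dir/$name.key"
    [ -f "$crt" ] && [ -f "$key" ] || { echo "$name: missing .crt or .key"; return 1; }
    enc=no; key_is_encrypted "$key" && enc=yes
    chain=no; cert_signed_by_ca "$dir/ca.crt" "$crt" && chain=yes
    echo "$name: CN=$(cert_cn "$crt") bits=$(cert_key_bits "$crt") passphrase=$enc signed_by_ca=$chain"
}

# Constructed fixtures (hypothetical CA "demo-ca", passphrase "demo"): a throwaway CA,
# a server cert it signed, and a client key protected by a passphrase.
make_demo_keys() {
    dir=$1; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-ca" -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.crt" 2>/dev/null
    openssl genrsa -aes256 -passout pass:demo -out "$dir/Client_pass.key" 2048 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_demo_keys "$d" && report "$d" server
fi
```

Against the post's own keys, source the file and run `report keys server`, `report keys Client_pass` and `report keys Client_nopass`; for the client pair, passphrase=yes versus passphrase=no is the only difference you should see. The bits column will show 1024 for keys made with these easy-rsa defaults, which is below current guidance, so raise KEY_SIZE in the easy-rsa vars file before generating keys you intend to keep.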