Generate and sign the client SSL certificate

Generate a private key and certificate signing request (CSR) for the client machine. The `nopass` argument leaves the client's private key unencrypted on disk; keep the file readable only by the account that will use it, or omit `nopass` to have EasyRSA encrypt the key with a passphrase.

# ./easyrsa gen-req client-01.onitroad.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
.....+++++
.........................................................+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3291.u5C952/tmp.8Ra4q5'
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Common Name (eg: your user, host, or server name) [client-01.onitroad.com]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client-01.onitroad.com.req
key: /opt/easy-rsa/pki/private/client-01.onitroad.com.key

Sign the client CSR with the CA as follows. EasyRSA only displays the request's subject here and, as its own warning says, does not cryptographically verify where the request came from, so confirm the Common Name with the requester before typing `yes` (for a request generated on another machine, compare a checksum of the .req file out of band).

# ./easyrsa sign-req client client-01.onitroad.com
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
    commonName                = client-01.onitroad.com

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3318.NwnX5d/tmp.YpLhll
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client-01.onitroad.com'
Certificate is to be certified until Aug 12 09:00:41 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/client-01.onitroad.com.crt

The client SSL certificate has now been generated and signed. The 825-day lifetime is EasyRSA's default (EASYRSA_CERT_EXPIRE); shorten it in the vars file if your policy requires.

Copy the certificate authority (CA) certificate, pki/ca.crt, into /etc/pki/ca-trust/source/anchors/ on the Linux client and run `update-ca-trust` so the CA is added to the client's list of trusted CAs. Copy only ca.crt: the CA private key (pki/private/ca.key) never leaves the CA host. Deliver client-01.onitroad.com.crt and client-01.onitroad.com.key to the client over a protected channel (scp, for example), since the .key file is unencrypted.

Install EasyRSA on CentOS/Red Hat Enterprise Linux

Download the EasyRSA release tarball (3.0.8 at the time of writing) with wget.

# cd /opt/
# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

Extract the downloaded tarball with tar at the bash prompt.

# tar xvf EasyRSA-3.0.8.tgz

Rename the extracted directory as follows.

# mv EasyRSA-3.0.8 easy-rsa
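
The download above is fetched over HTTPS but its integrity is never checked before `tar` unpacks it and the tool is trusted to run a CA. The script below is an added example, not part of the original page or of the EasyRSA project: it downloads the same tarball and refuses to keep it unless its SHA-256 matches a digest pinned from a trusted source (a previously verified copy, or the upstream release signature if one is published). The placeholder digest is deliberately not a real value and must be replaced by the operator; the URL and /opt layout are the page's own.

```shell
#!/bin/sh
# Added example (not from the original page): pin and verify the EasyRSA
# tarball before extracting it. A pinned SHA-256 detects a tampered or
# truncated download that a plain `wget` would silently accept.
set -u

# Print the SHA-256 hex digest of a file. Prefers coreutils sha256sum and
# falls back to shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's digest equals EXPECTED_HEX (case-insensitive), else 1.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_HEX DEST
# Downloads URL to DEST and deletes it again unless the checksum matches, so an
# unverified tarball is never left where a later `tar xvf` could pick it up.
fetch_and_verify() {
    url=$1; expected=$2; dest=$3
    wget -q -O "$dest" "$url" || { rm -f "$dest"; return 1; }
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
}

# The operator fills in the digest from a trusted source. The placeholder is
# intentionally not a real digest for EasyRSA-3.0.8.tgz (assumed value).
EASYRSA_URL="https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz"
EASYRSA_SHA256="${EASYRSA_SHA256:-REPLACE_WITH_PINNED_SHA256}"

# Usage: EASYRSA_SHA256=<hex> sh verify-easyrsa.sh download
if [ "${1:-}" = "download" ]; then
    cd /opt || exit 1
    fetch_and_verify "$EASYRSA_URL" "$EASYRSA_SHA256" EasyRSA-3.0.8.tgz \
        && tar xvf EasyRSA-3.0.8.tgz \
        && mv EasyRSA-3.0.8 easy-rsa
fi
```

`verify_sha256` is kept separate from the download so it can also be run against a tarball that was copied onto an air-gapped CA host by hand.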

Generate and sign the server SSL certificate

Generate an RSA private key and CSR for the Linux server. The request carries only a Common Name; browsers and most current TLS libraries ignore the CN and require a subjectAltName, so if anything other than an OpenVPN peer will validate this certificate, add one when signing (EasyRSA 3.0.x accepts `--subject-alt-name="DNS:easyrsa-01.onitroad.com"` on sign-req).

# ./easyrsa gen-req easyrsa-01.onitroad.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..................................+++++
.........+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3156.k8Hinw/tmp.d8ywZV'
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Common Name (eg: your user, host, or server name) [easyrsa-01.onitroad.com]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/easyrsa-01.onitroad.com.req
key: /opt/easy-rsa/pki/private/easyrsa-01.onitroad.com.key

Sign the server CSR with the certificate authority (CA) private key. You will be prompted for the CA key passphrase chosen during build-ca.

# ./easyrsa sign-req server easyrsa-01.onitroad.com
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
    commonName                = easyrsa-01.onitroad.com

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3182.jIol30/tmp.3py67u
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'easyrsa-01.onitroad.com'
Certificate is to be certified until Aug 12 08:41:53 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/easyrsa-01.onitroad.com.crt

The SSL certificate for the Linux server has been signed.

To verify that the certificate was issued correctly, run `openssl verify` against the CA certificate as shown below. The `OK` result only proves the signature chains to ca.crt; add `-purpose sslserver` (or `-purpose sslclient` for the client certificate) to also confirm the extendedKeyUsage EasyRSA set for the requested type.

# openssl verify -CAfile pki/ca.crt /opt/easy-rsa/pki/issued/easyrsa-01.onitroad.com.crt
/opt/easy-rsa/pki/issued/easyrsa-01.onitroad.com.crt: OK
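
The single `openssl verify` above is the minimum. Before either the server certificate signed here or the client certificate signed earlier is deployed, a practitioner would also confirm that the certificate was signed for the right role, that it matches the private key it will be installed beside, that it is not about to expire, and whether it carries a subjectAltName. The script below is an added example, not code from the page or from EasyRSA; it assumes the page's PKI layout under /opt/easy-rsa/pki (overridable through PKI) and uses only standard `openssl x509`, `pkey` and `verify` options.

```shell
#!/bin/sh
# Added example (not part of the original page): post-issuance checks for a
# certificate produced by `easyrsa sign-req server|client`.
set -u

PKI=${PKI:-/opt/easy-rsa/pki}   # assumed: the page's PKI directory

# Signature chains to the CA certificate. Returns openssl's exit status.
check_chain() {            # check_chain CA_CERT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain check plus the keyUsage/extendedKeyUsage required for PURPOSE:
# sslserver for `sign-req server`, sslclient for `sign-req client`.
# A certificate signed for the other role fails here.
check_purpose() {          # check_purpose CA_CERT CERT PURPOSE
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# The public key inside the certificate must equal the one derived from the
# private key; both commands emit the same PEM form, so compare them directly.
check_key_matches() {      # check_key_matches CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Fails if the certificate expires within DAYS days.
check_not_expiring_within() {   # check_not_expiring_within CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# gen-req produces a CN-only subject; TLS clients other than OpenVPN peers
# generally require a subjectAltName. Returns 0 if the extension is present.
check_has_san() {          # check_has_san CERT
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'X509v3 Subject Alternative Name'
}

# Run every check for one issued certificate, one verdict line per check.
# ROLE is "server" or "client"; NAME is the EasyRSA entity name.
verify_issued() {          # verify_issued ROLE NAME
    role=$1; name=$2; rc=0
    ca="$PKI/ca.crt"; crt="$PKI/issued/$name.crt"; key="$PKI/private/$name.key"
    case "$role" in
        server) purpose=sslserver ;;
        client) purpose=sslclient ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    for chk in "check_chain $ca $crt" "check_purpose $ca $crt $purpose" \
               "check_key_matches $crt $key" "check_not_expiring_within $crt 30"; do
        if $chk; then echo "ok   ${chk%% *} $name"; else echo "FAIL ${chk%% *} $name"; rc=1; fi
    done
    # A missing SAN is reported as a warning, not a failure: OpenVPN validates
    # the CN, but browsers and most other TLS clients will reject the cert.
    check_has_san "$crt" || echo "warn no subjectAltName in $name"
    return $rc
}

# Usage: sh check-issued.sh server easyrsa-01.onitroad.com
#        sh check-issued.sh client client-01.onitroad.com
if [ $# -eq 2 ]; then
    verify_issued "$1" "$2"
fi
```

`check_key_matches` is the check most often skipped and most often needed: a certificate that verifies perfectly but was issued for a different key file produces a server that fails its TLS handshake with no hint in `openssl verify`.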

Generate Diffie-Hellman parameters

Generate Diffie-Hellman parameters for the key exchange. gen-dh searches for a 2048-bit safe prime, which can take several minutes; the resulting pki/dh.pem holds public group parameters, not a secret, so it can be copied to the server along with the server certificate. 2048 bits is the minimum to use today; set EASYRSA_KEY_SIZE higher in vars if you want larger parameters.

# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............+..............................................................................................................................................................++*++*++*++*
DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem

Generate the PKI directory and the CA certificate

Run easyrsa to initialise the pki directory (this removes any existing pki directory, so never run it on a CA that is already in use).

# cd easy-rsa
# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki

Generate the certificate authority (CA) certificate, which will be used to sign the server and client certificate signing requests (CSRs). Choose a strong passphrase: it encrypts pki/private/ca.key, the key whose compromise lets an attacker issue certificates your clients and servers will trust. Only pki/ca.crt is published; the key stays on this host, ideally one that is kept offline between signings.

# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
............................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:onitroad CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt
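
The interactive session above accepts EasyRSA's defaults for key size, digest and lifetimes and answers prompts by hand. The script below is an added example, not code from the page or from the EasyRSA project: it writes a `vars` file that pins those parameters explicitly, then runs the same init-pki, build-ca, gen-req, sign-req, gen-crl and gen-dh steps in `--batch` mode so the build is repeatable. It assumes EasyRSA 3.0.8 unpacked at /opt/easy-rsa as on this page, the page's hostnames, and that the CA passphrase prompts from openssl remain interactive (batch mode only suppresses the DN prompts).

```shell
#!/bin/sh
# Added example (not from the original page): scripted, repeatable CA build
# with EasyRSA 3.0.8. Assumes /opt/easy-rsa from the page's install steps.
set -eu

EASYRSA_DIR=${EASYRSA_DIR:-/opt/easy-rsa}

# Write the vars file easyrsa reads at start-up. set_var only assigns a value
# that is not already set, so --req-cn and environment overrides still win.
write_vars() {             # write_vars FILE CA_COMMON_NAME
    cat > "$1" <<EOF
set_var EASYRSA_ALGO         rsa
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_DIGEST       "sha256"
set_var EASYRSA_CA_EXPIRE    3650
set_var EASYRSA_CERT_EXPIRE  825
set_var EASYRSA_REQ_CN       "$2"
EOF
}

# Restrict the CA private key to its owner and confirm the mode took effect.
# easyrsa already creates pki/private with mode 700; this narrows the key too.
lock_ca_key() {            # lock_ca_key PKI_DIR
    chmod 600 "$1/private/ca.key"
    [ "$(ls -ld "$1/private/ca.key" | cut -c1-10)" = "-rw-------" ]
}

# Full build: CA, one server, one client, an initial (empty) CRL and the DH
# parameters. Only pki/ca.crt leaves this machine; pki/private/ca.key never does.
bootstrap_pki() {          # bootstrap_pki SERVER_NAME CLIENT_NAME
    cd "$EASYRSA_DIR"
    write_vars ./vars "onitroad CA"
    ./easyrsa --batch init-pki
    ./easyrsa --batch build-ca               # still prompts for the CA passphrase
    lock_ca_key ./pki
    # --req-cn overrides the vars CN so each request gets its own hostname.
    ./easyrsa --batch --req-cn="$1" gen-req "$1" nopass
    ./easyrsa --batch sign-req server "$1"
    ./easyrsa --batch --req-cn="$2" gen-req "$2" nopass
    ./easyrsa --batch sign-req client "$2"
    ./easyrsa --batch gen-crl                # pki/crl.pem, to be republished after every revoke
    ./easyrsa --batch gen-dh
    openssl verify -CAfile pki/ca.crt pki/issued/"$1".crt pki/issued/"$2".crt
}

# Usage: sh build-pki.sh run
if [ "${1:-}" = "run" ]; then
    bootstrap_pki easyrsa-01.onitroad.com client-01.onitroad.com
fi
```

Generating the CRL at build time, before anything has been revoked, means the server can be configured to check it from day one; revoking later is `./easyrsa revoke <name>` followed by `./easyrsa gen-crl` and redistribution of pki/crl.pem.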
Install an EasyRSA certificate authority on CentOS/RHEL 8

EasyRSA is a free, open-source CLI utility for creating a root certificate authority and for requesting and signing certificates, including intermediate CAs and certificate revocation lists (CRLs).

Here we will learn how to install and use EasyRSA on CentOS/RHEL 8.

Date: 2020-09-17 00:14:00 Source: oir Author: oir