2020 年 1 月 21 日
http://ocserv.gitlab.io/www/manual.html
生成CA证书
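# Create the private CA that signs the ocserv server and client certificates.
# Requires GnuTLS certtool. ca-key.pem is the root of trust for the whole VPN:
# generate it on a trusted host and do not copy it to the VPN server (ocserv
# only needs ca-cert.pem).
set -eu
# Private key files must never be group/world readable; set the umask rather
# than relying on whatever mode the installed certtool applies by itself.
umask 077

# --sec-param high pins the key strength explicitly instead of inheriting the
# default of whichever GnuTLS version is installed.
certtool --generate-privkey --sec-param high --outfile ca-key.pem

# Quoted heredoc delimiter: the template is written literally, nothing expands.
# expiration_days = -1 means the CA never expires (the ocserv manual's choice
# for a private CA). Such a CA can only be retired by replacing it on every
# client, so protect the key accordingly.
cat <<'_EOF_' >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

certtool --generate-self-signed --load-privkey ca-key.pem \
  --template ca.tmpl --outfile ca-cert.pem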
生成服务器证书
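# Issue the ocserv server certificate from the CA created with ca-key.pem /
# ca-cert.pem. server-key.pem and server-cert.pem go to the VPN server.
set -eu
# The server's private key must not be readable by other local users.
umask 077

# Explicit key strength; see the CA step for the rationale.
certtool --generate-privkey --sec-param high --outfile server-key.pem

# Clients verify the server by the dns_name entries (subject alt names), so
# list every hostname clients connect with; uncomment ip_address if clients
# connect by IP. NOTE(review): expiration_days = -1 is a never-expiring server
# certificate, kept from the manual — a finite lifetime with scheduled
# renewal is the safer choice, since otherwise a compromised server key can
# only be retired via the CRL.
cat <<'_EOF_' >server.tmpl
cn = "VPN server"
dns_name = "www.example.com"
dns_name = "vpn1.example.com"
#ip_address = "1.2.3.4"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

certtool --generate-certificate --load-privkey server-key.pem \
  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
  --template server.tmpl --outfile server-cert.pem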
生成客户端证书
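# Issue a client (user) certificate and bundle it with its key as PKCS#12 for
# distribution to the user's device.
set -eu
# Both the PEM key and the resulting .p12 hold the user's private key.
umask 077

# Explicit key strength; see the CA step for the rationale.
certtool --generate-privkey --sec-param high --outfile user-key.pem

# Client certificates get a finite lifetime (one year) so a lost device ages
# out even if nobody revokes it.
cat <<'_EOF_' >user.tmpl
cn = "user"
unit = "admins"
expiration_days = 365
signing_key
tls_www_client
_EOF_

certtool --generate-certificate --load-privkey user-key.pem \
  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
  --template user.tmpl --outfile user-cert.pem

# PKCS#12 encryption. The manual uses the legacy 3des-pkcs12 cipher because
# some client importers accept nothing else; prefer aes-256 (override via
# PKCS_CIPHER) whenever the target client can import it.
pkcs_cipher=${PKCS_CIPHER:-3des-pkcs12}

# certtool prompts for the export password on the terminal. Do not pass it on
# the command line (--password), which would expose it in ps output and shell
# history. After the .p12 has been delivered, user-key.pem still holds the
# plaintext private key — remove it or keep it under the same protection.
certtool --to-p12 --load-privkey user-key.pem \
  --pkcs-cipher "$pkcs_cipher" \
  --load-certificate user-cert.pem \
  --outfile user.p12 --outder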
吊销客户端证书
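# Revoke a client certificate: add it to the list of revoked certificates and
# regenerate the CRL that ocserv checks (its `crl` option).
set -eu
umask 077

# X.509 CRL numbers must increase on every issued CRL (RFC 5280 §5.2.3); a
# CRL reissued with the same crl_number as the previous one may be treated as
# stale or ignored by verifiers. A counter file next to the CA bumps it on
# every regeneration instead of hard-coding 1.
crl_number=$(( $(cat crl.number 2>/dev/null || printf '0') + 1 ))
printf '%s\n' "$crl_number" >crl.number

# Unquoted delimiter on purpose: ${crl_number} is expanded into the template.
# crl_next_update is the manual's 365 days; verifiers may reject a CRL once
# that date has passed, so regenerate the CRL well before then even with no
# new revocations.
cat <<_EOF_ >crl.tmpl
crl_next_update = 365
crl_number = ${crl_number}
_EOF_

# revoked.pem accumulates every revoked certificate (append, never overwrite):
# a CRL is always built from the complete list, not just the newest entry.
cat user-cert.pem >>revoked.pem

certtool --generate-crl --load-ca-privkey ca-key.pem \
  --load-ca-certificate ca-cert.pem --load-certificate revoked.pem \
  --template crl.tmpl --outfile crl.pem

# The new crl.pem takes effect only once ocserv re-reads it — reload/restart
# the server as its documentation describes and confirm in the log that the
# CRL loaded.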
生成空吊销列表文件
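# Generate an empty CRL, for a freshly created CA that has revoked nothing yet
# but whose ocserv config already points at a `crl` file. This step no longer
# depends on a crl.tmpl left behind by the revocation step: it writes its own.
set -eu
umask 077

# CRL numbers must increase on every issued CRL (RFC 5280 §5.2.3), so the
# number comes from a counter file shared with the revocation step rather
# than a fixed value.
crl_number=$(( $(cat crl.number 2>/dev/null || printf '0') + 1 ))
printf '%s\n' "$crl_number" >crl.number

# Unquoted delimiter on purpose: ${crl_number} is expanded. Regenerate the
# CRL before crl_next_update elapses, or verifiers may reject it as stale.
cat <<_EOF_ >crl.tmpl
crl_next_update = 365
crl_number = ${crl_number}
_EOF_

# No --load-certificate: nothing is revoked, the CRL is signed but empty.
certtool --generate-crl --load-ca-privkey ca-key.pem \
  --load-ca-certificate ca-cert.pem \
  --template crl.tmpl --outfile crl.pem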