open*** test notes

 

Self-built test 1: the cert and key files

In this test the server kept its CA certificate under the default name ca.crt, while on the client the files were renamed freely. (The name is not actually fixed on the server either: `ca`, `cert` and `key` are path directives and open*** reads whatever file they name; only the client-side rename was tried here.)

Client

 

 

client
dev tap0
proto tcp
remote  123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
ca xjp.crt
cert aaa.crt
key aaa.key

 

aaa.crt and aaa.key are the downloaded files after renaming; the rename had no effect.

In other words, the file names are irrelevant. What matters is that `cert` and `key` on a given side are a matching pair (the certificate carries the public key and identity, signed by the CA; the key file is its private half, and they only work together), and that each side's certificate was issued by the CA whose certificate the other side names in `ca`. The server never holds the client's private key, nor the client the server's: it is the shared `ca` file, not the names, that ties the two ends together. The client's `ns-cert-type server` line adds one more check: the server certificate must carry the nsCertType=server extension, so a leaked client certificate cannot be used to impersonate the server. Newer versions replace this directive with `remote-cert-tls server`, which checks extendedKeyUsage instead.

Self-built test 2: ta.key

open*** --genkey --secret ta.key

If you run this command, the resulting ta.key has to go into /etc/open*** and also into the client's config directory. It is a shared secret (the HMAC key for tls-auth), so every peer gets the same file and it should be distributed with the same care as a private key.

Add to the open*** config file:

tls-auth ta.key 1

That is the client's line. The server's is `tls-auth ta.key 0`: the trailing number is the key direction, and the two ends must be complementary (server 0, client 1). Written any other way, the server logs an error and the client cannot connect. Omitting the direction on both sides also works (one bidirectional key), but a direction on one side and none on the other does not. Server config (note also `duplicate-cn`, which lets several clients share one certificate, so one leaked key serves all of them and revoking it cuts them all off):
 
port 1194
proto tcp
dev tap0
ca ca.crt
cert gamewaveBJ.crt
key gamewaveBJ.key
dh dh1024.pem
server-bridge 192.168.9.0 255.255.255.0 192.168.9.200 192.168.9.250
push "route 192.168.9.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
Restart the server.

The file was not found, so the restart failed (ta.key had not been generated yet); generating it and restarting again succeeded:
[root@normal open***]# /etc/init.d/open*** restart
Shutting down open***:                                     [  OK  ]
Starting open***:                                          [FAILED]

[root@normal open***]# open*** --genkey --secret ta.key

[root@normal open***]# /etc/init.d/open*** restart
Shutting down open***:                                     [  OK  ]
Starting open***:                                          [  OK  ]

Client

Without ta.key the client would not start. After copying ta.key into the config directory it started:
client
dev tap0
proto tcp
remote  27.111.215.31 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
ca xjp.crt
cert aaa.crt
key aaa.key
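The two failures in this test (a file named in the config that is not there, and a tls-auth direction that is not 0 on the server and 1 on the client) can be caught before the daemon is restarted. The block below is an added example, not code from the original notes or from the open*** project: a POSIX shell pre-flight that reads a server config and a client config, resolves the ca/cert/key/dh/tls-auth file names against each config's directory, checks that ta.key carries the static-key header and that the key directions are complementary. The configs and placeholder files built in demo() are constructed for the demo; the checks assume only the directive syntax shown in the configs above.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight check for a
# pair of open*** (OpenVPN) server/client configs, so the two failures in
# the notes show up before the daemon is restarted: a file named by
# ca/cert/key/dh/tls-auth that is missing from the config directory, and
# a tls-auth key direction that is not 0 on the server / 1 on the client.
# The configs and files built in demo() are constructed for this demo.

# Second word of the first line whose directive is $2 ("" if absent).
conf_value() {           # $1=config file  $2=directive
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Key-direction argument of tls-auth ("" if absent or omitted).
tls_auth_dir() {         # $1=config file
    awk '$1 == "tls-auth" { print $3; exit }' "$1"
}

# Every file directive must point at an existing file.  Relative names
# are resolved against the config's own directory, which is what the
# init script's cd into /etc/open*** (or --cd) amounts to.
check_files() {          # $1=config file
    dir=$(dirname "$1"); frc=0
    for d in ca cert key dh tls-auth; do
        f=$(conf_value "$1" "$d")
        [ -n "$f" ] || continue
        case "$f" in /*) p=$f ;; *) p=$dir/$f ;; esac
        if [ ! -f "$p" ]; then
            echo "$1: $d -> $p missing"
            frc=1
        fi
    done
    return $frc
}

# `open*** --genkey --secret` writes a static key with this header;
# a file without it (a cert copied by mistake, say) is not a ta.key.
check_takey() {          # $1=ta.key path
    grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$1"
}

# Directions must be complementary (server 0 / client 1 by convention),
# or omitted on both sides (one bidirectional key).  A numbered side
# against an unnumbered one, or 0/0, is what makes the handshake fail.
check_directions() {     # $1=server config  $2=client config
    s=$(tls_auth_dir "$1"); c=$(tls_auth_dir "$2")
    if [ -z "$s" ] && [ -z "$c" ]; then return 0; fi
    { [ "$s" = 0 ] && [ "$c" = 1 ]; } || { [ "$s" = 1 ] && [ "$c" = 0 ]; }
}

# Whole pair: 0 only when every check passes; each problem is printed.
check_pair() {           # $1=server config  $2=client config
    rc=0
    check_files "$1" || rc=1
    check_files "$2" || rc=1
    check_directions "$1" "$2" || { echo "tls-auth direction mismatch: server='$s' client='$c'"; rc=1; }
    return $rc
}

# Stand-alone demo on constructed configs modelled on the ones in the notes.
demo() {
    t=$(mktemp -d)
    cat > "$t/server.conf" <<'EOF'
port 1194
ca ca.crt
cert gamewaveBJ.crt
key gamewaveBJ.key
dh dh1024.pem
tls-auth ta.key 0
EOF
    cat > "$t/client.ovpn" <<'EOF'
client
ca xjp.crt
cert aaa.crt
key aaa.key
tls-auth ta.key 1
EOF
    for f in ca.crt gamewaveBJ.crt gamewaveBJ.key dh1024.pem xjp.crt aaa.crt aaa.key; do
        : > "$t/$f"           # placeholders, not real keys or certs
    done
    echo "== before ta.key exists (restart would FAIL):"
    check_pair "$t/server.conf" "$t/client.ovpn" || echo "   -> not ready"
    # Stand-in for `open*** --genkey --secret ta.key`: header only, not a real key.
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 00 \
        '-----END OpenVPN Static key V1-----' > "$t/ta.key"
    echo "== after:"
    check_pair "$t/server.conf" "$t/client.ovpn" && check_takey "$t/ta.key" && echo "   -> ready"
    rm -rf "$t"
}
demo
```

Run it as `sh check.sh`, or source it and call `check_pair /etc/open***/server.conf /path/to/client.ovpn` against real configs; a non-zero exit with the printed reasons is the same information the init script's `[FAILED]` hides.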

 

 

Self-built test 3: adding a passphrase to the key

`build-key --pass` encrypts the generated private key with a PEM passphrase; the client is then asked for it each time open*** starts (or reads it from the file given to `askpass`), so a copied client3.key is useless on its own. The 1024-bit RSA key below, like dh1024.pem on the server, is the easy-rsa 2.0 default (KEY_SIZE in vars); that size is considered too weak today, so set KEY_SIZE=2048 before running build-key and build-dh.
[root@normal 2.0]# ./build-key --pass client3
Generating a 1024 bit RSA private key
.......................................................++++++
.........++++++
writing new private key to 'client3.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

 

Self-built test 4: pkitool versus build-key

pkitool needs no back-and-forth confirmation; build-key asks you to confirm again and again. In easy-rsa 2.0 build-key is just pkitool run with --interact: pkitool fills the DN from the KEY_* defaults in vars and runs openssl in batch mode, while the interactive path walks through every DN prompt and then asks whether to sign and commit:
[root@normal 2.0]# ./build-key --pass client3
Generating a 1024 bit RSA private key
.........................................................++++++
....++++++
writing new private key to 'client3.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [check]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client3]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'check'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'client3'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 28 07:44:24 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@normal 2.0]# ./pkitool --pass a4
Generating a 1024 bit RSA private key
................++++++
..........................++++++
writing new private key to 'a4.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'check'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'a4'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 28 07:44:39 2023 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

The usage text pkitool prints when run with no arguments also recommends it:
 
  [edit vars with your site-specific info]
  source ./vars
  ./clean-all
  ./build-dh     -> takes a long time, consider backgrounding
  ./pkitool --initca
  ./pkitool --server myserver
  ./pkitool client1
  ./pkitool --pass client2
Typical usage for adding client cert to existing PKI:
  source ./vars
  ./pkitool client-new

Self-built test 5: log

Add to the server config:

log /var/log/open***.log

(`log` truncates the file at every start; use `log-append` instead to keep history across restarts.)


[root@normal open***]# tail -50 /var/log/open***.log 
Wed Jan 30 16:36:52 2013 Open*** 2.2.0 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jun  6 2011
Wed Jan 30 16:36:52 2013 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Wed Jan 30 16:36:52 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
....
Wed Jan 30 16:38:09 2013 client1/123.123.123.135:1158 Connection reset, restarting [-1]
Wed Jan 30 16:38:09 2013 client1/123.123.123.135:1158 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jan 30 16:38:09 2013 TCP/UDP: Closing socket
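Once the log exists, the client-instance lines ("<CN>/<ip>:<port> ...") make per-client triage straightforward. The block below is an added example, not part of the original notes: awk helpers that count connection resets per client instance and per CN, list the addresses a CN was used from (with `duplicate-cn` in the server config more than one is expected), and count `TLS Error: cannot locate HMAC` events per source, which is what the server logs for a tls-auth mismatch such as the missing ta.key of test 2. SAMPLE_LOG is constructed on the pattern of the lines above and is not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): triage of the server log
# that the `log /var/log/open***.log` directive writes.  Once a client has
# authenticated, its lines are prefixed "<CN>/<ip>:<port>", so they can be
# grouped by the CN it presented (with duplicate-cn several machines share
# a CN, so the address is kept too).  Before authentication only the
# address is known; the HMAC errors counted below are what the server
# logs when a peer without the matching ta.key (or with the wrong key
# direction) talks to it.  SAMPLE_LOG is constructed, modelled on the
# lines in the notes; it is not a real capture.

SAMPLE_LOG='Wed Jan 30 16:36:52 2013 Open*** 2.2.0 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jun  6 2011
Wed Jan 30 16:38:09 2013 client1/123.123.123.135:1158 Connection reset, restarting [-1]
Wed Jan 30 16:38:09 2013 client1/123.123.123.135:1158 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jan 30 16:38:09 2013 TCP/UDP: Closing socket
Wed Jan 30 16:40:01 2013 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]123.123.123.200:4444
Wed Jan 30 16:40:03 2013 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]123.123.123.200:4445
Wed Jan 30 16:42:17 2013 client1/123.123.123.135:1204 Connection reset, restarting [-1]
Wed Jan 30 16:45:30 2013 client1/123.123.123.140:2231 Connection reset, restarting [-1]
Wed Jan 30 16:47:00 2013 client2/123.123.123.141:3301 Connection reset, restarting [-1]'

# "Connection reset" events per client instance: prints "<CN> <ip:port> <n>".
# Log on stdin.  Field 6 is "<CN>/<ip>:<port>" on client-instance lines.
reset_counts() {
    awk '$7 == "Connection" && $8 == "reset," {
             split($6, a, "/"); n[a[1] " " a[2]]++ }
         END { for (k in n) print k, n[k] }'
}

# Resets for one CN, summed over every address that used it (log on stdin).
resets_for_cn() {        # $1=CN
    reset_counts | awk -v cn="$1" '$1 == cn { s += $3 } END { print s + 0 }'
}

# Distinct source IPs that presented a given CN (log on stdin).  Several
# are normal with duplicate-cn; without it they deserve a look.
addresses_for_cn() {     # $1=CN
    awk -v cn="$1" '{ split($6, a, "/"); if (a[1] == cn && a[2] != "") {
                         split(a[2], b, ":"); print b[1] } }' | sort -u
}

# tls-auth HMAC failures per source ip:port (log on stdin): prints "<ip:port> <n>".
hmac_failures() {
    awk '/TLS Error: cannot locate HMAC in incoming packet from/ {
             src = $NF; sub(/^\[AF_INET\]/, "", src); n[src]++ }
         END { for (k in n) print k, n[k] }'
}

# HMAC failures from one IP regardless of port (log on stdin).
hmac_failures_from() {   # $1=ip
    hmac_failures | awk -v ip="$1" '{ split($1, a, ":"); if (a[1] == ip) s += $2 }
                                    END { print s + 0 }'
}

echo "== resets per client instance"; printf '%s\n' "$SAMPLE_LOG" | reset_counts | sort
echo "== addresses seen for client1";  printf '%s\n' "$SAMPLE_LOG" | addresses_for_cn client1
echo "== tls-auth HMAC failures";      printf '%s\n' "$SAMPLE_LOG" | hmac_failures | sort
```

Against the real file the same helpers read from `tail -f /var/log/open***.log` or a whole rotated log; a CN showing resets from many addresses at once, or an address piling up HMAC failures, is the first thing to look at.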

 
