]# mkdir -p /etc/openvpn/easy-rsa-server /etc/openvpn/easy-rsa-client
]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa-server/
]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa-client/

# In the vars file of each directory, change the validity of the root certificate (it is usually
# set fairly long, so an expiring CA does not cause unnecessary trouble) and of the issued certificates:
set_var EASYRSA_CA_EXPIRE    xxxx   # CA validity, in days
set_var EASYRSA_CERT_EXPIRE  xxxx   # issued certificate validity, in days

]# cd /etc/openvpn/easy-rsa-server
]# ./easyrsa init-pki    # initialise the PKI directory for the server-side files here
]# ./easyrsa build-ca    # generate the root (CA) certificate
Enter New CA Key Passphrase:        # passphrase protecting the CA key (may be left empty)
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:    # the default is fine here
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/pki/ca.crt    # the generated CA certificate

]# ./easyrsa gen-req server nopass    # create the server key and request; nopass leaves the private key file unencrypted and may be omitted
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
.....................+++++
......................................................+++++
writing new private key to '/etc/openvpn/easy-rsa-server/pki/private/server.key.rdsFG9aW6P'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/pki/reqs/server.req       # certificate signing request
key: /etc/openvpn/easy-rsa-server/pki/private/server.key    # the certificate's private key

]# ./easyrsa sign server server    # sign the request as a server certificate
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa-server/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Nov  7 06:46:16 2025 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/pki/issued/server.crt

]# ./easyrsa gen-dh    # Diffie-Hellman parameters used for the key exchange
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/pki/dh.pem
]# cd /etc/openvpn/easy-rsa-client
]# ./easyrsa init-pki              # initialise the PKI directory for the client-side certificate files here
]# ./easyrsa gen-req test nopass   # generate the client key and certificate request
/etc/openvpn/easy-rsa-client/pki/reqs/test.req
]# cd /etc/openvpn/easy-rsa-server
]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/pki/reqs/test.req test
]# ./easyrsa sign client test      # sign the client's request as a client certificate

subject=
    commonName                = client

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
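The checks worth running on the resulting pki/ files before they are copied into OpenVPN, as an added example that is not part of the original walkthrough: each function wraps the openssl CLI (assumed installed), the throw-away PKI it builds in a temp directory is constructed here so the script runs stand-alone in place of the easy-rsa output, and the 30-day threshold is an assumption.

```shell
# Added example (not from the original post): checks on what easy-rsa produced,
# before the files go into OpenVPN. The throw-away PKI is constructed for the demo.
set -eu

# 0 if certificate $2 chains to CA certificate $1 (pki/ca.crt from build-ca).
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if the private key is passphrase-protected ("nopass" keys are not).
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# 0 if still valid $2 days from now (catches a too-short EASYRSA_*_EXPIRE).
cert_valid_for_days() { openssl x509 -in "$1" -noout -checkend $(($2 * 86400)); }

# Prints server / client / unknown from the EKU that "sign server" vs "sign client" sets.
cert_role() {
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in
    *"TLS Web Server Authentication"*) echo server ;;
    *"TLS Web Client Authentication"*) echo client ;;
    *) echo unknown ;;
  esac
}

# Constructed throw-away PKI in directory $1: a CA plus one server and one
# client certificate, mirroring what the walkthrough builds with easy-rsa.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=DemoCA \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  for role in server client; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$role" \
      -keyout "$1/$role.key" -out "$1/$role.req" 2>/dev/null
    printf 'extendedKeyUsage=%sAuth\n' "$role" >"$1/$role.ext"
    openssl x509 -req -days 1080 -in "$1/$role.req" -CA "$1/ca.crt" \
      -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/$role.ext" \
      -out "$1/$role.crt" 2>/dev/null
  done
}

main() {
  d=$(mktemp -d); make_demo_pki "$d"
  for role in server client; do
    cert_chains_to_ca "$d/ca.crt" "$d/$role.crt" && echo "$role.crt: chains to ca.crt"
    echo "$role.crt: signed as $(cert_role "$d/$role.crt")"
    cert_valid_for_days "$d/$role.crt" 30 && echo "$role.crt: valid for 30+ days"
    key_is_encrypted "$d/$role.key" || echo "$role.key: NOT passphrase-protected"
  done
  rm -rf "$d"
}
main
```

Point the functions at /etc/openvpn/easy-rsa-server/pki/ca.crt, pki/issued/server.crt and pki/private/server.key to check the real output; a client request imported from another PKI should come back as "client", never "server".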