Monday, September 15, 2025

Creating a server certificate and a client certificate with EasyRSA on macOS

Overview

These certificates are used to connect with OpenVPN.
If a proper certificate authority (CA) can issue both your server certificate and your client certificates, use that instead.

Environment

  • macOS 15.6.1
  • EasyRSA 3.2.4

Installation

  • brew install easy-rsa

Initialization

  • easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /opt/homebrew/etc/easy-rsa/pki

Using Easy-RSA configuration:
* undefined

Creating the certificate authority

  • easyrsa build-ca

Enter a passphrase and the Common Name.

Enter New CA Key Passphrase: 
Passphrase must be at least 4 characters!

Enter New CA Key Passphrase: 

Confirm New CA Key Passphrase: 

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ytest

Notice
------
CA creation complete. Your new CA certificate is at:
* /opt/homebrew/etc/easy-rsa/pki/ca.crt

Build-ca completed successfully.

Server certificate

  • easyrsa gen-req server nopass

Enter the Common Name.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:vpn.ytest

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /opt/homebrew/etc/easy-rsa/pki/reqs/server.req
* key: /opt/homebrew/etc/easy-rsa/pki/private/server.key

The request cannot be used as it is, so sign it with the CA.

  • easyrsa sign-req server server

Answer yes to "Confirm requested details".
Then enter the CA passphrase you set earlier, and server.crt is created.

Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
You are about to sign the following certificate:

  Requested CN:     'vpn.ytest'
  Requested type:   'server'
  Valid for:        '825' days


subject=
    commonName                = vpn.ytest

Type the word 'yes' to continue, or any other input to abort.
  Confirm requested details: yes

Using configuration from /opt/homebrew/etc/easy-rsa/pki/96bd4afc/temp.02
Enter pass phrase for /opt/homebrew/etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpn.ytest'
Certificate is to be certified until Dec 15 07:19:19 2027 GMT (825 days)

Write out database with 1 new entries
Database updated

WARNING
=======
INCOMPLETE Inline file created:
* /opt/homebrew/etc/easy-rsa/pki/inline/private/server.inline


Notice
------
Certificate created at:
* /opt/homebrew/etc/easy-rsa/pki/issued/server.crt

The following three files are configured on the OpenVPN server:

  • Server certificate /opt/homebrew/etc/easy-rsa/pki/issued/server.crt
  • Server private key /opt/homebrew/etc/easy-rsa/pki/private/server.key
  • CA certificate /opt/homebrew/etc/easy-rsa/pki/ca.crt

Client certificate

  • easyrsa gen-req client1 nopass

Enter the Common Name.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:macos.ytest

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /opt/homebrew/etc/easy-rsa/pki/reqs/client1.req
* key: /opt/homebrew/etc/easy-rsa/pki/private/client1.key

Then sign it with the CA, just as for the server certificate.
Enter yes and the CA passphrase, and it is done.

  • easyrsa sign-req client client1

Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
You are about to sign the following certificate:

  Requested CN:     'macos.ytest'
  Requested type:   'client'
  Valid for:        '825' days


subject=
    commonName                = macos.ytest

Type the word 'yes' to continue, or any other input to abort.
  Confirm requested details: yes

Using configuration from /opt/homebrew/etc/easy-rsa/pki/25c39202/temp.02
Enter pass phrase for /opt/homebrew/etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'macos.ytest'
Certificate is to be certified until Dec 15 07:25:17 2027 GMT (825 days)

Write out database with 1 new entries
Database updated

WARNING
=======
INCOMPLETE Inline file created:
* /opt/homebrew/etc/easy-rsa/pki/inline/private/client1.inline


Notice
------
Certificate created at:
* /opt/homebrew/etc/easy-rsa/pki/issued/client1.crt

On the client side, OpenVPN Connect uses the following three files:

  • Client certificate /opt/homebrew/etc/easy-rsa/pki/issued/client1.crt
  • Client key /opt/homebrew/etc/easy-rsa/pki/private/client1.key
  • CA certificate /opt/homebrew/etc/easy-rsa/pki/ca.crt
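Before copying the three files to either side, it is worth confirming that they really are what the steps above were meant to produce. The script below is an added example, not part of the original post: it checks that each issued certificate chains to ca.crt, that it carries the Extended Key Usage that `easyrsa sign-req server` / `sign-req client` sets (serverAuth or clientAuth, which OpenVPN's `remote-cert-tls` option relies on), and that each private key belongs to its certificate. It assumes only the `openssl` command line tool; the default PKI path is the Homebrew one shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files EasyRSA
# produced before handing them to OpenVPN. Needs only the openssl CLI.
PKI="${EASYRSA_PKI:-/opt/homebrew/etc/easy-rsa/pki}"

# eku_of CERT: print the Extended Key Usage line of a PEM certificate, or
# nothing if the extension is absent. `-text` is used instead of `-ext` so
# this also works with the LibreSSL openssl that ships with macOS.
eku_of() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Extended Key Usage' | tail -n 1
}

# check_cert_role CA_CRT CERT ROLE: succeed only if CERT chains to CA_CRT and
# carries the EKU that `easyrsa sign-req ROLE` sets (serverAuth for "server",
# clientAuth for "client"). OpenVPN's `remote-cert-tls server` checks exactly
# this EKU, so a client certificate must never pass as a server one.
check_cert_role() {
  ca="$1"; crt="$2"; role="$3"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  case "$role" in
    server) eku_of "$crt" | grep -q 'TLS Web Server Authentication' ;;
    client) eku_of "$crt" | grep -q 'TLS Web Client Authentication' ;;
    *) return 2 ;;
  esac
}

# key_matches CERT KEY: succeed if KEY is the private key for CERT (compares the
# public keys), which catches pairing server.crt with the wrong .key file.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Run the checks on the three server-side and three client-side files.
main() {
  check_cert_role "$PKI/ca.crt" "$PKI/issued/server.crt" server || echo "server.crt: FAIL"
  key_matches "$PKI/issued/server.crt" "$PKI/private/server.key" || echo "server.key: FAIL"
  check_cert_role "$PKI/ca.crt" "$PKI/issued/client1.crt" client || echo "client1.crt: FAIL"
  key_matches "$PKI/issued/client1.crt" "$PKI/private/client1.key" || echo "client1.key: FAIL"
}

# Only run main when executed as this script, so the functions can be sourced.
case "${0##*/}" in check_easyrsa_pki.sh) main ;; esac
```

Save it as check_easyrsa_pki.sh and run it with `sh check_easyrsa_pki.sh`; silence means all four checks passed, and `EASYRSA_PKI=/other/pki` points it at a different PKI directory.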

Finally

OpenVPN basically requires two certificates: a server certificate and a client certificate.
Free certificates such as Let's Encrypt can essentially only be issued as server certificates, so when a client certificate is needed, for example for client authentication, you have to create your own self-signed certificates with a tool such as EasyRSA.

References
