环境:

操作系统: CentOS 6.6

软件:lzo-2.06、open***-2.2.2


安装前准备

关闭防火墙:

/etc/init.d/iptables stop           # stop the firewall (host is now unfiltered)

/etc/init.d/iptables status         # confirm it is stopped

# NOTE(review): this switches the host firewall off entirely. The only inbound
# traffic the service needs is UDP 1194 (the port/proto set in server.conf further
# down); opening that single port instead, e.g.
#   iptables -I INPUT -p udp --dport 1194 -j ACCEPT && service iptables save
# keeps the rest of the host filtered. Note also that the MASQUERADE rule added at
# the end of this guide is never saved, so with the service disabled at boot it is
# gone after a reboot.
chkconfig iptables off              # do not start the firewall at boot

chkconfig --list iptables           # verify the runlevel setting


关闭SELINUX

setenforce 0                         # permissive until reboot (denials are logged, not blocked)

# NOTE(review): this disables SELinux permanently. Leaving it permissive
# (SELINUX=permissive, or just the setenforce above) only logs denials, which is
# enough to confirm whether this build of open*** trips any policy at all before
# disabling it outright — nothing in this guide shows a denial that required it.
# The pattern only matches a line that currently reads SELINUX=enforcing.
sed -i 's#SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config  # permanent

getenforce                           # show the current mode


系统时间同步

# Sync the clock every 5 minutes. Time matters for what follows: certificate
# validity (the "certified until ..." dates printed by the build steps below) is
# checked against the system clock on both ends.
# NOTE(review): appending straight to the spool file bypasses the syntax check
# `crontab -e` would do, and `>>` adds another copy of the entry every time this
# line is re-run — `crontab -l` below should list it exactly once.
echo '*/5 * * * * /usr/sbin/ntpdate s2c.time.edu.cn >/dev/null 2>&1'>>/var/spool/cron/root


crontab -l    # verify the entry was picked up


安装软件包

[root@open***]# yum install -y tree lrzsz openssl* gcc-c++

[root@open*** ~]# cd /

[root@open*** /]# mkdir tools

[root@open*** /]# cd tools

rz -y

[root@open*** tools]# tar zxf lzo-2.06.tar.gz

[root@open*** tools]# cd lzo-2.06

[root@open*** lzo-2.06]# ./configure

[root@open*** lzo-2.06]# make

[root@open*** lzo-2.06]# make install

[root@open*** lzo-2.06]# cd ..

[root@open*** tools]# tar zxf open***-2.2.2.tar.gz

[root@open*** tools]# cd open***-2.2.2

[root@open*** open***-2.2.2]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib

[root@open*** open***-2.2.2]# make

[root@open*** open***-2.2.2]# make install

[root@open*** open***-2.2.2]# which open***              #查看OPEN×××目录

/usr/local/sbin/open***


配置OPEN×××

[root@open*** easy-rsa]# cd /tools/open***-2.2.2/easy-rsa/2.0

[root@open*** 2.0]# cp vars vars.bak

vim vars                    #修改最后12行

原始:

# Stock tail of easy-rsa 2.0's vars as shipped: placeholder DN fields that become
# the defaults offered by build-ca / build-key* (KEY_EMAIL is exported twice as
# shipped; the second assignment is the one that takes effect).
export KEY_COUNTRY="US"

export KEY_PROVINCE="CA"

export KEY_CITY="SanFrancisco"

export KEY_ORG="Fort-Funston"

export KEY_EMAIL="me@myhost.mydomain"

export KEY_EMAIL=mail@host.domain

export KEY_CN=changeme

export KEY_NAME=changeme

export KEY_OU=changeme

# PKCS11_* are only consulted by pkitool's PKCS#11 (hardware token) mode.
export PKCS11_MODULE_PATH=changeme

export PKCS11_PIN=1234

修改后:

# Edited tail of vars: these become the default DN fields offered by build-ca /
# build-key* below (the CA, server and client certificates all inherit them).
# NOTE(review): the 1024-bit RSA keys and DH parameters generated further down
# come from KEY_SIZE earlier in this same file (not shown here); raise it to 2048
# before running ./clean-all — 1024-bit keys are below current minimum guidance.
export KEY_COUNTRY="CN"

export KEY_PROVINCE="BJ"

export KEY_CITY="Beijing"

export KEY_ORG="test"     # change as needed

# Exported twice as in the shipped file; the second line wins.
export KEY_EMAIL="sina@sina.com"

export KEY_EMAIL=sina@sina.com

export KEY_CN=CN

export KEY_NAME=test      # change as needed

export KEY_OU=test        # change as needed

# PKCS11_* are only consulted by pkitool's PKCS#11 (hardware token) mode; left at defaults.
export PKCS11_MODULE_PATH=changeme

export PKCS11_PIN=1234

[root@open*** 2.0]# source vars               

NOTE: If you run ./clean-all, I will be doing a rm -rf on /tools/open***-2.2.2/easy-rsa/2.0/keys             

[root@open*** 2.0]# ./clean-all


创建CA证书

[root@open*** 2.0]# ./build-ca

Generating a 1024 bit RSA private key

.....++++++

....................................................++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [TEST]:

Organizational Unit Name (eg, section) [OES]:

Common Name (eg, your name or your server's hostname) [CN]:

Name [viewhigh]:

Email Address [networks@viewhigh.com]:

创建server端证书

[root@open*** 2.0]# ./build-key-server oesserver

Generating a 1024 bit RSA private key

..++++++

..............++++++

writing new private key to 'oesserver.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [TEST]:

Organizational Unit Name (eg, section) [OES]:

Common Name (eg, your name or your server's hostname) [oesserver]:

Name [viewhigh]:

Email Address [networks@viewhigh.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /tools/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BJ'

localityName          :PRINTABLE:'beijing'

organizationName      :PRINTABLE:'TEST'

organizationalUnitName:PRINTABLE:'OES'

commonName            :PRINTABLE:'oesserver'

name                  :PRINTABLE:'test'

emailAddress          :IA5STRING:'sina@sina.com'

Certificate is to be certified until Mar 19 09:18:14 2027 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

创建客户端证书

[root@open*** 2.0]# ./build-key oesclient     #不带密码

Generating a 1024 bit RSA private key

..++++++

............++++++

writing new private key to 'oesclient.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [TEST]:

Organizational Unit Name (eg, section) [OES]:

Common Name (eg, your name or your server's hostname) [oesclient]:

Name [test]:

Email Address [sina@sina.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /tools/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BJ'

localityName          :PRINTABLE:'beijing'

organizationName      :PRINTABLE:'TEST'

organizationalUnitName:PRINTABLE:'OES'

commonName            :PRINTABLE:'oesclient'

name                  :PRINTABLE:'test'

emailAddress          :IA5STRING:'sina@sina.com'

Certificate is to be certified until Mar 19 09:19:06 2027 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated  

./build-key-pass ett                 #带密码

创建迪菲·赫尔曼(Diffie-Hellman)参数文件

[root@open*** 2.0]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

.........................................+...............................+...........................................................................................................................................................................................+........................................+..................+.....+........................................................................+.............................+.....................................................................................................................+..........................................+......+.............................................+.....................................+..............................................+..................................................................................................................................................................................+..................................................+............+.....................................................+..................................+..................+..............................................................................................................+..................++*++*++*


拷贝key及配置文件

[root@open*** /]# mkdir -p /etc/open***

[root@open*** open***]# cd /tools/open***-2.2.2/easy-rsa/2.0

[root@open*** 2.0]# cp -ap keys /etc/open***

[root@open*** 2.0]# cd /tools/open***-2.2.2/sample-config-files/

[root@open*** sample-config-files]# cp client.conf server.conf /etc/open***


配置server.conf文件

# /etc/open***/server.conf — the sample server.conf copied above, trimmed to the
# directives used here.
local 192.168.1.57    # change to your own IP address

port 1194

proto udp

dev tun

# NOTE(review): `cp -ap keys /etc/open***` above copied the whole easy-rsa keys/
# directory, including ca.key — the CA private key, which build-ca created without
# any passphrase prompt. The server only needs ca.crt, its own cert/key and the dh
# file; keep ca.key off this host, since anyone who can read this directory can
# issue certificates the server will trust.
ca /etc/open***/keys/ca.crt

# NOTE(review): the server certificate built above was named oesserver
# (./build-key-server oesserver -> oesserver.crt / oesserver.key). No server.crt /
# server.key exists in keys/, so the cert and key paths below must be changed to
# match (or the certificate rebuilt under the name server) or open*** will not start.
cert /etc/open***/keys/server.crt

# 1024-bit DH parameters, the size ./build-dh generated above; 2048 is the
# current minimum guidance.
dh /etc/open***/keys/dh1024.pem

key /etc/open***/keys/server.key

# Address pool handed to clients. The MASQUERADE rule at the end of this guide
# must use this same range (it currently says 10.10.0.0/24, which matches no client).
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 172.16.0.0 255.255.255.0"    # change to the LAN range clients should reach

# NOTE(review): duplicate-cn lets any number of clients connect with the same
# certificate, so a leaked client key is indistinguishable from its owner and
# revoking it cuts off everyone sharing it. Issue one certificate per client and
# drop this line.
duplicate-cn

# Lets clients reach each other through the tunnel; drop it if they only need the LAN.
client-to-client

keepalive 10 120

# Tunnel payload compression. Later guidance discourages compressing encrypted
# traffic; keep it only if the clients require it (they must match this setting).
comp-lzo

persist-key

persist-tun

status open***-status.log

log /var/log/open***.log

# NOTE(review): nothing here drops privileges — the daemon is started as root
# below and stays root. `user nobody` / `group nobody` (persist-key / persist-tun
# are already set, which they need) confine it after startup; `tls-auth` with a
# shared ta.key would additionally discard packets that do not carry the HMAC
# before any TLS handshake starts.
verb 3


打开内核转发

vim /etc/sysctl.conf

net.ipv4.ip_forward=0   #0改为1

[root@open*** keys]# sysctl -p

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key

error: "net.bridge.bridge-nf-call-iptables" is an unknown key

error: "net.bridge.bridge-nf-call-arptables" is an unknown key

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 68719476736

kernel.shmall = 4294967296


启动OPEN×××(后台启动)

# Starts the server as root in the foreground, backgrounded by the shell; output
# goes to the `log` file named in server.conf.
# NOTE(review): a job backgrounded with `&` may be killed when this login session
# ends (the shell forwards SIGHUP to its jobs); open*** has a --daemon option that
# detaches it properly. Privilege drop (`user nobody` / `group nobody`) belongs in
# server.conf — as written the process keeps running as root.
/usr/local/sbin/open*** --config /etc/open***/server.conf &

加入到开机启动

# Persisted by appending to rc.local rather than installing an init script, so
# there is no `service open*** stop|restart|status` and no pidfile; `>>` adds a
# duplicate entry every time this line is re-run. The same --daemon caveat as the
# manual start applies here.
echo '/usr/local/sbin/open*** --config /etc/open***/server.conf & ' >>/etc/rc.local

设置NAT转换

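# Masquerade the client pool out of the LAN interface so that the 172.16.0.0/24
# route pushed in server.conf is actually reachable.
# Fix: the source range must be the pool configured by `server 10.8.0.0
# 255.255.255.0` in server.conf — the original rule said 10.10.0.0/24, which
# matches no client, so nothing was translated. Assumes the LAN-facing interface
# is eth0 — TODO confirm. The rule exists only in the running kernel; persist it
# (e.g. `service iptables save`, or an entry next to the open*** line in
# rc.local) or it is gone after a reboot.
/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE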


到此为止,服务端就配置完了。

下面就是客户端了。

将服务端的证书文件拷贝下来,ca.crt、oesclient.crt、oesclient.key(客户端配置文件中 ca、cert、key 引用的文件名必须与这些实际文件名一致)。

配置客户端配置文件:

# client.o*** — built from the sample client.conf; ca.crt and the client
# certificate/key must sit next to it, since the paths below are relative.
client

dev tun

proto udp

remote 192.168.1.57 1194    # if reached over the Internet, use the public IP address

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

# NOTE(review): the files copied from the server are oesclient.crt / oesclient.key
# (./build-key oesclient above), not client.crt / client.key — rename the files or
# change these two lines to match, or the client will not start.
cert client.crt

key client.key

# NOTE(review): add `remote-cert-tls server` (the sample config's `ns-cert-type
# server` does the same job) so the client only accepts a certificate issued for
# server use; without it any holder of a client certificate from this CA — and
# duplicate-cn lets those be shared — can pose as the server to other clients.
comp-lzo

verb 3


将文件保存为client.o***


将证书文件和客户端配置文件拷贝到指定位置。


到此就大功告成了。