openvpn证书到期更换
# 准备
准备easyrsa命令,github地址: https://github.com/OpenVPN/easy-rsa
wget https://github.com/OpenVPN/easy-rsa/archive/refs/tags/v3.1.5.tar.gz
tar xf easy-rsa-3.1.5.tar.gz
cd easy-rsa/
cp -r easyrsa3 /etc/openvpn/
cd /etc/openvpn/easyrsa3
chmod +x easyrsa
1
2
3
4
5
6
2
3
4
5
6
# ca证书
初始化pki
./easyrsa init-pki
1
执行命令后会在目录下生成一个pki的目录
修改 pki 目录下的 vars 文件,主要修改证书有效期为10年
vim pki/vars
...
# In how many days should the root CA key expire?
#
#set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
#
set_var EASYRSA_CERT_EXPIRE 3650
...
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
默认ca证书有效期为10年,默认服务端证书有效期为825天。
打开set_var EASYRSA_CERT_EXPIRE 参数前面的注释,并修改825为3650
创建ca根证书:
./easyrsa build-ca
1
输入密码、通用名
Enter New CA Key Passphrase: ## 设置密码 P@ssw1rd
Re-Enter New CA Key Passphrase: ## 再次输入密码
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: ## common随便定义,openvpn
1
2
3
2
3
# 服务端证书
创建服务器端证书
./easyrsa gen-req server nopass
1
也可以使用
./easyrsa build-server-full server nopass,未测试
输入通用名
Common Name (eg: your user, host, or server name) [server]: ## gw11
1
根据网上资料所说,这个通用名和ca的最好不要重复
签名服务端证书
./easyrsa sign server server
Confirm request details: ## yes
Enter pass phrase for /xxx/EasyRSA-3.1.0/pki/private/ca.key: ## ca的密码:P@ssw1rd
1
2
3
4
2
3
4
创建Diffie-Hellman
./easyrsa gen-dh
1
服务端证书文件路径:
pki\ca.crt ## ca根证书
pki\dh.pem ## dh算法证书
pki\issued\server.crt ## 服务端公钥
pki\private\server.key ## 服务端私钥
1
2
3
4
2
3
4
重启服务端:
# 把证书放到服务端openvpn目录下
cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/
# 修改openvpn配置文件
vim server.conf
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
;dh dh.pem
dh dh.pem
# 重启服务端
systemctl restart openvpn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# 客户端证书
./easyrsa build-client-full gw31 nopass
Enter pass phrase for /xxx/EasyRSA-3.1.0/pki/private/ca.key: ## ca的密码:P@ssw1rd
1
2
2
客户端证书文件路径:
pki\issued\gw31.crt ## 客户端公钥
pki\private\gw31.key ## 客户端私钥
1
2
2
重启客户端
# 把证书放到客户端openvpn目录下
cp pki/ca.crt pki/issued/gw31.crt pki/private/gw31.key /etc/openvpn/
# 修改openvpn配置文件
vim client.conf
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert gw31.crt
key gw31.key
# 重启客户端
systemctl restart openvpn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
上次更新: 2023/07/11, 13:47:34