OpenSSL 로 OpenVPN 용 인증서 생성하기
iolate
2019. 3. 8. 00:43
이건 정리용.
1. Root CA 생성
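# --- 1. Root CA ---
# Generate the CA private key. The subshell umask keeps ca.key at 0600 even on
# older OpenSSL releases, which honour the process umask when writing -out files.
(umask 077 && openssl genrsa -out ca.key 2048)
# Certificate request for the CA itself (self-signed below).
openssl req -new -key ca.key -out ca.csr -subj "/C=KR/O=TIM Lab/CN=My VPN CA"
# Self-signed CA certificate. CA:TRUE plus keyCertSign/cRLSign marks this key as
# an issuing CA; the here-doc keeps the extension file readable and literal.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyCertSign, cRLSign
EOF
# -sha256 pins the signature digest explicitly rather than relying on the
# OpenSSL default (older releases default to SHA-1). Serial 1 is fine for a
# self-signed root; issued certificates get serials from ca.srl later.
openssl x509 -req -sha256 -days 3650 -extfile ca.ext -set_serial 1 -signkey ca.key -in ca.csr -out ca.crt
# Remove the temporary extension file and CSR; only ca.key and ca.crt are kept.
rm -f -- ca.ext ca.csr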
2. ta.key, dh2048.pem 생성
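# --- 2. ta.key and dh2048.pem ---
# Diffie-Hellman parameters for the server. They are public, but generating
# 2048-bit parameters is slow; this is expected.
openssl dhparam -out dh2048.pem 2048
# Static tls-auth key shared by server and every client. It is a secret, so the
# subshell umask keeps the file at 0600 without changing the caller's umask.
# NOTE(review): OpenVPN 2.5+ also accepts `openvpn --genkey secret ta.key`;
# the form below is the older syntax and still works there with a warning.
(umask 077 && openvpn --genkey --secret ta.key)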
3. 서버용 인증서 생성
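# --- 3. Server certificate ---
# Server private key, created 0600 via the subshell umask.
(umask 077 && openssl genrsa -out cert.key 2048)
# Server certificate request.
openssl req -new -key cert.key -out cert.csr -subj "/C=KR/O=My Organization/CN=VPN Server"
# Extensions for an end-entity server certificate. CA:FALSE so the server key
# cannot issue further certificates; extendedKeyUsage = serverAuth is what
# clients configured with `remote-cert-tls server` check.
cat > cert.ext <<'EOF'
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Sign with the CA. -CAcreateserial creates ca.srl next to ca.crt on first use
# and increments it afterwards; -sha256 pins the digest explicitly.
openssl x509 -req -sha256 -days 3650 -extfile cert.ext -CA ca.crt -CAcreateserial -CAkey ca.key -in cert.csr -out cert.crt
# Remove the temporary extension file and CSR.
rm -f -- cert.ext cert.csr
# Install the server material. cp creates the targets with the source mode
# masked by the current umask, so the private files are set to 0600 explicitly.
cp ca.crt /etc/openvpn/ca.crt
cp cert.key /etc/openvpn/server.key
cp ta.key /etc/openvpn/ta.key
chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
mv cert.crt /etc/openvpn/server.crt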
4. 클라이언트용 인증서 생성
서버 인증서 생성과 큰 차이는 없다. X.509 확장 설정 파일의 내용 정도만 다르다.
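# --- 4. Client certificate ---
# Client private key, created 0600 via the subshell umask. cert.key is read
# again when the .ovpn profile is assembled, so it is deliberately not removed.
(umask 077 && openssl genrsa -out cert.key 2048)
# Common name of the client. It must be unique per client and is also used as
# the output filename, so it must be non-empty (and must not contain '/').
CERT_NAME="Gildong Hong"
: "${CERT_NAME:?CERT_NAME must not be empty}"
# Client certificate request.
openssl req -new -key cert.key -out cert.csr -subj "/C=KR/O=My Organization/CN=$CERT_NAME"
# Extensions for an end-entity client certificate. CA:FALSE so a client cannot
# issue certificates; extendedKeyUsage = clientAuth is what a server configured
# with `remote-cert-tls client` checks, and is harmless otherwise.
cat > cert.ext <<'EOF'
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# The output directory is never created elsewhere in this procedure; without it
# the -out below fails.
mkdir -p clients
openssl x509 -req -sha256 -days 3650 -extfile cert.ext -CA ca.crt -CAcreateserial -CAkey ca.key -in cert.csr -out "clients/$CERT_NAME.crt"
# Remove the temporary extension file and CSR.
rm -f -- cert.ext cert.csr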
5. ovpn 설정파일 만들기
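# --- 5. Client .ovpn profile ---
# The profile embeds the client private key, so it is written inside a subshell
# with umask 077 (file mode 0600) without touching the caller's umask. Replace
# SERVER_HOST and PORT before handing the file to the client.
# NOTE(review): `cipher AES-256-CBC` is kept as the original emits it; OpenVPN
# 2.5+ negotiates via `data-ciphers` — confirm against the server config before
# changing it here.
(
  umask 077
  {
    cat <<'EOF'
client
remote SERVER_HOST PORT
dev tun
proto udp
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA256
key-direction 1
persist-key
persist-tun
remote-cert-tls server
verb 3
;redirect-gateway def1 bypass-dhcp
;auth-user-pass

EOF
    # Inline CA certificate, tls-auth key, client certificate and client key.
    # key-direction 1 above pairs with the server side using 0 for ta.key.
    printf '\n\n<ca>\n'
    cat ca.crt
    printf '</ca>\n\n<tls-auth>\n'
    cat ta.key
    printf '</tls-auth>\n\n<cert>\n'
    cat "clients/$CERT_NAME.crt"
    printf '</cert>\n\n<key>\n'
    cat cert.key
    # Terminate the file with a newline; the original omitted it after </key>.
    printf '</key>\n'
  } > VPN.ovpn
)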