OpenVPN server-side setup (1): generating the CA certificate and CA private key

First, copy the scripts to /etc/openvpn/. /etc/openvpn/ was empty, but I used cp -i just in case so that any overwrite would be confirmed. cp -a tells cp to preserve the source's attributes when copying; it is the same as cp -dpR, apparently.

degas@debian:$ sudo cp -ai /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
degas@debian:/etc/openvpn$ cd /etc/openvpn/easy-rsa/
degas@debian:/etc/openvpn/easy-rsa$ ls -l
合計 80
drwxr-xr-x 2 root root 4096 2008-01-16 00:53 2.0
-rw-r--r-- 1 root root 2619 2005-11-01 20:06 README.gz
-rwxr-xr-x 1 root root  242 2005-11-01 20:06 build-ca
-rwxr-xr-x 1 root root  228 2005-11-01 20:06 build-dh
-rwxr-xr-x 1 root root  529 2005-11-01 20:06 build-inter
-rwxr-xr-x 1 root root  516 2005-11-01 20:06 build-key
-rwxr-xr-x 1 root root  424 2005-11-01 20:06 build-key-pass
-rwxr-xr-x 1 root root  695 2005-11-01 20:06 build-key-pkcs12
-rwxr-xr-x 1 root root  662 2005-11-01 20:06 build-key-server
-rwxr-xr-x 1 root root  466 2005-11-01 20:06 build-req
-rwxr-xr-x 1 root root  402 2005-11-01 20:06 build-req-pass
-rwxr-xr-x 1 root root  280 2005-11-01 20:06 clean-all
-rw-r--r-- 1 root root  264 2005-11-01 20:06 list-crl
-rw-r--r-- 1 root root  268 2005-11-01 20:06 make-crl
-rw-r--r-- 1 root root 7487 2005-11-01 20:06 openssl.cnf
-rw-r--r-- 1 root root  268 2005-11-01 20:06 revoke-crt
-rwxr-xr-x 1 root root  593 2005-11-01 20:06 revoke-full
-rwxr-xr-x 1 root root  411 2005-11-01 20:06 sign-req
-rw-r--r-- 1 root root 1266 2005-11-01 20:06 vars

Edit the vars file. Below is the original.

degas@debian:/etc/openvpn/easy-rsa$ sudo cat vars 
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys

# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"

The last five lines define the environment variables that need changing, so modify only these to fit your situation. From the top: country code (JP), prefecture name, city name, organization name (for an individual, your own name should do), and at the bottom the e-mail address.

Then generate the CA certificate and CA private key. The files are owned by root and vars sets environment variables in the shell, so you need to become root.

degas@debian:/etc/openvpn/easy-rsa$ sudo su -
debian:~# cd /etc/openvpn/easy-rsa/
debian:/etc/openvpn/easy-rsa# . ./vars 
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
debian:/etc/openvpn/easy-rsa# ./clean-all 
debian:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
export KEY_COUNTRY=**
export KEY_PROVINCE=**
export KEY_CITY=**
export KEY_ORG="**"
export KEY_EMAIL="**@**"

Country Name (2 letter code) [**]:
State or Province Name (full name) [**]:
Locality Name (eg, city) [**]:
Organization Name (eg, company) [**]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OPEN_VPN-CA
Email Address [**@**]:
debian:/etc/openvpn/easy-rsa# logout

Only the Common Name needs to be entered, so pick something suitable.

Incidentally, when I mistakenly tried to run this as an ordinary user, I got:

degas@debian:/etc/openvpn/easy-rsa$ ./clean-all 
mkdir: ディレクトリ `/etc/openvpn/easy-rsa/keys' を作成できません: 許可がありません

and was told off.
The steps above created /etc/openvpn/easy-rsa/keys/, which only root can read. Come to think of it, when I sourced . ./vars it did say "when you run ./clean-all, /etc/openvpn/easy-rsa/keys/ gets wiped clean".
Incidentally, the contents look like this.

degas@debian:/etc/openvpn/easy-rsa$ sudo ls -l ./keys/
合計 12
-rw-r--r-- 1 root root 1261 2008-01-16 14:29 ca.crt (CA certificate)
-rw------- 1 root root  887 2008-01-16 14:29 ca.key (CA private key)
-rw-r--r-- 1 root root    0 2008-01-16 14:27 index.txt
-rw-r--r-- 1 root root    3 2008-01-16 14:27 serial
degas@debian:/etc/openvpn/easy-rsa$ sudo cat ./keys/serial
01
degas@debian:/etc/openvpn/easy-rsa$ sudo cat ./keys/ca.crt
-----BEGIN CERTIFICATE-----
(squiggles)
-----END CERTIFICATE-----
degas@debian:/etc/openvpn/easy-rsa$ sudo cat ./keys/ca.key
-----BEGIN RSA PRIVATE KEY-----
(squiggles)
-----END RSA PRIVATE KEY-----
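The build-ca run above and the keys/ listing that follows it are worth checking rather than just eyeballing: the CA private key must stay mode 0600, the certificate must actually assert basicConstraints CA:TRUE, and the key size in the shipped vars (1024) is below today's floor. The script below is an added example, not code from the original post or from easy-rsa. It reproduces what build-ca does with plain openssl and a throwaway config file (the DN values, the example.test address and the mktemp directory are all constructed for the demo), then audits the result the way an administrator would before trusting the CA.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa: reproduce what
# build-ca does with plain openssl, then audit the resulting keys/ directory
# before trusting the CA. The directory, DN values and the example.test
# address are constructed for the demo.
set -eu

# Build a self-signed CA into directory $1 with common name $2, using the
# same DN fields that easy-rsa's vars file exports. The key is 2048 bits
# (the post's vars still says 1024, which is below today's floor).
make_ca() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
C            = JP
ST           = Tokyo
L            = Shinjuku
O            = Example-VPN
CN           = $cn
emailAddress = admin@example.test
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # umask 077 in a subshell so ca.key is created 0600 and nothing else changes
    ( umask 077 && openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null )
    chmod 644 "$dir/ca.crt"   # the certificate is public; every client ships a copy
}

# 0 only if the file is readable and writable by its owner alone (-rw-------).
key_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# 0 only if the certificate asserts basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Print the RSA modulus size in bits (matches the 1.1.1 and 3.x text formats).
ca_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the subject common name (handles both "/CN=x/" and "CN = x," formats).
ca_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Apply the checks to a keys/ directory: print one line per finding and
# return 0 only when all of them pass.
audit_ca() {
    dir="$1"; rc=0
    key_mode_ok "$dir/ca.key" || { echo "FAIL: ca.key is not mode 0600"; rc=1; }
    is_ca_cert "$dir/ca.crt"  || { echo "FAIL: ca.crt lacks basicConstraints CA:TRUE"; rc=1; }
    bits=$(ca_key_bits "$dir/ca.crt")
    [ "${bits:-0}" -ge 2048 ]  || { echo "FAIL: CA key is only ${bits:-?} bits"; rc=1; }
    openssl x509 -in "$dir/ca.crt" -noout -checkend 0 >/dev/null \
                              || { echo "FAIL: ca.crt has expired"; rc=1; }
    return $rc
}

# Demo: build a CA in a temporary directory and audit it.
CA_DIR=$(mktemp -d)
make_ca "$CA_DIR" "OPEN_VPN-CA"
if audit_ca "$CA_DIR"; then
    echo "CA in $CA_DIR passed all checks (CN=$(ca_cn "$CA_DIR/ca.crt"))"
fi
```

Pointing audit_ca at a real /etc/openvpn/easy-rsa/keys/ (as root) reports the same four findings for a CA produced by build-ca; the permission check is the one that catches a keys/ directory that was copied around with cp -r instead of cp -a.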