First, copy the scripts to /etc/openvpn/. /etc/openvpn/ was empty, but just in case I used cp -i so it would ask before overwriting anything. Note that cp -a tells cp to copy while preserving the attributes of the source; apparently it is the same as cp -dpR.
degas@debian:$ sudo cp -ai /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
degas@debian:/etc/openvpn$ cd /etc/openvpn/easy-rsa/
degas@debian:/etc/openvpn/easy-rsa$ ls -l
合計 80
drwxr-xr-x 2 root root 4096 2008-01-16 00:53 2.0
-rw-r--r-- 1 root root 2619 2005-11-01 20:06 README.gz
-rwxr-xr-x 1 root root  242 2005-11-01 20:06 build-ca
-rwxr-xr-x 1 root root  228 2005-11-01 20:06 build-dh
-rwxr-xr-x 1 root root  529 2005-11-01 20:06 build-inter
-rwxr-xr-x 1 root root  516 2005-11-01 20:06 build-key
-rwxr-xr-x 1 root root  424 2005-11-01 20:06 build-key-pass
-rwxr-xr-x 1 root root  695 2005-11-01 20:06 build-key-pkcs12
-rwxr-xr-x 1 root root  662 2005-11-01 20:06 build-key-server
-rwxr-xr-x 1 root root  466 2005-11-01 20:06 build-req
-rwxr-xr-x 1 root root  402 2005-11-01 20:06 build-req-pass
-rwxr-xr-x 1 root root  280 2005-11-01 20:06 clean-all
-rw-r--r-- 1 root root  264 2005-11-01 20:06 list-crl
-rw-r--r-- 1 root root  268 2005-11-01 20:06 make-crl
-rw-r--r-- 1 root root 7487 2005-11-01 20:06 openssl.cnf
-rw-r--r-- 1 root root  268 2005-11-01 20:06 revoke-crt
-rwxr-xr-x 1 root root  593 2005-11-01 20:06 revoke-full
-rwxr-xr-x 1 root root  411 2005-11-01 20:06 sign-req
-rw-r--r-- 1 root root 1266 2005-11-01 20:06 vars
Edit the vars file. Below is the original.
degas@debian:/etc/openvpn/easy-rsa$ sudo cat vars
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys

# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
The last five lines define the environment variables that need to be changed, so only these are modified to fit your situation. From the top: country code (JP), prefecture, city, organization name (for an individual, your own name should be fine), and the last one is the e-mail address.
Then generate the CA certificate and CA private key. The files are owned by root, and vars sets the configuration in environment variables, so you need to become root.
degas@debian:/etc/openvpn/easy-rsa$ sudo su -
debian:~# cd /etc/openvpn/easy-rsa/
debian:/etc/openvpn/easy-rsa# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
debian:/etc/openvpn/easy-rsa# ./clean-all
debian:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
export KEY_COUNTRY=**
export KEY_PROVINCE=**
export KEY_CITY=**
export KEY_ORG="**"
export KEY_EMAIL="**@**"
Country Name (2 letter code) [**]:
State or Province Name (full name) [**]:
Locality Name (eg, city) [**]:
Organization Name (eg, company) [**]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OPEN_VPN-CA
Email Address [**@**]:
debian:/etc/openvpn/easy-rsa# logout
Only the Common Name needs to be filled in, so I just entered something suitable.
By the way, when I mistakenly tried to run it as an ordinary user,
degas@debian:/etc/openvpn/easy-rsa$ ./clean-all
mkdir: ディレクトリ `/etc/openvpn/easy-rsa/keys' を作成できません: 許可がありません
it complained like that.
The steps above created /etc/openvpn/easy-rsa/keys/, which only root can read. Come to think of it, when I ran . ./vars it did say "when you run ./clean-all, /etc/openvpn/easy-rsa/keys/ will be wiped clean".
Incidentally, the contents look like this.
degas@debian:/etc/openvpn/easy-rsa$ sudo ls -l ./keys/
合計 12
-rw-r--r-- 1 root root 1261 2008-01-16 14:29 ca.crt    (CA certificate)
-rw------- 1 root root  887 2008-01-16 14:29 ca.key    (CA private key)
-rw-r--r-- 1 root root    0 2008-01-16 14:27 index.txt
-rw-r--r-- 1 root root    3 2008-01-16 14:27 serial
degas@debian:/etc/openvpn/easy-rsa$ sudo cat ./keys/serial
01
degas@debian:/etc/openvpn/easy-rsa$ sudo cat ./keys/ca.crt
-----BEGIN CERTIFICATE-----
(squiggles)
-----END CERTIFICATE-----
degas@debian:/etc/openvpn/easy-rsa$ sudo cat ./keys/ca.key
-----BEGIN RSA PRIVATE KEY-----
(squiggles)
-----END RSA PRIVATE KEY-----
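Two things in the steps above are worth checking with a script rather than by eye: the vars file warns that ./clean-all does rm -rf on KEY_DIR, and the listing shows ca.key ending up as -rw------- (owner-only), which is what you want for the CA private key. The POSIX sh below is an added example written for this post, not part of easy-rsa or the original article; the function names and the temporary directory it builds for the demo are my own assumptions. key_dir_is_safe refuses a KEY_DIR that is empty, relative, equal to the easy-rsa root itself, outside that root, or containing ".." escapes, so it can be run on the value of $KEY_DIR before you source vars and run ./clean-all. check_ca_keys verifies that, after ./build-ca, ca.crt and ca.key exist and that ca.key is not readable by group or others.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa.
# Function names and the demo directory are assumptions made for illustration.

# key_dir_is_safe KEY_DIR EASY_RSA_ROOT
# Returns 0 only if KEY_DIR is a non-empty absolute path strictly below
# EASY_RSA_ROOT. clean-all runs "rm -rf $KEY_DIR", so "", "/", the root
# itself, or anything with ".." in it must be rejected before sourcing vars.
key_dir_is_safe() {
    key_dir=$1
    root=$2
    [ -n "$key_dir" ] || return 1
    case "$key_dir" in
        /*) ;;                      # must be absolute
        *) return 1 ;;
    esac
    case "$key_dir" in
        "$root"/?*) ;;              # must be strictly below the root, not the root
        *) return 1 ;;
    esac
    case "$key_dir" in
        *"/../"*|*"/..") return 1 ;; # no parent-directory escapes
    esac
    return 0
}

# file_mode FILE: prints the 10-character permission string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_ca_keys KEY_DIR
# After ./build-ca, ca.crt and ca.key must exist, and ca.key must be readable
# by its owner only (-rw-------), as in the listing from the post.
check_ca_keys() {
    dir=$1
    [ -f "$dir/ca.crt" ] || { echo "missing $dir/ca.crt" >&2; return 1; }
    [ -f "$dir/ca.key" ] || { echo "missing $dir/ca.key" >&2; return 1; }
    mode=$(file_mode "$dir/ca.key")
    [ "$mode" = "-rw-------" ] || {
        echo "ca.key mode is $mode, expected -rw-------" >&2
        return 1
    }
    return 0
}

# Demo on a constructed temporary tree standing in for /etc/openvpn/easy-rsa.
demo() {
    root=$(mktemp -d)
    mkdir "$root/keys"
    : > "$root/keys/ca.crt"
    : > "$root/keys/ca.key"
    chmod 600 "$root/keys/ca.key"
    if key_dir_is_safe "$root/keys" "$root" && check_ca_keys "$root/keys"; then
        echo "KEY_DIR and CA key permissions look OK"
    fi
    rm -rf "$root"
}
demo
```

In real use you would call key_dir_is_safe "$KEY_DIR" "$D" right after . ./vars and abort before ./clean-all if it fails, and run check_ca_keys "$KEY_DIR" after ./build-ca; both only inspect the filesystem and change nothing.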