You need to be root again. Since I logged out once in the meantime, first run . ./vars to set the environment variables again.
debian:/etc/openvpn/easy-rsa# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
debian:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
...................++++++
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [**]:
State or Province Name (full name) [**]:
Locality Name (eg, city) [**]:
Organization Name (eg, company) [**]:
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :debian
Email Address [**@**]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password : (do not enter anything!)
An optional company name :
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'**'
stateOrProvinceName :PRINTABLE:'**'
localityName :PRINTABLE:'**'
organizationName :PRINTABLE:'**'
commonName :PRINTABLE:'**'
emailAddress :IA5STRING:'**@**'
Certificate is to be certified until Jan 13 05:57:55 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
At this point the keys directory looks like this:
debian:/etc/openvpn/easy-rsa# ls -l ./keys/
total 40
-rw-r--r-- 1 root root 3660 Jan 16 14:58 01.pem
-rw-r--r-- 1 root root 1261 Jan 16 14:29 ca.crt (CA certificate)
-rw------- 1 root root 887 Jan 16 14:29 ca.key (CA private key)
-rw-r--r-- 1 root root 95 Jan 16 14:58 index.txt
-rw-r--r-- 1 root root 21 Jan 16 14:58 index.txt.attr
-rw-r--r-- 1 root root 0 Jan 16 14:27 index.txt.old
-rw-r--r-- 1 root root 3 Jan 16 14:58 serial
-rw-r--r-- 1 root root 3 Jan 16 14:27 serial.old
-rw-r--r-- 1 root root 3660 Jan 16 14:58 server.crt (server certificate)
-rw-r--r-- 1 root root 672 Jan 16 14:57 server.csr (not needed)
-rw------- 1 root root 891 Jan 16 14:57 server.key (server private key)
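Three server.* files have been added. Of these, server.csr is apparently the request submitted to the CA. Since the server certificate has already been issued, it is no longer needed (from reference book 1).
index.txt, index.txt.attr, and 01.pem have also been created, but these are apparently management files and do not seem to be involved in authentication (from reference book 2).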
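
As an added example (not part of the original article or of easy-rsa itself), the shell functions below audit a keys directory like the one listed above: they report any *.key file that group or others can access, and any *.csr whose certificate has already been issued. The function names and the LOOSE/STALE labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an easy-rsa keys directory.
# Assumption: private keys end in .key and requests end in .csr,
# as in the directory listing above.

# Print "LOOSE <path>" for every private key with any group/other bit set.
# Uses only POSIX find tests (-perm -mode means "all these bits are set").
loose_keys() {
    find "$1" -type f -name '*.key' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/LOOSE /' | sort
}

# Print "STALE <path>" for every request whose certificate already exists,
# i.e. the request has been signed and no longer serves a purpose.
stale_requests() {
    for csr in "$1"/*.csr; do
        [ -f "$csr" ] || continue
        crt="${csr%.csr}.crt"
        if [ -s "$crt" ]; then
            printf 'STALE %s\n' "$csr"
        fi
    done
    return 0
}

# Run both checks; print findings and return 1 if there are any.
audit_keys_dir() {
    dir=${1:-/etc/openvpn/easy-rsa/keys}
    findings=$(loose_keys "$dir"; stale_requests "$dir")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: audit_keys_dir /etc/openvpn/easy-rsa/keys
```

With the listing shown above, only server.csr would be reported, because ca.key and server.key are already mode 600.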