OpenVPN server-side setup (2): generating the OpenVPN server certificate and private key

This again has to be done as root. Since I had logged out in the meantime, I first ran ". ./vars" to set the environment variables again.

debian:/etc/openvpn/easy-rsa# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
debian:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
...................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [**]:
State or Province Name (full name) [**]:
Locality Name (eg, city) [**]:
Organization Name (eg, company) [**]:
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :debian
Email Address [**@**]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :(leave this blank!)
An optional company name :
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'**'
stateOrProvinceName   :PRINTABLE:'**'
localityName          :PRINTABLE:'**'
organizationName      :PRINTABLE:'**'
commonName            :PRINTABLE:'**'
emailAddress          :IA5STRING:'**@**'
Certificate is to be certified until Jan 13 05:57:55 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

At this point the keys directory contains:

debian:/etc/openvpn/easy-rsa# ls -l ./keys/
total 40
-rw-r--r-- 1 root root 3660 Jan 16 14:58 01.pem
-rw-r--r-- 1 root root 1261 Jan 16 14:29 ca.crt (CA certificate)
-rw------- 1 root root  887 Jan 16 14:29 ca.key (CA private key)
-rw-r--r-- 1 root root   95 Jan 16 14:58 index.txt
-rw-r--r-- 1 root root   21 Jan 16 14:58 index.txt.attr
-rw-r--r-- 1 root root    0 Jan 16 14:27 index.txt.old
-rw-r--r-- 1 root root    3 Jan 16 14:58 serial
-rw-r--r-- 1 root root    3 Jan 16 14:27 serial.old
-rw-r--r-- 1 root root 3660 Jan 16 14:58 server.crt (server certificate)
-rw-r--r-- 1 root root  672 Jan 16 14:57 server.csr (not needed)
-rw------- 1 root root  891 Jan 16 14:57 server.key (server private key)

so three server.* files have been added. Of these, server.csr is apparently the signing request submitted to the CA; since the server certificate has already been issued, it is no longer needed (from reference book 1).
index.txt, index.txt.attr and 01.pem were also created, but these appear to be the CA's own bookkeeping files and play no part in authentication (from reference book 2).