Adding certificates for additional users
[root@openvpnserver ~]# cd /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/
[root@openvpnserver 2.0]# source vars   #<=== after opening a new window or leaving this directory and coming back, this command must be run again to reload the variables
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@openvpnserver 2.0]# ./build-key-pass test2   #<=== add a new user; after dialing in, a password must be entered for verification
Generating a 1024 bit RSA private key
....++++++
..++++++
writing new private key to 'test2.key'
Enter PEM pass phrase:   #<=== every password entered here is 123456
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GZ]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) [oldboy]:
Common Name (eg, your name or your server's hostname) [test2]:
Name [oldboy]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GZ'
localityName          :PRINTABLE:'GuangZhou'
organizationName      :PRINTABLE:'oldboy'
organizationalUnitName:PRINTABLE:'oldboy'
commonName            :PRINTABLE:'test2'
name                  :PRINTABLE:'oldboy'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Feb 10 08:47:25 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@openvpnserver 2.0]# ls ./keys/test2*
./keys/test2.crt  ./keys/test2.csr  ./keys/test2.key
[root@openvpnserver 2.0]# sz -y ./keys/test*   #<=== download the two files above (key and crt) together with the shared ca certificate into the test2 user folder under the Windows OpenVPN GUI config directory
Then copy the client conf file, modify it as follows, and rename it test2.ovpn.
Verify that dialing in succeeds.
Allowing multiple users to share one certificate
[root@openvpnserver 2.0]# grep "duplicate-cn" /etc/openvpn/server.conf
;duplicate-cn   #<=== remove this semicolon to allow multiple users to share one certificate
Checking client logins on the OpenVPN server
log /etc/openvpn/openvpn.log   #<=== the server side defines this file path in server.conf
[root@openvpnserver 2.0]# cat /etc/openvpn/openvpn.log
Revoking an OpenVPN user certificate
[root@openvpnserver 2.0]# tail -7 openssl-1.0.0.cnf   #<=== with openvpn 2.09 the following must be commented out, otherwise an error (error 23) is sometimes reported; on 2.2.2 and later ignore this, although the error does not seem to affect revocation anyway
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
[root@openvpnserver 2.0]# ./revoke-full test2   #<=== use this command to revoke a user certificate
Using configuration from /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 04.
Data Base Updated
Using configuration from /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
test2.crt: C = CN, ST = GZ, L = GuangZhou, O = oldboy, OU = oldboy, CN = test2, name = oldboy, emailAddress = [email protected]
error 8 at 0 depth lookup:CRL signature failure
139770038765384:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:217:
[root@openvpnserver 2.0]# ll keys/crl.pem   #<=== the file generated by running the revoke-full command
-rw-r--r-- 1 root root 548 2月 13 17:22 keys/crl.pem
[root@openvpnserver 2.0]# cat keys/crl.pem   #<=== this file (the CRL) lists the revoked user certificate
-----BEGIN X509 CRL-----
MIIBbDCB1jANBgkqhkiG9w0BAQQFADCBkDELMAkGA1UEBhMCQ04xCzAJBgNVBAgT
AkdaMRIwEAYDVQQHEwlHdWFuZ1pob3UxDzANBgNVBAoTBm9sZGJveTEPMA0GA1UE
CxMGb2xkYm95MQswCQYDVQQDEwJDTjEPMA0GA1UEKRMGb2xkYm95MSAwHgYJKoZI
hvcNAQkBFhEyNTcwNTgzNzg2QHFxLmNvbRcNMTkwMjEzMDkyMjU4WhcNMTkwMzE1
MDkyMjU4WjAUMBICAQQXDTE5MDIxMzA5MjIyOFowDQYJKoZIhvcNAQEEBQADgYEA
CdIKepY6G6AoR0kkdbQwr5yYyY6NjxyhRWpVbk8REi5E9S+xeq8y4nrHyv5TpdO5
fbMAZA/m1AcImt/5eZPTSgyJhGrjXNQCCwdtrxVSzXKC/GAdpDaHniJkMP0SigS1
cgVTUuk8mdCgnudAF/mvdeJrM/kknJceiGZaFUQkkak=
-----END X509 CRL-----
[root@openvpnserver 2.0]# cat keys/index.txt   #<=== check the revocation status of user certificates here; entries starting with R are revoked certificates
V  290126034549Z                01  unknown  /C=CN/ST=GZ/L=GuangZhou/O=oldboy/OU=oldboy/CN=server/name=oldboy/[email protected]
V  290126035058Z                02  unknown  /C=CN/ST=GZ/L=GuangZhou/O=oldboy/OU=oldboy/CN=test/name=oldboy/[email protected]
V  290126035511Z                03  unknown  /C=CN/ST=GZ/L=GuangZhou/O=oldboy/OU=oldboy/CN=ett/name=oldboy/[email protected]
R  290210084725Z  190213092228Z  04  unknown  /C=CN/ST=GZ/L=GuangZhou/O=oldboy/OU=oldboy/CN=test2/name=oldboy/[email protected]
[root@openvpnserver 2.0]# cp keys/crl.pem /etc/openvpn/keys/
[root@openvpnserver 2.0]# echo 'crl-verify' /etc/openvpn/keys/crl.pem >>/etc/openvpn/server.conf   #<=== make the server load this revocation file; revoked users can then no longer log in
[root@openvpnserver 2.0]# tail -1 /etc/openvpn/server.conf
crl-verify /etc/openvpn/keys/crl.pem
Verify in the Windows OpenVPN GUI that the connection can no longer succeed (note: the openvpn service must be restarted first).
Adding a password for Windows client users (users who could previously log in without password verification)
Method for revoking multiple user certificates:
[root@openvpnserver 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@openvpnserver 2.0]# ./revoke-full ett
[root@openvpnserver 2.0]# \cp keys/crl.pem /etc/openvpn/keys/crl.pem   #<=== overwrite the existing file in place
[root@openvpnserver 2.0]# /etc/init.d/openvpn restart   #<=== after the service restarts, neither the previously revoked users nor the newly revoked ones can log in
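As an added example (not code from the original post), a small POSIX sh script for checking the two states the revocation steps above and in the earlier revocation section depend on: which CNs keys/index.txt marks as revoked, and whether crl-verify (and duplicate-cn) are actually uncommented in server.conf. The index.txt and server.conf contents are constructed samples modelled on the ones shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. On disk easy-rsa's index.txt is
# tab-separated: status (V/R/E), expiry, revocation time (empty unless R),
# serial, file name, subject DN. The sample below is constructed to mirror the
# entries shown in the post (subjects shortened).
INDEX_TXT="$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
  V 290126034549Z '' 01 unknown '/C=CN/ST=GZ/O=oldboy/CN=server/name=oldboy' \
  V 290126035058Z '' 02 unknown '/C=CN/ST=GZ/O=oldboy/CN=test/name=oldboy' \
  R 290210084725Z 190213092228Z 04 unknown '/C=CN/ST=GZ/O=oldboy/CN=test2/name=oldboy')"

# Constructed server.conf contents: before the post's edits (duplicate-cn still
# commented out with ';', no crl-verify) and after them.
SERVER_CONF_BEFORE="$(printf '%s\n' 'port 1194' ';duplicate-cn' 'log /etc/openvpn/openvpn.log')"
SERVER_CONF_AFTER="$(printf '%s\n' 'port 1194' 'duplicate-cn' 'log /etc/openvpn/openvpn.log' \
  'crl-verify /etc/openvpn/keys/crl.pem')"

# Print the CN of every revoked (R) entry, one per line.
revoked_cns() {  # $1 = index.txt contents
  printf '%s\n' "$1" | awk -F'\t' '$1 == "R" {
    n = split($6, parts, "/")
    for (i = 1; i <= n; i++) if (parts[i] ~ /^CN=/) print substr(parts[i], 4)
  }'
}

# Status letter (V/R/E) for one CN, or "missing" if no such cert was issued.
cert_status() {  # $1 = index.txt contents, $2 = CN
  printf '%s\n' "$1" | awk -F'\t' -v cn="$2" '
    index($6, "/CN=" cn "/") || $6 ~ ("/CN=" cn "$") { print $1; found = 1; exit }
    END { if (!found) print "missing" }'
}

# "yes" if a directive is active in an OpenVPN config, "no" if it is absent or
# commented out with ';' or '#' (the post enables duplicate-cn by deleting ';').
directive_active() {  # $1 = config contents, $2 = directive name
  if printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"; then
    echo yes
  else
    echo no
  fi
}

echo "revoked CNs in index.txt: $(revoked_cns "$INDEX_TXT" | tr '\n' ' ')"
echo "status of test2: $(cert_status "$INDEX_TXT" test2)"
echo "crl-verify active before/after: $(directive_active "$SERVER_CONF_BEFORE" crl-verify)/$(directive_active "$SERVER_CONF_AFTER" crl-verify)"
echo "duplicate-cn active before/after: $(directive_active "$SERVER_CONF_BEFORE" duplicate-cn)/$(directive_active "$SERVER_CONF_AFTER" duplicate-cn)"
```

Point the functions at the real files with `"$(cat keys/index.txt)"` and `"$(cat /etc/openvpn/server.conf)"` to repeat the check on a live server; an R entry in index.txt only blocks a login once crl-verify is active and the service has been restarted, as the post notes.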