Adding a new OpenVPN user and revoking one

2019/03/13 10:49

Background: the previous article set up a working OpenVPN server, but with only a single user. Once the server is running, new people will occasionally need to use the service, so a new client certificate has to be generated and handed to each of them; likewise, old users eventually have to be revoked.

1. Creating a new client certificate

1.1 Create a new PKI

[root@loaclhost ~]# cd /etc/openvpn/client/easy-rsa/3.0.6/

[root@loaclhost 3.0.6]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars
WARNING!!!
You are about to remove the EASYRSA_PKI at: /etc/openvpn/client/easy-rsa/3.0.6/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.6/pki


1.2 Create the new user "client" without a passphrase

[root@loaclhost 3.0.6]# ./easyrsa gen-req client nopass

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Generating a 2048 bit RSA private key
.+++
................+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.6/pki/private/client.key.t2BB3YF7HR'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/client.req
key: /etc/openvpn/client/easy-rsa/3.0.6/pki/private/client.key

1.3 Sign the client certificate

[root@loaclhost 3.0.6]# cd /etc/openvpn/easy-rsa/3.0.6/

[root@loaclhost 3.0.6]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/client.req client

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013

Easy-RSA error:

Unable to import the request as the destination file already exists.
Please choose a different name for your imported request file.
Existing file at: /etc/openvpn/easy-rsa/3.0.6/pki/reqs/client.req

[root@loaclhost 3.0.6]# ./easyrsa sign client client

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
    commonName                = client
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client'
Certificate is to be certified until Feb 25 01:31:26 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.6/pki/issued/client.crt

1.4 Collect the client's certificate files

[root@loaclhost 3.0.6]# mkdir /etc/openvpn/client/client

[root@loaclhost 3.0.6]# cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt /etc/openvpn/client/client/

[root@loaclhost 3.0.6]# cp /etc/openvpn/easy-rsa/3.0.6/pki/issued/client.crt /etc/openvpn/client/client/

[root@loaclhost 3.0.6]# cp /etc/openvpn/client/easy-rsa/3.0.6/pki/private/client.key /etc/openvpn/client/client/

[root@loaclhost 3.0.6]# cp /etc/openvpn/open.ovpn /etc/openvpn/client/client/

[root@loaclhost 3.0.6]# ll /etc/openvpn/client/client/

-rw-------. 1 root root 1172 Mar 13 09:32 ca.crt
-rw-------. 1 root root 4432 Mar 13 09:32 client.crt
-rw-------. 1 root root 1704 Mar 13 09:33 client.key
-rw-r--r--. 1 root root  200 Mar 13 09:33 open.ovpn

Note: this open.ovpn has the same contents as user1's profile, but the file locations and file names on its key and cert lines must be changed!!!
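One way to avoid editing the key and cert paths for every new user is to embed the PEM files inline in the profile instead of referencing them by path. The script below is an added example, not code from the original post: it assumes a directory laid out as in 1.4 (ca.crt, client.crt, client.key and the base open.ovpn in /etc/openvpn/client/client/) and a base profile whose ca, cert and key directives name files; the sample profile text and placeholder PEM bodies are constructed for the demonstration. It also includes a check that the copied key really belongs to the signed certificate, which is worth running here because the import-req step in 1.3 failed on a pre-existing client.req, so the certificate that was signed came from that existing request rather than from the key generated in 1.2.

```python
"""Assemble a self-contained OpenVPN client profile from the files of 1.4.

Added example, not from the original post. Paths, directive names and the
sample texts below are assumptions/constructed input.
"""
import re
import subprocess
from pathlib import Path

# Directives whose file argument is replaced by an inline PEM block.
INLINE_DIRECTIVES = ("ca", "cert", "key")

# Constructed sample base profile (stands in for the post's open.ovpn).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert user1.crt
key user1.key
verb 3
"""

# Constructed placeholder PEM bodies; real files hold base64 DER.
SAMPLE_PEMS = {
    "ca": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----",
    "key": "-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----",
}


def inline_profile(profile_text: str, pem_by_directive: dict) -> str:
    """Replace each 'ca/cert/key <file>' line with an inline <ca>...</ca>
    (etc.) block holding the supplied PEM text. Directives for which no
    PEM was supplied are left untouched."""
    out = []
    for line in profile_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9-]+)\s+\S", line)
        name = m.group(1) if m else None
        if name in INLINE_DIRECTIVES and name in pem_by_directive:
            out.append(f"<{name}>\n{pem_by_directive[name].strip()}\n</{name}>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def build_profile(client_dir: Path, base_profile: Path, name: str) -> str:
    """Read ca.crt, <name>.crt and <name>.key from client_dir (the layout of
    1.4) and return one self-contained profile text."""
    pems = {
        "ca": (client_dir / "ca.crt").read_text(),
        "cert": (client_dir / f"{name}.crt").read_text(),
        "key": (client_dir / f"{name}.key").read_text(),
    }
    return inline_profile(base_profile.read_text(), pems)


def key_matches_cert(cert_path: Path, key_path: Path) -> bool:
    """Confirm the private key belongs to the certificate by comparing the
    public keys openssl extracts from each (requires the openssl CLI)."""
    cert_pub = subprocess.run(
        ["openssl", "x509", "-noout", "-pubkey", "-in", str(cert_path)],
        capture_output=True, text=True, check=True).stdout
    key_pub = subprocess.run(
        ["openssl", "pkey", "-pubout", "-in", str(key_path)],
        capture_output=True, text=True, check=True).stdout
    return cert_pub.strip() == key_pub.strip()


if __name__ == "__main__":
    # Assumed locations, matching the post's directory layout.
    d = Path("/etc/openvpn/client/client")
    if not key_matches_cert(d / "client.crt", d / "client.key"):
        raise SystemExit("client.crt and client.key do not match; sign the right request")
    print(build_profile(d, d / "open.ovpn", "client"), end="")
```

Run it on the server after step 1.4; the printed profile is a single file that can be sent to the user, and the key check fails fast instead of letting the user discover a key/certificate mismatch at TLS handshake time.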

1.5 Send the files to the user and have them log in to verify

2. Revoking a user certificate

[root@loaclhost easy-rsa]# pwd

[root@loaclhost easy-rsa]# ./easyrsa revoke client

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Please confirm you wish to revoke the certificate with the following subject:
subject= 
    commonName                = client
Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf
Revoking Certificate 8D2113F513D3CB46FE1227FCAA328C32.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

[root@loaclhost 3.0.6]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem

This produces a CRL file at /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem; this file must be referenced in the server configuration and the service restarted.

[root@loaclhost 3.0.6]# cat /etc/openvpn/easy-rsa/3.0.6/pki/index.txt

V    220224033507Z        6D3DC0E978F79684824E1CA415EF2987    unknown    /CN=server
V    220224034651Z        B3A4DBE92C6B04C0607D4E5C48F16EDC    unknown    /CN=user1
R 220225013126Z 190313022757Z 8D2113F513D3CB46FE1227FCAA328C32 unknown /CN=client

[root@loaclhost 3.0.6]# vim /etc/openvpn/server.conf

crl-verify /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem

[root@loaclhost 3.0.6]# service openvpn restart

Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [  OK  ]

The user revocation is complete; finally, test from the client side.
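The index.txt listing and the crl-verify step above are the two places where a revocation can silently fail to take effect: an R row in the CA database means nothing to the server until gen-crl has run and server.conf points at the resulting CRL. The script below is an added example, not part of the original post. It assumes the easy-rsa 3 index.txt layout shown above (OpenSSL CA database columns: status, expiry, revocation time, serial, file name, subject) and a server.conf that enables the CRL with a crl-verify line; the sample index is constructed from the post's three entries and the sample config fragment is made up.

```python
"""Audit the easy-rsa CA database (index.txt) and the server's CRL setup.

Added example, not from the original post; the sample index and config
texts are constructed.
"""
from datetime import datetime, timezone

# Constructed copy of the post's index.txt in its real tab-separated form
# (the empty revocation column of a V row is a bare tab).
SAMPLE_INDEX = (
    "V\t220224033507Z\t\t6D3DC0E978F79684824E1CA415EF2987\tunknown\t/CN=server\n"
    "V\t220224034651Z\t\tB3A4DBE92C6B04C0607D4E5C48F16EDC\tunknown\t/CN=user1\n"
    "R\t220225013126Z\t190313022757Z\t8D2113F513D3CB46FE1227FCAA328C32\tunknown\t/CN=client\n"
)

# Constructed server.conf fragment carrying the directive the post adds.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
# crl-verify /old/path/crl.pem   (commented out, must be ignored)
crl-verify /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem
"""


def utc_date(year: int, month: int, day: int) -> datetime:
    """Convenience constructor for an aware UTC 'now' value."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _asn1_utc(s: str) -> datetime:
    """Parse the YYMMDDHHMMSSZ timestamps used in index.txt."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> list:
    """Return one dict per row. Tab-separated rows are parsed directly; a
    whitespace-flattened copy (as pasted in the post, where the empty
    revocation column of a V row disappears) is handled as well."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if "\t" in line:
            f = line.split("\t")
        else:
            f = line.split()
            if f[0] != "R":
                f.insert(2, "")  # restore the blank revocation column
        status, expiry, revoked, serial, _fname, subject = f[:6]
        cn = subject.split("/CN=", 1)[1].split("/", 1)[0] if "/CN=" in subject else ""
        rows.append({
            "status": status,
            "expires": _asn1_utc(expiry),
            "revoked": _asn1_utc(revoked) if revoked else None,
            "serial": serial,
            "cn": cn,
        })
    return rows


def revoked_serials(rows) -> list:
    """Serials that gen-crl will place in the CRL."""
    return [r["serial"] for r in rows if r["status"] == "R"]


def active_common_names(rows, now: datetime) -> list:
    """CNs the CA still vouches for at 'now': status V and not yet expired."""
    return [r["cn"] for r in rows if r["status"] == "V" and r["expires"] > now]


def crl_verify_path(conf_text: str):
    """Return the path given to an active 'crl-verify' directive, or None.
    Lines commented with '#' or ';' are skipped, as OpenVPN skips them."""
    for line in conf_text.splitlines():
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        parts = s.split()
        if parts[0] == "crl-verify" and len(parts) >= 2:
            return parts[1]
    return None


if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    print("revoked serials:", revoked_serials(rows))
    print("still valid CNs:", active_common_names(rows, utc_date(2019, 3, 13)))
    print("CRL enforced from:", crl_verify_path(SAMPLE_SERVER_CONF))
```

In production, read index.txt and server.conf from the paths used in this post instead of the constructed samples; if revoked_serials is non-empty but crl_verify_path returns None, the revoked user can still connect until the crl-verify line is added and the service restarted. Note also that crl-verify only takes effect once the CRL file itself has been regenerated with gen-crl after each revocation.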
