- Run these commands to generate the required client files:

```
cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full <username> nopass
```

Example: creating a test client key for the user name `arthur`, using the separate `gen-req` and `sign-req` steps:
```
arthur@server:~/openvpn-ca$ ./easyrsa gen-req arthur nopass
Using Easy-RSA 'vars' configuration:
- /home/arthur/openvpn-ca/vars

Using SSL:
- openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
....+...+...+..+.......+.....+......+...+.......+.....+...+..........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+...............+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.+............+......+.......+.....+...+....+..+......+.......+......+......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...+..+......+....+..................+...+.....+.......+...+......+.....+....+.........+......+.....+....+..+.+........+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg: your user, host, or server name) [arthur]:

Notice
Private-Key and Public-Certificate-Request files created.
Your files are:
- req: /home/arthur/openvpn-ca/pki/reqs/arthur.req
- key: /home/arthur/openvpn-ca/pki/private/arthur.key

arthur@server:~/openvpn-ca$ ./easyrsa sign-req client arthur
Using Easy-RSA 'vars' configuration:
- /home/arthur/openvpn-ca/vars

Using SSL:
- openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for '825' days:

subject=
    commonName = arthur

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes

Using configuration from /home/arthur/openvpn-ca/pki/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'arthur'
Certificate is to be certified until Dec 19 04:09:41 2027 GMT (825 days)

Write out database with 1 new entries
Database updated

Notice
Certificate created at:
- /home/arthur/openvpn-ca/pki/issued/arthur.crt
```
- OpenVPN Server Configuration

### Check the location of the keys before copying
------
CA creation complete. Your new CA certificate is at:
* /home/arthur/openvpn-ca/pki/ca.crt
------
Certificate created at:
* /home/arthur/openvpn-ca/pki/issued/server.crt
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/arthur/openvpn-ca/pki/reqs/server.req
* key: /home/arthur/openvpn-ca/pki/private/server.key
------
DH parameters of size 2048 created at:
* /home/arthur/openvpn-ca/pki/dh.pem
------
TA Key at:
* /home/arthur/openvpn-ca/ta.key
### Start copying the required files

```
arthur@server:~/openvpn-ca$ sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key ta.key pki/dh.pem /etc/openvpn/server/
```
### Check the destination again
```
arthur@server:~/openvpn-ca$ ls -la /etc/openvpn/server/
total 32
drwxr-xr-x 2 root root 4096 Sep 15 04:17 .
drwxr-xr-x 4 root root 4096 Sep 15 03:39 ..
-rw------- 1 root root 1245 Sep 15 04:17 ca.crt
-rw------- 1 root root 424 Sep 15 04:17 dh.pem
-rw------- 1 root root 4728 Sep 15 04:17 server.crt
-rw------- 1 root root 1708 Sep 15 04:17 server.key
-rw------- 1 root root 636 Sep 15 04:17 ta.key
```
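
The destination check above can be scripted instead of read by eye. This is an added example, not part of the original page: it confirms that the five copied files exist and that `server.key` and `ta.key` carry no group or other permission bits. The function name `audit_openvpn_dir` and the finding labels are hypothetical, and GNU `stat` is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit an OpenVPN server key directory.
# Assumes GNU coreutils `stat` (Linux). The function name is hypothetical.

# The five files the cp step places in /etc/openvpn/server/.
REQUIRED_FILES="ca.crt server.crt server.key ta.key dh.pem"
# Secret material: must not be accessible to group or others.
SECRET_FILES="server.key ta.key"

# audit_openvpn_dir DIR [OWNER]
# Prints one finding per line; returns 0 if the directory is clean, 1 otherwise.
# Typical call: audit_openvpn_dir /etc/openvpn/server root
audit_openvpn_dir() {
    dir=$1; owner=${2:-root}; rc=0
    for f in $REQUIRED_FILES; do
        path="$dir/$f"
        # Reject symlinks and anything that is not a regular file.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            echo "MISSING_OR_NOT_REGULAR $f"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$path")   # octal permission bits, e.g. 600
        user=$(stat -c '%U' "$path")   # owning user name
        [ "$user" = "$owner" ] || { echo "BAD_OWNER $f $user"; rc=1; }
        case " $SECRET_FILES " in
            *" $f "*)
                # Any group/other permission bit on a secret is a finding.
                if [ $(( 0$mode & 077 )) -ne 0 ]; then
                    echo "SECRET_EXPOSED $f $mode"; rc=1
                fi ;;
            *)
                # Public files may be readable, but never group/world-writable.
                if [ $(( 0$mode & 022 )) -ne 0 ]; then
                    echo "WRITABLE_BY_OTHERS $f $mode"; rc=1
                fi ;;
        esac
    done
    return $rc
}
```
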