?最近公司要求在內網部署一套open***使用，上網查了一下才發現open***版本已經升級到2.3.12了，其中最主要的改動是源碼包里不再包含easy-rsa，如今部署open***要去github上面下載easy-rsa程序，并且easy-rsa也已經升級到了第三個版本（以往easy-rsa2居多），所以決定重新整理一下新版本的open***部署，以及easy-rsa3的使用。

部署open***：

一：yum源安裝相關的包：

#?yum?-y?install?openssl.x86_64?pam-devel.x86_64

二：安裝lzo包，lzo包需源碼包編譯安裝，不然編譯open***時會報"lzo missing"的錯誤：

#?tar?-zxvf?lzo-2.03.tar.gz #?cd?lzo-2.03 #?./configure?--prefix=/usr/local #?make?&&?make?install

三：編譯安裝open***：

#?tar?-zxvf?open***-2.3.12.tar.gz #?cd?open***-2.3.12 #?./configure?--prefix=/opt/apps/open*** #?make?&&?make?install

四：獲取easy-rsa3應用：

?創建etc目錄，從https://github.com/Open***/easy-rsa下載easy-rsa3程序包：

#?mkdir?/opt/apps/open***/etc?&&?cd?/opt/apps/open***/etc #?unzip?easy-rsa-master.zip #?cd?easy-rsa-master?&&?mv?../easyrsa3?&&?cd?..

?以上，就獲取到了easyrsa3程序，easyrsa目錄結構如下：

#?tree?easyrsa3/ easyrsa3/ ├──?easyrsa ├──?openssl-1.0.cnf ├──?vars.example └──?x509-types├──?ca├──?client├──?COMMON└──?server

?可以看到easy-rsa3中，少了2版本中的許多執行文件，只剩下easyrsa一個執行文件，使用這個文件，就可以創建各種所需的密鑰文件。

五：創建服務端與客戶端密鑰：

?服務端：（這里采用無密碼方式創建相關文件，避免后期輸入pam密碼的各種麻煩）

#?cp?-rp?easyrsa3?key_server #?cd?key_server----var文件----------- #?mv?vars.example?vars----初始化pki目錄------ #?./easyrsa?init-pki Note:?using?Easy-RSA?configuration?from:?./vars init-pki?complete;?you?may?now?create?a?CA?or?requests. Your?newly?created?PKI?dir?is:?/opt/apps/open***/etc/key_server/pki----以無密碼方式，創建服務器ca文件----- #?./easyrsa?build-ca?nopass Note:?using?Easy-RSA?configuration?from:?./vars Generating?a?2048?bit?RSA?private?key ................................................................+++ ......................+++ writing?new?private?key?to?'/opt/apps/open***/etc/key_server/pki/private/ca.key.xyvUlxOV9t' ----- You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Common?Name?(eg:?your?user,?host,?or?server?name)?[Easy-RSA?CA]: CA?creation?complete?and?you?may?now?import?and?sign?cert?requests. Your?new?CA?certificate?file?for?publishing?is?at: /opt/apps/open***/etc/key_server/pki/ca.crt----創建服務端key文件-------- #?./easyrsa?gen-req?cmhserver?nopass Note:?using?Easy-RSA?configuration?from:?./vars Generating?a?2048?bit?RSA?private?key ...................................+++ ...................................................+++ writing?new?private?key?to?'/opt/apps/open***/etc/key_server/pki/private/cmhserver.key.0S1X7d4NCP' ----- You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Common?Name?(eg:?your?user,?host,?or?server?name)?[cmhserver]: Keypair?and?certificate?request?completed.?Your?files?are: req:?/opt/apps/open***/etc/key_server/pki/reqs/cmhserver.req key:?/opt/apps/open***/etc/key_server/pki/private/cmhserver.key----注冊服務端CN名，生產服務端crt文件------ #?./easyrsa?sign?server?cmhserver Note:?using?Easy-RSA?configuration?from:?./vars You?are?about?to?sign?the?following?certificate. Please?check?over?the?details?shown?below?for?accuracy.?Note?that?this?request has?not?been?cryptographically?verified.?Please?be?sure?it?came?from?a?trusted source?or?that?you?have?verified?the?request?checksum?with?the?sender. Request?subject,?to?be?signed?as?a?server?certificate?for?3650?days: subject=commonName????????????????=?cmhserver Type?the?word?'yes'?to?continue,?or?any?other?input?to?abort.Confirm?request?details:?yes Using?configuration?from?/opt/apps/open***/etc/key_server/openssl-1.0.cnf Check?that?the?request?matches?the?signature Signature?ok The?Subject's?Distinguished?Name?is?as?follows commonName????????????:PRINTABLE:'cmhserver' Certificate?is?to?be?certified?until?Oct?29?03:51:14?2026?GMT?(3650?days) Write?out?database?with?1?new?entries Data?Base?Updated Certificate?created?at:?/opt/apps/open***/etc/key_server/pki/issued/cmhserver.crt------dh.pem文件生產------- #?./easyrsa?gen-dh Note:?using?Easy-RSA?configuration?from:?./vars Generating?DH?parameters,?2048?bit?long?safe?prime,?generator?2 This?is?going?to?take?a?long?time .................................................................................................................................................................+.................................................................................................................+................+..........................................................................................................................................+..........................................................................+.........+..............+..+..............................................................................................................................................................+...............................................................+.............................................+..................................................................................................................+..................................................+.................................................................................+..........+................................................................................................................+............................................................+..+...........+..................................................................+..............+..........................................................................+.+........+........................................................................................................................................................+..................++*++* DH?parameters?of?size?2048?created?at?/opt/apps/open***/etc/key_server/pki/dh.pem

?

?客戶端：

#?cd?/opt/apps/open***/etc #?cp?-rp?easyrsa3?key_client #?cd?key_client----var文件----------- #?mv?vars.example?vars----初始化pki目錄------ #?./easyrsa?init-pki Note:?using?Easy-RSA?configuration?from:?./vars init-pki?complete;?you?may?now?create?a?CA?or?requests. Your?newly?created?PKI?dir?is:?/opt/apps/open***/etc/key_server/pki----以無密碼方式，創建客戶端key文件----- #?./easyrsa?gen-req?cmhclient?nopassNote:?using?Easy-RSA?configuration?from:?./vars Generating?a?2048?bit?RSA?private?key ...............+++ ..........................+++ writing?new?private?key?to?'/opt/apps/open***/etc/key_client/pki/private/cmhclient.key.RM36zZRxnc' ----- You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Common?Name?(eg:?your?user,?host,?or?server?name)?[cmhclient]:Keypair?and?certificate?request?completed.?Your?files?are: req:?/opt/apps/open***/etc/key_client/pki/reqs/cmhclient.req key:?/opt/apps/open***/etc/key_client/pki/private/cmhclient.key-----進入服務端key目錄，關聯客戶端req，使之向服務端注冊---- #?cd?../key_server/ #?./easyrsa?import-req?/opt/apps/open***/etc/key_client/pki/reqs/cmhclient.req?cmhclientNote:?using?Easy-RSA?configuration?from:?./varsThe?request?has?been?successfully?imported?with?a?short?name?of:?cmhclient You?may?now?use?this?name?to?perform?signing?operations?on?this?request.-----注冊客戶端CN名，生產客戶端key文件------- #?./easyrsa?sign?client?cmhclientNote:?using?Easy-RSA?configuration?from:?./varsYou?are?about?to?sign?the?following?certificate. Please?check?over?the?details?shown?below?for?accuracy.?Note?that?this?request has?not?been?cryptographically?verified.?Please?be?sure?it?came?from?a?trusted source?or?that?you?have?verified?the?request?checksum?with?the?sender.Request?subject,?to?be?signed?as?a?client?certificate?for?3650?days:subject=commonName????????????????=?cmhclientType?the?word?'yes'?to?continue,?or?any?other?input?to?abort.Confirm?request?details:?yes Using?configuration?from?/opt/apps/open***/etc/key_server/openssl-1.0.cnf Check?that?the?request?matches?the?signature Signature?ok The?Subject's?Distinguished?Name?is?as?follows commonName????????????:PRINTABLE:'cmhclient' Certificate?is?to?be?certified?until?Oct?29?03:54:56?2026?GMT?(3650?days)Write?out?database?with?1?new?entries Data?Base?UpdatedCertificate?created?at:?/opt/apps/open***/etc/key_server/pki/issued/cmhclient.crt

?

六：服務端配置，指定相關ca、crt、key文件，打開服務器路由轉發以及防火墻轉發：

#?cp?/opt/src/open***-2.3.12/sample/sample-config-files/server.conf?/opt/apps/open***/etc/ #?grep?-v?"^#"?server.conf?|?grep?-v?"^;"?|?grep?-v?"^$" local?192.168.52.135 port?1194 proto?tcp dev?tun ca?/opt/apps/open***/etc/key_server/pki/ca.crt cert?/opt/apps/open***/etc/key_server/pki/issued/cmhserver.crt key?/opt/apps/open***/etc/key_server/pki/private/cmhserver.key dh?/opt/apps/open***/etc/key_server/pki/dh.pem server?10.8.0.0?255.255.255.0 ifconfig-pool-persist?ipp.txt client-to-client keepalive?10?120 comp-lzo persist-key persist-tun status?open***-status.log verb?3

打開服務器的ip路由轉發功能，并生效；

#?grep?ipv4?/etc/sysctl.conf net.ipv4.ip_forward=?1 #?sysctl?-p net.ipv4.ip_forward=?1 #?iptables?-t?nat?-A?POSTROUTING?-s?10.8.0.0/24?-jMASQUERADE

七：開啟服務以及客戶端配置：

#?/opt/apps/open***/sbin/open***?--daemon?--config?/opt/apps/open***/etc/server.conf

客戶端下載如下文件，并應用，即可使用密鑰使用***：（各系統的客戶端配置不一，故這里不贅述客戶端配置）

/opt/apps/open***/etc/key_server/pki/ca.crt

/opt/apps/open***/etc/key_client/pki/private/cmhclient.key

/opt/apps/open***/etc/key_server/pki/issued/cmhclient.crt

總結

以上是生活随笔為你收集整理的open***2.3.12安装与easy-rsa3的使用的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。