Self-signing certificates with Easy-RSA (server and client use different CA certificates)
Scenario
Easy-RSA is an open-source certificate management tool that helps users generate and manage digital certificates.
This example describes how to self-sign certificates with Easy-RSA on Windows so that the server and the client use different CA certificates. The software version used in this example is Easy-RSA 3.1.7. Other versions may behave differently; refer to the official Easy-RSA documentation for details.
Procedure
- Download the Easy-RSA package for your Windows operating system to the "D:\" directory.
  - For 32-bit Windows, download EasyRSA-3.1.7-win32.zip.
  - For 64-bit Windows, download EasyRSA-3.1.7-win64.zip.
  This example uses EasyRSA-3.1.7-win64.
- Extract "EasyRSA-3.1.7-win64.zip" to a directory of your choice, for example "D:\EasyRSA-3.1.7".
- Open the "D:\EasyRSA-3.1.7" directory.
- Type cmd in the Explorer address bar and press Enter to open a command prompt in that directory.
- Run ".\EasyRSA-Start.bat" to start the Easy-RSA shell.
  Output similar to the following is displayed:
    Welcome to the EasyRSA 3 Shell for Windows.
    Easy-RSA 3 is available under a GNU GPLv2 license.

    Invoke './easyrsa' to call the program.
    Without commands, help is displayed.

    EasyRSA Shell
    #
- Run "./easyrsa init-pki" to initialize the PKI directory.
  Output similar to the following is displayed:
    Notice
    ------
    'init-pki' complete; you may now create a CA or requests.

    Your newly created PKI dir is:
    * D:/EasyRSA-3.1.7/pki

    Using Easy-RSA configuration:
    * undefined

    EasyRSA Shell
    #
  After the command completes, a "pki" folder has been created under "D:\EasyRSA-3.1.7".
- Configure the variable parameters.
  - Copy the "vars.example" file from "D:\EasyRSA-3.1.7" to "D:\EasyRSA-3.1.7\pki".
  - Rename "vars.example" in "D:\EasyRSA-3.1.7\pki" to "vars".
  By default, the parameter values described in "vars.example" are used. To customize them, edit the values in the "vars" file as needed.
- Generate the server CA certificate and its private key.
  - Copy the extracted "EasyRSA-3.1.7" folder within "D:\" and rename the copy, for example "EasyRSA-3.1.7 - server".
  - Open the "D:\EasyRSA-3.1.7 - server" directory.
  - In the "D:\EasyRSA-3.1.7 - server" folder, type cmd in the address bar and press Enter to open a command prompt.
  - Run ".\EasyRSA-Start.bat" to start the Easy-RSA shell.
    Output similar to the following is displayed:
      Welcome to the EasyRSA 3 Shell for Windows.
      Easy-RSA 3 is available under a GNU GPLv2 license.

      Invoke './easyrsa' to call the program.
      Without commands, help is displayed.

      EasyRSA Shell
      #
  - Run "./easyrsa build-ca nopass" to generate the server CA certificate ("nopass" means the CA private key is written without a passphrase).
    While the command runs, enter the name (Common Name) of the server CA certificate at the [Easy-RSA CA] prompt, for example p2cvpn_server.com.
    Output similar to the following is displayed:
      Using Easy-RSA 'vars' configuration:
      * D:/EasyRSA-3.1.7 - server/pki/vars
      Using SSL:
      * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
      ..+.....+...+..........+..+.......+..+..........+...+...+..+......+.......+...+++++++++++++++++++++++++++++++++++++++*.+++++++++++++++++++++++++++++++++++++++*..........+...........+...+......++++++
      .......+.......+...+......+...+.....+...+...+++++++++++++++++++++++++++++++++++++++*......+.....+....+..+....+......+...+......+...+......+.....+.+++++++++++++++++++++++++++++++++++++++*.......+......+.......+..............+.+...+.....+....+........+.........+....+..+............+.+.....+....+...+...+...........+.+..+.+.........+.....+...+..................+.......+..+.......+.....+..........+......+..+.+.....+.+.....+....+.....+.......+...+.........+..+......+...+.......+...+.........+......+......+...........+....+......+...+..+...+......+...+.+.....+.......+..+.......+...+...+..+.............+........+.........+.+.........+........+....+.........+.....+.........+................+.....+.+........+.......+.....+.+........+....+..+...+..........+..+......+...+.........+................+......+.....+....+......+......+............+..+......+...+.......+.................+.+......+......+..+.+...........+.........+.........+.+......++++++
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Common Name (eg: your user, host, or server name) [Easy-RSA CA]:p2cvpn_server.com   // set the server CA certificate name

      Notice
      ------
      CA creation complete.

      Your new CA certificate is at:
      * D:/EasyRSA-3.1.7 - server/pki/ca.crt

      EasyRSA Shell
      #
  - Check the server CA certificate (pki/ca.crt) and its private key.
  - Run "./easyrsa build-server-full p2cserver.com nopass" to generate the server certificate and its private key.
    In this command, "p2cserver.com" is the CN of the server certificate. It must be a domain name; otherwise the certificate cannot be hosted in the Cloud Certificate Manager service. Use the value appropriate for your environment.
    Output similar to the following is displayed:
      Using Easy-RSA 'vars' configuration:
      * D:/EasyRSA-3.1.7 - server/pki/vars
      Using SSL:
      * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
      .+.+......+...+.....+......+...+.......+.....+.+...+..+...+....+.....+......+++++++++++++++++++++++++++++++++++++++*....+..+....+++++++++++++++++++++++++++++++++++++++*................+.......+..+.+..+...+......+.............+...+...+.........+........+.........+...+......+.+...+...+........+....+.....+.+............+.....+...+....+...........+....+..+......+.............+.........+........+...+.+......+.....+.......+......+.....+.+.....+....+.........+...+..+............+.+........+.........+.+..+.........+......+...+....+......+.....+....+......+.....+......+.............+...+........+.+.....+.+....................+.......+.....+.+..+.......+...++++++
      ......+.....+...+.+.........+..+.+..+...+++++++++++++++++++++++++++++++++++++++*.......+...+........+....+...+..+...+++++++++++++++++++++++++++++++++++++++*..+.........+...+.......+......+.................+...+...+............+...+....+........+.........+..........+......+...+...........+.+..+............+.+........+....+...........+....+...........+......+.............+......+.....++++++
      -----

      Notice
      ------
      Private-Key and Public-Certificate-Request files created.
      Your files are:
      * req: D:/EasyRSA-3.1.7 - server/pki/reqs/p2cserver.com.req
      * key: D:/EasyRSA-3.1.7 - server/pki/private/p2cserver.com.key

      You are about to sign the following certificate:
      Request subject, to be signed as a server certificate
      for '825' days:

      subject=
          commonName                = p2cserver.com

      Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes   // type "yes" to continue
      Using configuration from D:/EasyRSA-3.1.7 - server/pki/openssl-easyrsa.cnf
      Check that the request matches the signature
      Signature ok
      The Subject's Distinguished Name is as follows
      commonName            :ASN.1 12:'p2cserver.com'
      Certificate is to be certified until Oct 6 03:28:14 2026 GMT (825 days)

      Write out database with 1 new entries
      Database updated

      Notice
      ------
      Certificate created at:
      * D:/EasyRSA-3.1.7 - server/pki/issued/p2cserver.com.crt

      Notice
      ------
      Inline file created:
      * D:/EasyRSA-3.1.7 - server/pki/inline/p2cserver.com.inline

      EasyRSA Shell
      #
  - Check the server certificate (pki/issued/p2cserver.com.crt) and its private key (pki/private/p2cserver.com.key).
- Generate the client CA certificate and its private key.
  - Copy the extracted "EasyRSA-3.1.7" folder within "D:\" and rename the copy, for example "EasyRSA-3.1.7 - client".
  - Open the "EasyRSA-3.1.7 - client" directory.
  - In the "EasyRSA-3.1.7 - client" folder, type cmd in the address bar and press Enter to open a command prompt.
  - Run ".\EasyRSA-Start.bat" to start the Easy-RSA shell.
    Output similar to the following is displayed:
      Welcome to the EasyRSA 3 Shell for Windows.
      Easy-RSA 3 is available under a GNU GPLv2 license.

      Invoke './easyrsa' to call the program.
      Without commands, help is displayed.

      EasyRSA Shell
      #
  - Run "./easyrsa build-ca nopass" to generate the client CA certificate.
    While the command runs, enter the name (Common Name) of the client CA certificate at the [Easy-RSA CA] prompt, for example p2cvpn_client.com.
    Output similar to the following is displayed:
      Using Easy-RSA 'vars' configuration:
      * D:/EasyRSA-3.1.7 - client/pki/vars
      Using SSL:
      * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
      .+++++++++++++++++++++++++++++++++++++++*.....+.+..+...+....+.....................+..+...+....+.........+.....+......+.+.....+....+++++++++++++++++++++++++++++++++++++++*....+...+...+...+............+.........++++++
      .+.........+.........+.+......+...........+....+.....+.........+....+..+...+.+.........+......+......+...+.....+......+......+..........+++++++++++++++++++++++++++++++++++++++*.+.........+......+.+++++++++++++++++++++++++++++++++++++++*...........+................+..............+.........+.+...+.....................+..+....+.....+..........+...+...+..+.++++++
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Common Name (eg: your user, host, or server name) [Easy-RSA CA]:p2cvpn_client.com   // set the client CA certificate name

      Notice
      ------
      CA creation complete.

      Your new CA certificate is at:
      * D:/EasyRSA-3.1.7 - client/pki/ca.crt

      EasyRSA Shell
      #
  - Check the client CA certificate (pki/ca.crt) and its private key.
  - Run "./easyrsa build-client-full p2cclient.com nopass" to generate the client certificate and its private key.
    In this command, the client certificate name (for example "p2cclient.com") must differ from the server certificate name (for example "p2cserver.com").
    Output similar to the following is displayed:
      Using Easy-RSA 'vars' configuration:
      * D:/EasyRSA-3.1.7 - client/pki/vars
      Using SSL:
      * openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
      .+++++++++++++++++++++++++++++++++++++++*.........+.....+...+.+........+.+.....+.........+.+......+.....+++++++++++++++++++++++++++++++++++++++*..........+...+...+..+.......+...+..+.+.........+.....+.+..+.+....................+......+...............+.............+......+..+....+...+......+..+....+.....+.........+................+...+...+.....+....+.........++++++
      .+..+..........+.........+++++++++++++++++++++++++++++++++++++++*...+..+++++++++++++++++++++++++++++++++++++++*.......+...............+......+.........+..............+....+.....+...+..................+....+...+........+....+.....+.+.....+...............++++++
      -----

      Notice
      ------
      Private-Key and Public-Certificate-Request files created.
      Your files are:
      * req: D:/EasyRSA-3.1.7 - client/pki/reqs/p2cclient.com.req
      * key: D:/EasyRSA-3.1.7 - client/pki/private/p2cclient.com.key

      You are about to sign the following certificate:
      Request subject, to be signed as a client certificate
      for '825' days:

      subject=
          commonName                = p2cclient.com

      Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes   // type "yes" to continue
      Using configuration from D:/EasyRSA-3.1.7 - client/pki/openssl-easyrsa.cnf
      Check that the request matches the signature
      Signature ok
      The Subject's Distinguished Name is as follows
      commonName            :ASN.1 12:'p2cclient.com'
      Certificate is to be certified until Oct 7 11:19:52 2026 GMT (825 days)

      Write out database with 1 new entries
      Database updated

      Notice
      ------
      Certificate created at:
      * D:/EasyRSA-3.1.7 - client/pki/issued/p2cclient.com.crt

      Notice
      ------
      Inline file created:
      * D:/EasyRSA-3.1.7 - client/pki/inline/p2cclient.com.inline

      EasyRSA Shell
      #
  - Check the client certificate (pki/issued/p2cclient.com.crt) and its private key (pki/private/p2cclient.com.key).
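The following script is an added example; it is not part of the original page, of Easy-RSA, or of the cloud service's own tooling. It reproduces the whole procedure above with plain openssl commands (Easy-RSA is itself a wrapper around openssl) and then checks the property that motivates using two separate CAs: a certificate issued by one PKI must not validate against the other PKI's CA. Assumptions: the openssl CLI (1.1.1 or 3.x) is on PATH; a temporary directory stands in for "D:\EasyRSA-3.1.7 - server" and "D:\EasyRSA-3.1.7 - client"; the extension profiles in the embedded config are modelled on Easy-RSA's server and client x509-types, not copied from them; the function names build_pki, verifies and cert_cn are hypothetical helpers for this example.

```shell
#!/bin/sh
# Added example (not from the original page or from Easy-RSA). Rebuilds the
# two separate PKIs with openssl, mirroring the pki/ layout Easy-RSA creates
# (ca.crt, private/, reqs/, issued/), then checks the trust boundary.
set -eu

# Stands in for the two Easy-RSA copies under D:\ (assumption: temp dir).
WORK=${WORK:-$(mktemp -d)}

# Minimal openssl config: prompt-free DN plus one extension profile per role.
# The v3_server / v3_client sections are modelled on Easy-RSA's x509-types.
write_cfg() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# build_pki DIR CA_CN LEAF_CN server|client
# Equivalent of "init-pki", "build-ca nopass" and "build-<role>-full CN nopass"
# run inside one Easy-RSA copy. As with nopass, keys are written unencrypted.
# stderr is silenced only to hide key-generation progress; set -e still aborts
# on any failing command.
build_pki() {
  dir=$1; ca_cn=$2; leaf_cn=$3; role=$4
  mkdir -p "$dir/private" "$dir/reqs" "$dir/issued"
  write_cfg "$dir/openssl.cnf"
  # build-ca nopass: self-signed root whose CN is the [Easy-RSA CA] answer
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/openssl.cnf" -extensions v3_ca -subj "/CN=$ca_cn" \
    -keyout "$dir/private/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # build-<role>-full: private key plus CSR for the leaf ...
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=$leaf_cn" -keyout "$dir/private/$leaf_cn.key" \
    -out "$dir/reqs/$leaf_cn.req" 2>/dev/null
  # ... which this PKI's CA signs for 825 days with the role's extensions
  openssl x509 -req -days 825 -in "$dir/reqs/$leaf_cn.req" \
    -CA "$dir/ca.crt" -CAkey "$dir/private/ca.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions "v3_$role" \
    -out "$dir/issued/$leaf_cn.crt" 2>/dev/null
}

# verifies CERT CAFILE PURPOSE -> prints "yes" if CERT chains to CAFILE and
# carries an extendedKeyUsage matching PURPOSE (sslserver|sslclient), else "no"
verifies() {
  if openssl verify -purpose "$3" -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# cert_cn CERT -> subject in RFC 2253 form, e.g. "CN=p2cserver.com"
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

build_pki "$WORK/server" p2cvpn_server.com p2cserver.com server
build_pki "$WORK/client" p2cvpn_client.com p2cclient.com client

SERVER_CA="$WORK/server/ca.crt"; SERVER_CRT="$WORK/server/issued/p2cserver.com.crt"
CLIENT_CA="$WORK/client/ca.crt"; CLIENT_CRT="$WORK/client/issued/p2cclient.com.crt"

echo "server cert subject: $(cert_cn "$SERVER_CRT")"      # CN=p2cserver.com
echo "server cert vs server CA (sslserver): $(verifies "$SERVER_CRT" "$SERVER_CA" sslserver)"  # yes
echo "client cert vs client CA (sslclient): $(verifies "$CLIENT_CRT" "$CLIENT_CA" sslclient)"  # yes
echo "server cert vs client CA (sslserver): $(verifies "$SERVER_CRT" "$CLIENT_CA" sslserver)"  # no
echo "client cert vs server CA (sslclient): $(verifies "$CLIENT_CRT" "$SERVER_CA" sslclient)"  # no
echo "client cert vs client CA (sslserver): $(verifies "$CLIENT_CRT" "$CLIENT_CA" sslserver)"  # no
```

Run it with sh. The two "yes" lines confirm each certificate chains to its own CA with the right purpose; the three "no" lines are the point of the setup: the VPN side that trusts only p2cvpn_client.com cannot be presented a certificate from the server PKI and vice versa, and a client certificate (clientAuth only) is not usable as a server certificate even against its own CA. Because both CAs were built with nopass, the private/ca.key files are plaintext; the same applies to the real D:\...\pki\private directories, so restrict who can read them.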