思科Anyconnect ocserv自签证书

生成CA公钥

sudo certtool --generate-privkey --outfile ca.key

编辑CA证书模板

cn = "Tuchine CA"
organization = "Tuchine.LTD"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

根据模板和公钥生成证书

certtool --generate-self-signed --load-privkey ca.key --template ../template/ca.tmpl --outfile ca.crt

生成服务器证书公钥

sudo certtool --generate-privkey --outfile server.key

编辑服务器证书模板

cn = "Tuchine.com" 
o = "Tuchine Ltd." 
email = [email protected]
dns_name = "www.tuchine.com"
country = US
state = "YongZhou"
expiration_days = 3650
signing_key 
encryption_key #only if the generated key is an RSA one 
tls_www_server 
ipsec_ike_key
time_stamping_key

根据用户模板、服务器证书公钥、CA证书、CA公钥生成服务器证书

certtool --generate-certificate --load-privkey server-key --load-ca-certificate ca.crt --load-ca-privkey ca.key --template ../template/server.tmpl --outfile server.crt

编辑用户证书模板

cn = user
o = "TuchineUsers"
email = "[email protected]"
dns_name = "www.Tuchine.com"
country = US
state = "YongZhou"
expiration_days = 365
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_client
ipsec_ike_key
time_stamping_key

生成用户公钥

certtool --generate-privkey --outfile user.key

根据用户模板、用户公钥、CA证书、CA公钥生成服务器证书

certtool --generate-certificate --load-privkey user.key --load-ca-certificate ca.crt --load-ca-privkey ca.key --template ../template/user.tmpl --outfile user.crt

用户证书转P12格式证书

certtool --to-p12 --load-privkey user.key -pkcs-cipher 3des-pkcs12 --load-certificate user.crt --outfile user.p12 --outder

用户证书一键脚本


#!/bin/sh
serial=`date +%s`
l='others'
certtool --generate-privkey --outfile ./clients/$l.key
sed -i "1ccn = ${l}" ./template/client.tmpl
sed -i "3cemail = ${l}@tuchine.com" ./template/client.tmpl
sed -i "7cserial = ${serial}" ./template/client.tmpl
certtool --generate-certificate --load-privkey ./clients/$l.key --load-ca-certificate ./ca/ca.crt --load-ca-privkey ./ca/ca.key --template ./template/client.tmpl --outfile ./clients/$l.crt
openssl pkcs12 -export -inkey ./clients/$l.key -in ./clients/$l.crt -name "Tuchine VPN Client Cert" -certfile ./ca/ca.crt -out ./clients/$l.p12
exit 0

注意:请保持你的服务器主机域名与这里证书的DNS域名是同一个,且你的客户端导入了服务器证书,否则点击连接会每次都提示不信任的服务器。

发布者

湘笃秀

曲水流觞,维湘笃秀