August 14, 2006
OpenVPN 2.0 HOWTO - Security Certificates (Translation)
Original: http://openvpn.net/howto.html
My translation skills are limited and many passages may be translated poorly; corrections are welcome.
Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients
Overview
The first step in building an OpenVPN 2.0 configuration is to establish a PKI (public key infrastructure). The PKI consists of:
a separate certificate (also known as a public key) and private key for the server and each client, and
a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.
Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).
This security model has a number of desirable features from the VPN perspective:
The server only needs its own certificate/key -- it doesn't need to know the individual certificates of every client which might possibly connect to it.
The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection.
If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt.
The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name.
Generate the master Certificate Authority (CA) certificate & key
In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for 3 separate clients.
For PKI management, we will use a set of scripts bundled with OpenVPN.
If you are using Linux, BSD, or a unix-like OS, open a shell and cd to the easy-rsa subdirectory of the OpenVPN distribution. If you installed OpenVPN from an RPM file, the easy-rsa directory can usually be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 (it's best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won't overwrite your modifications). If you installed from a .tar.gz file, the easy-rsa directory will be in the top level directory of the expanded source tree.
If you are using Windows, open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
init-config
Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
Next, initialize the PKI. On Linux/BSD/Unix:
. ./vars
./clean-all
./build-ca
On Windows:
vars
clean-all
build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [me@myhost.mydomain]:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".
Generate certificate & key for server
Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:
./build-key-server server
On Windows:
build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Generate certificates & keys for 3 clients
Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:
./build-key client1
./build-key client2
./build-key client3
On Windows:
build-key client1
build-key client2
build-key client3
If you would like to password-protect your client keys, substitute the build-key-pass script.
Remember, for each client, to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:
./build-dh
On Windows:
build-dh
Output:
ai:easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................
Key Files
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
| Filename | Needed By | Purpose | Secret |
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie Hellman parameters | NO |
| server.crt | server only | Server Certificate | NO |
| server.key | server only | Server Key | YES |
| client1.crt | client1 only | Client1 Certificate | NO |
| client1.key | client1 only | Client1 Key | YES |
| client2.crt | client2 only | Client2 Certificate | NO |
| client2.key | client2 only | Client2 Key | YES |
| client3.crt | client3 only | Client3 Certificate | NO |
| client3.key | client3 only | Client3 Key | YES |
The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.
Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel?
The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated.
Setting up your own Certificate Authority (CA) and using it to generate certificates and keys for the OpenVPN server and for multiple clients
Overview
The first step in building an OpenVPN 2.0 configuration is to set up the PKI (public key infrastructure) it needs. The PKI consists of:
a separate certificate (also called the public key) and a private key for the server and for each client, and
a master Certificate Authority (CA) certificate, which is used to digitally sign each server and client certificate.
OpenVPN supports certificate-based bidirectional authentication, which means that the client's authentication of the server and the server's authentication of the client together must establish mutual trust.
Whether it is the server or the client doing the authenticating, each first verifies the presented certificate against the master CA certificate and then checks the header of the authenticated certificate, such as the certificate's Common Name or its certificate type.
This security model gives the VPN a number of desirable features:
The server only needs its own certificate and key; it does not need to know each client's certificate when clients want to connect.
The server only accepts client certificates that were digitally signed by the master CA certificate. Because the server performs this signature check without needing access to the CA key, the CA key (the most sensitive core of the entire PKI) can reside on a different machine, even one without a network connection.
If a private key is compromised, its certificate can be added to a CRL (certificate revocation list). With a CRL, revoked certificates can be rejected directly without rebuilding the entire PKI.
The server can decide a client's access rights by examining a certificate field such as the Common Name.
Generate the master Certificate Authority (CA) certificate and key
In this section we will create a master CA certificate, a server certificate, and certificates for 3 clients.
To manage the PKI we will use the scripts bundled with OpenVPN itself.
If you are using Linux, BSD, or a unix-like system, go into the easy-rsa directory to run the scripts. If you installed OpenVPN from an RPM package, the easy-rsa directory is installed under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 (if you are going to modify it, it is best to copy this directory somewhere else, such as /etc/openvpn, so that a later OpenVPN upgrade will not overwrite your changes). If you installed from the .tar.gz source, the easy-rsa directory is in the root of the unpacked source tree.
If you are running Windows, open a DOS command prompt, go into the \Program Files\OpenVPN\easy-rsa directory and run the following batch file, which copies the configuration files into place (it will overwrite any existing vars.bat and openssl.cnf files):
init-config
Now edit the vars file (vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Do not leave any of these parameters blank.
Next, set up the PKI. On Linux/BSD/Unix:
. ./vars
./clean-all
./build-ca
On Windows, proceed as follows:
vars
clean-all
build-ca
The final command (build-ca) generates the certificate authority (CA) certificate and key; the keys are produced by calling openssl interactively:
ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [me@myhost.mydomain]:
Note that in the sequence above, most of the parameters default to the values already set in the vars or vars.bat file. Only the "Common Name" parameter has to be entered explicitly; in this example we use "OpenVPN-CA".
Generate the server certificate and key
Next, we will generate a certificate and key for the server. On Linux/BSD/Unix:
./build-key-server server
On Windows:
build-key-server server
Much like the previous step, most parameters are defaulted; when asked for the "Common Name", enter "server". Two other questions must also be answered with y: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Generate certificates and keys for 3 clients
Generating client certificates is much like the previous step. On Linux/BSD/Unix:
./build-key client1
./build-key client2
./build-key client3
On Windows:
build-key client1
build-key client2
build-key client3
If you want to password-protect your client keys, run the build-key-pass script instead.
To distinguish the clients, each one must be given the appropriate "Common Name" when prompted, e.g. "client1", "client2", or "client3". Each client should be given a unique "common name".
Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:
./build-dh
On Windows:
build-dh
Output:
ai:easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................
Key Files
Now we can see our newly generated keys and certificates in the keys directory. Here is an explanation of the relevant files:
| Filename | Needed By | Purpose | Secret |
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie Hellman parameters | NO |
| server.crt | server only | Server Certificate | NO |
| server.key | server only | Server Key | YES |
| client1.crt | client1 only | Client1 Certificate | NO |
| client1.key | client1 only | Client1 Key | YES |
| client2.crt | client2 only | Client2 Certificate | NO |
| client2.key | client2 only | Client2 Key | YES |
| client3.crt | client3 only | Client3 Certificate | NO |
| client3.key | client3 only | Client3 Key | YES |
The crucial final step is to copy all the files produced by this process to the machines that need them, taking particular care to copy the secret key files over a secure channel.
Now wait, you may say. Without a secure channel, is it impossible to set up the PKI?
The answer is clearly yes, it is possible. In the example above, for simplicity, we generated all the private keys in the same place. With a small change, we could have generated them differently. For example, instead of generating the client certificates and keys on the server, the client could generate its own private key and then submit a Certificate Signing Request (CSR) to the master CA machine. In turn, the CA machine could process the CSR and return a signed certificate to the client. This way we achieve the goal without a secret key having to be generated on that machine beforehand.
Posted by frank on August 14, 2006 10:15 PM
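The CSR workflow described in the closing paragraph, as an added shell example that is not part of the HOWTO or of the easy-rsa scripts: it uses plain openssl, keeps every private key on the machine that generated it, and then performs the two checks both OpenVPN peers make (signature by the master CA first, then the Common Name and certificate type). Assumptions: openssl 1.1.1 or newer is on PATH; the file names, the temp directory and the rogue certificate are constructed for the demo.

```shell
# Added example (not from the HOWTO or easy-rsa): the CSR workflow from the last
# paragraph with plain openssl; each private key stays where it was generated.
# Assumes openssl 1.1.1+ on PATH; everything is written to a temp dir.
set -eu
WORK=$(mktemp -d)
# Minimal req config so nothing depends on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=Common Name\n' > "$WORK/req.cnf"
# Key-signing machine: master CA key + self-signed CA cert. ca.key never leaves it.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/req.cnf" \
        -subj "/CN=OpenVPN-CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client or server: private key generated locally, only the CSR goes to the CA.
make_csr() {  # $1 = Common Name
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Key-signing machine: sign the CSR and hand back $1.crt. A server cert gets
# nsCertType=server (what easy-rsa's build-key-server does) so that clients can
# check the certificate type as well as the CA signature.
sign_csr() {  # $1 = Common Name, $2 = server|client
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/$1.ext"
    if [ "$2" = server ]; then printf 'nsCertType=server\n' >> "$WORK/$1.ext"; fi
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# What each OpenVPN peer does on connect: verify the chain to ca.crt first, then
# read the Common Name out of the now-authenticated certificate.
verify_peer() {  # $1 = cert file; prints the CN, fails if not signed by our CA
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Client-side check of the certificate type (server vs client).
is_server_cert() {  # $1 = cert file
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}
make_ca
make_csr server;  sign_csr server server
make_csr client1; sign_csr client1 client
# Constructed rogue cert: self-signed with a real client's CN, not signed by our CA.
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=client1" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
echo "server: $(verify_peer "$WORK/server.crt")  client: $(verify_peer "$WORK/client1.crt")"
verify_peer "$WORK/rogue.crt" || echo "rogue.crt rejected: not signed by OpenVPN-CA"
```

The rogue certificate carries a legitimate Common Name yet fails the first check, which is why the signature verification against ca.crt must come before any use of the certificate's fields.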