OK, for anyone finding this in the future, you need to create your certificates and sign them appropriately. Here are the commands for Linux:

//Generate a private key
openssl genrsa -des3 -out server.key 1024

//Generate Certificate signing request
openssl req -new -key server.key -out server.csr

//Sign certificate with private key
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

//Remove password requirement (needed for example)
cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key

//Generate dhparam file
openssl dhparam -out dh512.pem 512

Once you've done that, you need to change the filenames in server.cpp and client.cpp.

server.cpp:
context_.use_certificate_chain_file("server.crt");
context_.use_private_key_file("server.key", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("dh512.pem");

client.cpp:
ctx.load_verify_file("server.crt");

Then it should all work!

----------------------------------------------------------

Secure Sockets Layer (SSL) or Transport Layer Security (TLS)

Java

Introduction: See Java Secure Socket Extension (JSSE)

Simple Examples:
SimpleServer: SimpleServer.java
SimpleClient: SimpleClient.java

Running the Examples:
Server: java SimpleServer <port> oducsc
Client: java -Djavax.net.ssl.trustStore=wahabPublicStore SimpleClient <host> <port>

Key Stores:
The Server requires a file called wahabPrivateStore, while the Client requires a file called wahabPublicStore (the password used in the following is: oducsc).

Generating wahabPrivateStore:
% keytool -genkey -alias wahabkey -keystore wahabPrivateStore
....answer the questions......

Generating wahabPublicStore:
% keytool -export -alias wahabkey -keystore wahabPrivateStore -file wahab.cert
% keytool -import -alias wahabkey -keystore wahabPublicStore -file wahab.cert

C

Generating the certificates needed by the examples

To create the root CA:
% openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
  (cp random.pem ~/.rnd)
% openssl x509 -req -in rootreq.pem -sha1 -extfile myopenssl.cnf \
    -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
  (cp /usr/local/ssl/openssl.cnf myopenssl.cnf)
% cat rootcert.pem rootkey.pem > root.pem
% openssl x509 -subject -issuer -noout -in root.pem

To create the server CA and sign it with the root CA:
% openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
% openssl x509 -req -in serverCAreq.pem -sha1 -extfile myopenssl.cnf \
    -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial \
    -out serverCAcert.pem
% cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
% openssl x509 -subject -issuer -noout -in serverCA.pem

To create the server's certificate and sign it with the server CA:
% openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
% openssl x509 -req -in serverreq.pem -sha1 -extfile myopenssl.cnf \
    -extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial \
    -out servercert.pem
% cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem
% openssl x509 -subject -issuer -noout -in server.pem

To create the client certificate and sign it with the root CA:
% openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
% openssl x509 -req -in clientreq.pem -sha1 -extfile myopenssl.cnf \
    -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial \
    -out clientcert.pem
% cat clientcert.pem clientkey.pem rootcert.pem > client.pem
% openssl x509 -subject -issuer -noout -in client.pem

To create dh512.pem and dh1024.pem:
% openssl dhparam -check -text -5 512 -out dh512.pem
% openssl dhparam -check -text -5 1024 -out dh1024.pem

----------------

As Ency says, provided you've created your own CA, you simply create another key for the new user. Before any more gets typed, when you set up OpenVPN you did create your own CA, as recommended, didn't you?

Edit: OK, then

cd easy-rsa
. ./vars
./build-key newclient

I also have some notes somewhere about making a CRL, which allows you to revoke old certificates, and pointing OpenVPN at the CRL, but I can't immediately find them.