@H_403_2@

sudo apt-get update@H_403_2@

@H_403_2@

sudo apt-get install easy-rsa@H_403_2@

软件库里easy-rsa的版本是2.0@H_403_2@

@H_403_2@

使用dpkg -L查看安装了哪些文件@H_403_2@

$ dpkg -L easy-rsa
/.
/usr
/usr/share
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/make-cadir.1.gz
/usr/share/easy-rsa
/usr/share/easy-rsa/openssl-1.0.0.cnf
/usr/share/easy-rsa/build-req-pass
/usr/share/easy-rsa/build-key
/usr/share/easy-rsa/inherit-inter
/usr/share/easy-rsa/sign-req
/usr/share/easy-rsa/build-key-pkcs12
/usr/share/easy-rsa/vars
/usr/share/easy-rsa/pkitool
/usr/share/easy-rsa/openssl-0.9.8.cnf
/usr/share/easy-rsa/build-dh
/usr/share/easy-rsa/build-key-pass
/usr/share/easy-rsa/revoke-full
/usr/share/easy-rsa/openssl-0.9.6.cnf
/usr/share/easy-rsa/build-ca
/usr/share/easy-rsa/build-key-server
/usr/share/easy-rsa/clean-all
/usr/share/easy-rsa/list-crl
/usr/share/easy-rsa/build-inter
/usr/share/easy-rsa/build-req
/usr/share/easy-rsa/whichopensslcnf
/usr/share/doc
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/README-2.0.gz
/usr/share/doc/easy-rsa/README.Debian
/usr/share/doc/easy-rsa/copyright
/usr/share/doc/easy-rsa/changelog.Debian.gz
/usr/bin
/usr/bin/make-cadir

使用脚本make-cadir MyCA建立CA目录@H_403_2@

该脚本会建立MyCA目录，建立文件链接并准备相关文件@H_403_2@

脚本主要内容@H_403_2@

mkdir -p "$1"
chmod 700 "$1"
ln -s /usr/share/easy-rsa/* "$1"
rm -f "$1"/vars "$1"/*.cnf
cp /usr/share/easy-rsa/vars /usr/share/easy-rsa/*.cnf "$1"

创建的MyCA目录的结构@H_403_2@

   28 Dec 13 11:32 build-ca -> /usr/share/easy-rsa/build-ca
   28 Dec 13 11:32 build-dh -> /usr/share/easy-rsa/build-dh
   31 Dec 13 11:32 build-inter -> /usr/share/easy-rsa/build-inter
   29 Dec 13 11:32 build-key -> /usr/share/easy-rsa/build-key
   34 Dec 13 11:32 build-key-pass -> /usr/share/easy-rsa/build-key-pass
   36 Dec 13 11:32 build-key-pkcs12 -> /usr/share/easy-rsa/build-key-pkcs12
   36 Dec 13 11:32 build-key-server -> /usr/share/easy-rsa/build-key-server
   29 Dec 13 11:32 build-req -> /usr/share/easy-rsa/build-req
   34 Dec 13 11:32 build-req-pass -> /usr/share/easy-rsa/build-req-pass
   29 Dec 13 11:32 clean-all -> /usr/share/easy-rsa/clean-all
   33 Dec 13 11:32 inherit-inter -> /usr/share/easy-rsa/inherit-inter
   28 Dec 13 11:32 list-crl -> /usr/share/easy-rsa/list-crl
 7859 Dec 13 11:32 openssl-0.9.6.cnf
 8416 Dec 13 11:32 openssl-0.9.8.cnf
 8313 Dec 13 11:32 openssl-1.0.0.cnf
   27 Dec 13 11:32 pkitool -> /usr/share/easy-rsa/pkitool
   31 Dec 13 11:32 revoke-full -> /usr/share/easy-rsa/revoke-full
   28 Dec 13 11:32 sign-req -> /usr/share/easy-rsa/sign-req
 2077 Dec 13 11:32 vars
   35 Dec 13 11:32 whichopensslcnf -> /usr/share/easy-rsa/whichopensslcnf

cd MyCA进入CA目录@H_403_2@

修改配置文件vars@H_403_2@

把KEY_SIZE改为4096@H_403_2@

其他的如KEY_COUNTRY、KEY_PROVINCE等可以改成适当的值@H_403_2@

使用source vars引入环境变量@H_403_2@

@H_403_2@

使用env命令可以看到vars中的变量在环境变量中@H_403_2@

KEY_SIZE=4096
KEY_NAME=EasyRSA
KEY_CITY=SanFrancisco
KEY_PROVINCE=CA
KEY_ORG=Fort-Funston
......
 

准备keys目录@H_403_2@

@H_403_2@

执行./build-ca脚本@H_403_2@

创建ca的私钥和证书，在keys目录内@H_403_2@

提示的直接回车即可@H_403_2@

@H_403_2@

执行./build-key-server server@H_403_2@

创建用于服务端的ssl server证书@H_403_2@

Common Name即脚本的参数server
@H_403_2@

默认回车即可@H_403_2@

最后输入2次y确认@H_403_2@

创建的证书在keys目录keys/server.crt keys/server.csr keys/server.key
@H_403_2@

build-key-server脚本创建的证书含有Netscape Cert Type扩展@H_403_2@

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server

执行./build-key client1@H_403_2@

创建客户端证书@H_403_2@