1.安装工具软件
pacman -S gnutls2.创建证书路径
mkdir /etc/ocserv/client/ && cd /etc/ocserv/client/3.生成CA证书的私钥
certtool --generate-privkey --outfile ca-privkey.pem4.创建CA证书的模版
nano ca-cert.cfg
# X.509 Certificate options
# The organization of the subject.
organization = "v.zeno.vip"
# The common name of the certificate owner.
cn = "Zeno's CA"
# The serial number of the certificate.
serial = 001
# In how many days, counting from today, this certificate will expire. Use -1 if there is no expiration date.
expiration_days = -1
# Whether this is a CA certificate or not
ca
# Whether this certificate will be used to sign data
signing_key
# Whether this key will be used to sign other certificates.
cert_signing_key
# Whether this key will be used to sign CRLs.
crl_signing_key5.生成CA证书
certtool --generate-self-signed --load-privkey ca-privkey.pem --template ca-cert.cfg --outfile ca-cert.pem6.生成客户端私钥
certtool --generate-privkey --outfile client-privkey.pem7.配置客户端证书模版
mkdir -p .ocscerts/office && cd .ocscerts/office && nano client-cert-office.cfg
# X.509 Certificate options
# The organization of the subject.
organization = "v.zeno.vip"
# The common name of the certificate owner.
cn = "User:office"
# A user id of the certificate owner.
uid = "office"
# In how many days, counting from today, this certificate will expire. Use -1 if there is no expiration date.
expiration_days = 7300
# Whether this certificate will be used for a TLS server
tls_www_client
# Whether this certificate will be used to sign data
signing_key
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key8.生成客户端证书
cd ../../
certtool --generate-certificate --load-privkey client-privkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-privkey.pem --template .ocscerts/office/client-cert-office.cfg --outfile .ocscerts/office/client-cert-office.pem9.合并客户端私钥和证书
很多机器已经是openssl 3.0了,所以要用第二条老的指令生成
certtool --to-p12 --load-privkey client-privkey.pem --load-certificate .ocscerts/office/client-cert-office.pem --pkcs-cipher aes-256 --outfile .ocscerts/office/client-office.p12 --outder# 默认系统安装了openssl 3.0,导致mac上无法使用,安装老版本的openssl,然后生成客户端证书即可
openssl-1.1 pkcs12 -export -inkey client-privkey.pem -in .ocscerts/office/client-cert-office.pem -name "office" -certfile ca-cert.pem -caname "Zeno's CA" -out .ocscerts/office/client-office.p12 -passout pass:123456苹果手机使用方法
第一步,打开软件,第二行有个连接,点进去,第二行有个服务地址,第一行说明可不填。
请添加服务地址 v.zeno.vip:1985 ,然后保存。
第二步 导入证书
打开anyconnect,点下面的“诊断”→“证书”,导入证书,输入导入证书URL地址。
http://v.zeno.vip/username.p12
导入密m:123456(注意第一个字母大写)
导入成功,返回到app首页 直接点开开关即可。
复制粘贴服务地址和证书URL的时候检查后面不要多余空格,不然会提示解析失败。
电脑使用方法1.下载证书到电脑上,复制下面证书地址 到浏览器打开 下载。
http://v.zeno.vip/username.p12
2.然后双击证书文件导入到电脑。
证书密码123456
3.打开anyconnect,输入服务器地址 v.zeno.vip:1985 然后点connect就可以连上。
备注:MAC电脑的,打开浏览器,复制证书地址到浏览器打开下载,然后双击证书文件,选择“系统”,添加
