ocserv: authenticating users with client certificates

1. Install the tools

pacman -S gnutls

2. Create the certificate directory

mkdir /etc/ocserv/client/ && cd /etc/ocserv/client/

3. Generate the CA private key

certtool --generate-privkey --outfile ca-privkey.pem

4. Create the CA certificate template

nano ca-cert.cfg

# X.509 Certificate options

# The organization of the subject.
organization = "v.zeno.vip"

# The common name of the certificate owner.
cn = "Zeno's CA"

# The serial number of the certificate.
serial = 001

# In how many days, counting from today, this certificate will expire. Use -1 if there is no expiration date.
expiration_days = -1

# Whether this is a CA certificate or not
ca

# Whether this certificate will be used to sign data
signing_key

# Whether this key will be used to sign other certificates.
cert_signing_key

# Whether this key will be used to sign CRLs.
crl_signing_key

5. Generate the CA certificate

certtool --generate-self-signed --load-privkey ca-privkey.pem --template ca-cert.cfg --outfile ca-cert.pem

6. Generate the client private key

certtool --generate-privkey --outfile client-privkey.pem

7. Configure the client certificate template

mkdir -p .ocscerts/office && cd .ocscerts/office && nano client-cert-office.cfg

# X.509 Certificate options
# The organization of the subject.
organization = "v.zeno.vip"

# The common name of the certificate owner.
cn = "User:office"

# A user id of the certificate owner.
uid = "office"

# In how many days, counting from today, this certificate will expire. Use -1 if there is no expiration date.
expiration_days = 7300

# Whether this certificate will be used for a TLS client
tls_www_client

# Whether this certificate will be used to sign data
signing_key

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key

8. Generate the client certificate

cd ../../
certtool --generate-certificate --load-privkey client-privkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-privkey.pem --template .ocscerts/office/client-cert-office.cfg --outfile .ocscerts/office/client-cert-office.pem

9. Bundle the client private key and certificate
Many machines already run OpenSSL 3.0, so use the second (older) command to generate the bundle.

certtool --to-p12 --load-privkey client-privkey.pem --load-certificate .ocscerts/office/client-cert-office.pem --pkcs-cipher aes-256 --outfile .ocscerts/office/client-office.p12 --outder
# The system ships with OpenSSL 3.0 by default, which makes the bundle unusable on a Mac; install the older OpenSSL and then generate the client certificate bundle with it
openssl-1.1 pkcs12 -export -inkey client-privkey.pem -in .ocscerts/office/client-cert-office.pem -name "office" -certfile ca-cert.pem -caname "Zeno's CA" -out .ocscerts/office/client-office.p12 -passout pass:123456
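The certificate steps above (3 through 9) collected into one script, as an added example; this is my code, not the post author's. It assumes GnuTLS certtool is on PATH and keeps the post's names and paths, and it goes one step beyond the post in two ways: each user gets a private key of their own under .ocscerts/<user>/, and the issued certificate is verified against the CA before it is bundled. The WORK variable and the password argument are mine.

```shell
#!/bin/sh
# Added example, not the post's own script: steps 3-9 of the post as one
# procedure. Assumes GnuTLS certtool is installed (pacman -S gnutls).
set -eu

# Paths and names taken from the post; WORK can be overridden for a dry run.
WORK="${WORK:-/etc/ocserv/client}"
CA_ORG="v.zeno.vip"
CA_CN="Zeno's CA"

# Step 4: write the CA template to $1.
write_ca_template() {
cat > "$1" <<EOF
organization = "$CA_ORG"
cn = "$CA_CN"
serial = 001
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

# Step 7: write the client template for user $2 to $1. The uid attribute
# is the value ocserv reads as the username when cert-user-oid is the UID OID.
write_client_template() {
cat > "$1" <<EOF
organization = "$CA_ORG"
cn = "User:$2"
uid = "$2"
expiration_days = 7300
tls_www_client
signing_key
encryption_key
EOF
}

# Succeeds only if template $1 carries the attributes a signing CA needs.
template_is_ca() {
    grep -qx 'ca' "$1" && grep -qx 'cert_signing_key' "$1"
}

# Prints the uid value of client template $1.
template_uid() {
    sed -n 's/^uid = "\(.*\)"$/\1/p' "$1"
}

# Steps 3-9 for user $1 with PKCS#12 password $2. The CA is created once and
# reused; each user gets a private key of their own under .ocscerts/$1/.
issue_client() {
    cd "$WORK"
    [ -f ca-privkey.pem ] || certtool --generate-privkey --outfile ca-privkey.pem
    [ -f ca-cert.cfg ] || write_ca_template ca-cert.cfg
    [ -f ca-cert.pem ] || certtool --generate-self-signed --load-privkey ca-privkey.pem \
        --template ca-cert.cfg --outfile ca-cert.pem
    dir=".ocscerts/$1"
    mkdir -p "$dir"
    certtool --generate-privkey --outfile "$dir/client-privkey.pem"
    write_client_template "$dir/client-cert-$1.cfg" "$1"
    certtool --generate-certificate --load-privkey "$dir/client-privkey.pem" \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-privkey.pem \
        --template "$dir/client-cert-$1.cfg" --outfile "$dir/client-cert-$1.pem"
    # Check that the issued certificate chains to our CA before handing it out.
    certtool --verify --load-ca-certificate ca-cert.pem --infile "$dir/client-cert-$1.pem" >/dev/null
    # Step 9 with certtool; the CA certificate is embedded so the client sees the chain.
    certtool --to-p12 --load-privkey "$dir/client-privkey.pem" \
        --load-certificate "$dir/client-cert-$1.pem" --load-ca-certificate ca-cert.pem \
        --pkcs-cipher aes-256 --p12-name "$1" --password "$2" \
        --outfile "$dir/client-$1.p12" --outder
    echo "wrote $WORK/$dir/client-$1.p12"
}

# Usage: sh issue-client.sh office 123456   (reproduces the post's 'office' user)
if [ $# -ge 2 ]; then
    issue_client "$1" "$2"
fi
```

On a host with OpenSSL 3.0, the openssl pkcs12 -export command of step 9 also accepts -legacy, which writes the older PKCS#12 encryption that the macOS importer still understands; the post's openssl-1.1 route achieves the same result. On the ocserv side, which the post does not show (so this is my assumption about the matching configuration), the uid attribute written by the client template is what cert-user-oid = 0.9.2342.19200300.100.1.1 selects as the username, alongside auth = "certificate" and ca-cert = /etc/ocserv/client/ca-cert.pem.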

Using it on an iPhone
Step 1: Open the app. The second row is "Connections"; tap it. On that screen the second row is the server address; the first row (description) can be left blank.
Add the server address v.zeno.vip:1985, then save.
Step 2: Import the certificate
Open AnyConnect, tap "Diagnostics" → "Certificates" at the bottom, choose to import a certificate, and enter the certificate's URL:
http://v.zeno.vip/username.p12

Import password: 123456 (note that the first letter is uppercase)
Once the import succeeds, return to the app's home screen and tap the switch to connect.

When copying and pasting the server address and the certificate URL, check that there is no trailing space; otherwise you will get a resolution failure.

Using it on a computer

1. Download the certificate to the computer: copy the certificate URL below, open it in a browser, and download the file.
http://v.zeno.vip/username.p12
2. Double-click the certificate file to import it into the computer.
Certificate password: 123456
3. Open AnyConnect, enter the server address v.zeno.vip:1985 and click Connect.

Note for Mac: open a browser, paste the certificate URL to download the file, then double-click the certificate file and choose "System" when adding it.

About Zeno Chen

I work in quite a few areas, broadly rather than deeply. Programming languages: Perl, Java, PHP, Python; database systems: MySQL, Oracle; occasionally I do circuit board development, mainly with STM32 microcontrollers.
This entry was posted in the Linux category. Bookmark the permalink.