Deploy your own CA
ENV: Debian 10 Buster 64bit
Dependencies: GnuTLS
Install GnuTLS and generate the CA private key
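# Install the GnuTLS command-line tools and create the directory that holds
# the CA material. mkdir -p keeps the step re-runnable on an existing setup.
apt install gnutls-bin
mkdir -p /etc/ocserv/ssl/
cd /etc/ocserv/ssl/
# Generate the CA private key. This key signs every client certificate the VPN
# will trust, so it must stay readable by root only; the explicit chmod makes
# that independent of the current umask or of how the file was later copied.
certtool --generate-privkey --outfile ca-privkey.pem
chmod 600 ca-privkey.pem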
Make a CA Template
# Create the certtool template; its contents are the lines between the
# template start/end markers below.
nano ca-cert.cfg
// Template starts here
# X.509 Certificate options
# certtool template for the self-signed CA certificate; consumed by
# `certtool --generate-self-signed --template ca-cert.cfg`.
# The organization of the subject.
organization = "Example Org"
# The common name of the certificate owner.
cn = "Example CA"
# The serial number of the certificate.
# This is the CA certificate's own serial; each certificate the CA later
# issues needs its own, distinct serial number.
serial = 001
# In how many days, counting from today, this certificate will expire. Use -1 if there is no expiration date.
# NOTE(review): -1 yields a CA certificate that never expires. A finite
# lifetime forces a planned rotation and bounds how long a compromised CA key
# remains useful; client certificates must be re-issued when the CA is rotated.
expiration_days = -1
# Whether this is a CA certificate or not
ca
# Whether this certificate will be used to sign data
signing_key
# Whether this key will be used to sign other certificates.
cert_signing_key
# Whether this key will be used to sign CRLs.
crl_signing_key
// Template ends here
Let’s generate the self-signed CA certificate with the template we made before
# Self-sign the CA certificate using the private key and template created above;
# the result (ca-cert.pem) is what ocserv will be told to trust.
certtool --generate-self-signed \
  --template ca-cert.cfg \
  --load-privkey ca-privkey.pem \
  --outfile ca-cert.pem
Let’s generate a PKCS#12 bundle for the client. This assumes a client private key (client-privkey.pem) and a client certificate signed by this CA (client-cert.pem) already exist; generating and signing them is not shown here.
# Bundle the client key and certificate into a PKCS#12 file for the VPN client.
# Assumes client-privkey.pem and client-cert.pem already exist (a client key and
# a certificate issued by the CA above); those steps are not shown on this page.
# --pkcs-cipher 3des-pkcs12 is the legacy cipher that many PKCS#12 importers
# still expect; prefer aes-256 when the target client accepts it.
# certtool asks for a PKCS#12 password, which is the only protection the client
# key has once client.p12 is copied to the device.
certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher 3des-pkcs12 --outfile client.p12 --outder
Edit Ocserv configuration
# Edit the ocserv main configuration; the directives to change are listed below.
nano /etc/ocserv/ocserv.conf
// Uncomment this line (remove the leading #)
auth = "certificate"
// Enable this line if you also want users to be able to authenticate with a plain password
enable-auth = "plain[passwd=/etc/ocserv/ocpasswd]"
// Replace
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
to
ca-cert = /etc/ocserv/ssl/ca-cert.pem
// Save, exit the editor and restart the service
# Restart ocserv so the new CA and authentication settings take effect. If the
# service does not come back, check `systemctl status ocserv` and the journal
# for a configuration error before retrying.
systemctl restart ocserv
References
1. https://beyondkmp.com/post/centos7-ocser-config/
2. https://holmesian.org/linode-vps-centos-anyconnect
3. https://ywnz.com/linuxyffq/4562.html
4. https://nova.moe/deploy-openconnect-ocserv-with-letsencrypt/
5. https://www.linuxbabe.com/debian/openconnect-vpn-server-ocserv-debian-10-buster
Photo by Jon Tyson on Unsplash