# Ocserv self-signed Certs

Published 2019-11-05, last updated 2020-05-24.

## Deploy your own CA

- ENV: Debian 10 Buster 64-bit
- Dependencies: GnuTLS

Install GnuTLS and generate the CA private key:

```sh
apt install gnutls-bin
mkdir /etc/ocserv/ssl/
cd /etc/ocserv/ssl/
# This key signs every client certificate; keep it readable by root only
certtool --generate-privkey --outfile ca-privkey.pem
```

Make a CA template. certtool reads the certificate fields from a template file:

```sh
nano ca-cert.cfg
```

Contents of `ca-cert.cfg` (certtool templates use `#` for comments):

```
# X.509 Certificate options

# The organization of the subject.
organization = "Example Org"

# The common name of the certificate owner.
cn = "Example CA"

# The serial number of the certificate.
serial = 001

# In how many days, counting from today, this certificate will expire.
# Use -1 if there is no expiration date.
expiration_days = -1

# Whether this is a CA certificate or not
ca

# Whether this certificate will be used to sign data
signing_key

# Whether this key will be used to sign other certificates.
cert_signing_key

# Whether this key will be used to sign CRLs.
crl_signing_key
```

Note that with `expiration_days = -1` the CA never expires on its own, so retiring it later means removing it from the server configuration rather than waiting it out.

Let's generate the self-signed CA certificate from the key and the template we made before:

```sh
certtool --generate-self-signed --load-privkey ca-privkey.pem --template ca-cert.cfg --outfile ca-cert.pem
```

Let's generate a PKCS#12 bundle for the client. This command assumes a client private key (`client-privkey.pem`) and a client certificate signed by this CA (`client-cert.pem`) already exist; creating them is not covered here. `--pkcs-cipher 3des-pkcs12` selects the legacy PKCS#12 cipher for compatibility with importers that cannot read AES-encrypted bundles, and `--outder` writes the bundle in DER form.

```sh
certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher 3des-pkcs12 --outfile client.p12 --outder
```

Edit the ocserv configuration:

```sh
nano /etc/ocserv/ocserv.conf
```

Make these changes in `/etc/ocserv/ocserv.conf`:

```
# Remove the leading # so client certificates are used for authentication
auth = "certificate"
# If you also want to authenticate users with a plain password, enable this line as well
enable-auth = "plain[passwd=/etc/ocserv/ocpasswd]"

# ca-cert is the CA ocserv uses to verify client certificates:
# replace the Debian snakeoil certificate with the CA created above
#ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem
```

Exit and restart the service:

```sh
systemctl restart ocserv
```
