CentOS 7: building an OpenVPN server

[root@myzdl ~]# yum install openvpn easy-rsa lzo lzo-devel openssl openssl-devel -y    // install the packages
[root@myzdl ~]# ls /etc/openvpn/    // openvpn service configuration directory
client server
[root@myzdl ~]# ls /usr/share/easy-rsa/    // easy-rsa installation directory
3 3.0 3.0.3
[root@myzdl ~]# ls /usr/sbin/openvpn    // the openvpn binary used to start the service
/usr/sbin/openvpn

Creating the CA root certificate and the server certificate:
[root@myzdl ~]# find / -name "vars.example" -type f    // locate the easy-rsa template of certificate parameters
/usr/share/doc/easy-rsa-3.0.3/vars.example
[root@myzdl ~]# cd /usr/share/easy-rsa/3.0.3/
[root@myzdl 3.0.3]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example vars    // holds the default parameters used when certificates are generated
[root@myzdl 3.0.3]# vi vars    // modify the default parameters (the edited values are shown in a screenshot in the original post)
Note: if the client configuration will later use the "ns-cert-type server" directive, the following variable must be set to yes before the server certificate is created, so that the certificate carries the nsCertType extension:
#set_var EASYRSA_NS_SUPPORT "no"

[root@myzdl 3.0.3]# ./easyrsa init-pki    // create a new pki directory structure
[root@myzdl 3.0.3]# ./easyrsa build-ca nopass    // create the root CA certificate without a passphrase; press Enter at the prompt (produces ca.crt)
[root@myzdl 3.0.3]# ./easyrsa gen-req vpnserver nopass    // generate the server key pair and certificate request without a passphrase; press Enter at the prompt (produces vpnserver.req and vpnserver.key)
[root@myzdl 3.0.3]# ./easyrsa sign server vpnserver    // sign vpnserver.req with the root CA to produce the server certificate (produces vpnserver.crt)
[root@myzdl 3.0.3]# ./easyrsa gen-dh    // create the Diffie-Hellman parameters (produces dh.pem)
[root@myzdl easy-rsa]# cp -R 3.0.3/ /root/Desktop/    // copy the 3.0.3/ directory to the desktop; it is needed again later

Creating the client certificate:
[root@myzdl 3.0.3]# rm -rf pki/    // the old pki directory must be removed and created again
[root@myzdl 3.0.3]# ./easyrsa init-pki
[root@myzdl 3.0.3]# ./easyrsa gen-req client nopass    // generate the client key pair and certificate request without a passphrase; press Enter at the prompt (produces client.req and client.key)
Earlier the server certificate vpnserver.crt was produced by signing with the root CA. That CA now lives only in the desktop copy of the PKI (alongside vpnserver.crt), so the client request is copied there and signed with the same root CA to obtain client.crt:
[root@myzdl 3.0.3]# cp pki/reqs/client.req /root/Desktop/3.0.3/pki/reqs/
[root@myzdl 3.0.3]# cp pki/private/client.key /root/Desktop/3.0.3/pki/private/
[root@myzdl 3.0.3]# cd /root/Desktop/3.0.3/
[root@myzdl 3.0.3]# ./easyrsa sign client client    // client.crt is generated successfully
After the steps above, the files the server needs are: ca.crt, dh.pem, vpnserver.crt, vpnserver.key
The files the client needs are: ca.crt, client.key, client.crt
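The three client files listed above are usually handed to the client as a single inline profile rather than as three separate files. The shell function below is an added example, not code from the original post; it bundles ca.crt, client.crt and client.key into one .ovpn file, assumes the server hostname, port and output path are supplied by the caller, and uses "remote-cert-tls server" (the current replacement for the "ns-cert-type server" directive mentioned earlier) so the client rejects a peer whose certificate was not issued as a server certificate. The placeholder files created at the bottom are constructed for the demo and are not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): bundle ca.crt, client.crt and
# client.key into a single inline OpenVPN client profile (.ovpn).
# OpenVPN reads <ca>, <cert> and <key> blocks in place of the ca/cert/key
# file directives, so one file carries everything the client needs.
# Assumptions: server host/port and the output path come from the caller.

make_client_ovpn() {
    dir=$1                 # directory holding ca.crt, client.crt, client.key
    host=$2                # server hostname or IP (caller-supplied)
    port=${3:-1194}        # server port; 1194 matches the post's netstat check
    out=$4                 # output profile path
    for f in ca.crt client.crt client.key; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    # write the profile under a private umask so the embedded key is never
    # group/world readable, not even briefly
    old_umask=$(umask)
    umask 077
    {
        echo "client"
        echo "dev tun"
        echo "proto udp"
        echo "remote $host $port"
        echo "resolv-retry infinite"
        echo "nobind"
        echo "persist-key"
        echo "persist-tun"
        # reject a peer whose certificate was not signed as a server cert
        # (easy-rsa 'sign server' sets the serverAuth extended key usage);
        # this replaces the deprecated 'ns-cert-type server' the post mentions
        echo "remote-cert-tls server"
        echo "verb 3"
        echo "<ca>";   cat "$dir/ca.crt";     echo "</ca>"
        echo "<cert>"; cat "$dir/client.crt"; echo "</cert>"
        echo "<key>";  cat "$dir/client.key"; echo "</key>"
    } > "$out"
    umask "$old_umask"
    echo "$out"
}

# Demo with CONSTRUCTED placeholder files (not real certificates). Point the
# function at the real client files copied out of the easy-rsa pki/ tree.
demo_dir=$(mktemp -d)
printf 'CONSTRUCTED CA PLACEHOLDER (not a real certificate)\n'   > "$demo_dir/ca.crt"
printf 'CONSTRUCTED CERT PLACEHOLDER (not a real certificate)\n' > "$demo_dir/client.crt"
printf 'CONSTRUCTED KEY PLACEHOLDER (not a real key)\n'          > "$demo_dir/client.key"
make_client_ovpn "$demo_dir" vpn.example.com 1194 "$demo_dir/client.ovpn"
```

The function refuses to write a profile if any of the three inputs is missing or empty, and the resulting file is mode 0600 because it contains the client's private key.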



Certificate-based authentication:
[root@myzdl 3.0.3]# pwd
/root/Desktop/3.0.3
[root@myzdl 3.0.3]# cp pki/{ca.crt,dh.pem} /etc/openvpn/server/
[root@myzdl 3.0.3]# cp pki/private/vpnserver.key /etc/openvpn/server/
[root@myzdl 3.0.3]# cp pki/issued/vpnserver.crt /etc/openvpn/server/
[root@myzdl 3.0.3]# find / -name "server.conf" -type f    // locate the sample configuration file
/usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf
/usr/share/doc/NetworkManager/examples/server.conf
[root@myzdl 3.0.3]# cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/server/    // copy the sample configuration here
[root@myzdl 3.0.3]# cd /etc/openvpn/server/
[root@myzdl server]# vi server.conf    // edit the configuration file
[root@myzdl server]# cat server.conf | grep -v ^# | grep -v ^$ | grep -v ^";"    // show only the effective directives (the result is shown in a screenshot in the original post)
[root@myzdl server]# /usr/sbin/openvpn --config ./server.conf --daemon    // start the service
[root@myzdl server]# netstat -anulp | grep 1194    // confirm the service is listening on UDP port 1194
[root@myzdl server]# firewall-cmd --add-service=openvpn --zone=public --permanent
[root@myzdl server]# firewall-cmd --reload    // open the OpenVPN data port in the firewall
To configure the client, get the client files listed above (ca.crt, client.key, client.crt) onto the client machine by whatever means are available.
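Before starting the daemon and opening the firewall port, it is worth checking that the effective configuration actually points at the files copied above and that the server key is not readable by other users. The shell functions below are an added example, not code from the original post: they reproduce the post's grep pipeline as a function, then resolve the ca/cert/key/dh paths relative to the directory holding the configuration (which is how OpenVPN resolves relative paths when no "cd" directive is set) and check each file. The server.conf and files built by make_demo_server_tree are constructed placeholders for the demo, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OpenVPN
# server.conf before starting the daemon. Reproduces the post's
# "grep -v ^# | grep -v ^$ | grep -v ^;" view as a function, then verifies
# that the ca/cert/key/dh files it names exist and that the private key is
# not group/world readable. Relative paths are resolved against the
# directory holding the conf, as OpenVPN does when no 'cd' directive is set.

# Effective directives only: drop '#' and ';' comment lines and blank lines.
openvpn_effective_conf() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*;' | grep -v '^[[:space:]]*$'
}

# First value of a directive, e.g. `openvpn_directive server.conf key`.
openvpn_directive() {
    openvpn_effective_conf "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Returns 0 when every referenced file is present and the key is private.
openvpn_check_server_files() {
    conf=$1
    confdir=$(dirname "$conf")
    rc=0
    for d in ca cert key dh; do
        v=$(openvpn_directive "$conf" "$d")
        if [ -z "$v" ]; then
            echo "MISSING DIRECTIVE: $d" >&2; rc=1; continue
        fi
        case $v in /*) f=$v ;; *) f=$confdir/$v ;; esac
        if [ ! -s "$f" ]; then
            echo "MISSING FILE: $d -> $f" >&2; rc=1; continue
        fi
        if [ "$d" = key ]; then
            # characters 5-10 of `ls -l` are the group and other permission bits
            go=$(ls -l "$f" | cut -c5-10)
            if [ "$go" != "------" ]; then
                echo "KEY TOO OPEN: $f (group/other bits: $go)" >&2; rc=1
            fi
        fi
    done
    # Not fatal, but worth knowing: without user/group the daemon keeps root.
    for d in user group; do
        [ -n "$(openvpn_directive "$conf" "$d")" ] || echo "NOTE: '$d' not set, daemon stays root" >&2
    done
    return $rc
}

# Build a CONSTRUCTED placeholder tree (not real key material) in $1 and
# print the path of its server.conf. File names mirror the post's.
make_demo_server_tree() {
    d=$1
    cat > "$d/server.conf" <<'EOF'
# sample comment line, ignored like the post's grep -v ^#
;push "redirect-gateway def1"
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh.pem
user nobody
group nobody
EOF
    for f in ca.crt vpnserver.crt dh.pem vpnserver.key; do
        printf 'CONSTRUCTED PLACEHOLDER for %s\n' "$f" > "$d/$f"
    done
    chmod 600 "$d/vpnserver.key"
    echo "$d/server.conf"
}

demo=$(mktemp -d)
conf=$(make_demo_server_tree "$demo")
openvpn_effective_conf "$conf"
openvpn_check_server_files "$conf" && echo "OK: $conf"
```

Run it against /etc/openvpn/server/server.conf on the real host: a non-zero exit means a referenced file is missing or the key is readable by group/other, both of which are better caught here than after the daemon is already listening on 1194.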
Client installation steps:
(The client installation steps appear only as screenshots in the original post.)


Source: blog.51cto.com/14241151/2422558