●★● OpenVPN certificate import problem ●★●
I made a set of certificates under Windows, set up an OpenVPN server under Windows, and also set up an OpenVPN server on DD-WRT (Linux); both work and clients can connect and get online.
Now I have uploaded this set of certificates to ROS, but they only show the QR flags in front, not KR.
And there is no way to start the OpenVPN service with cert1.
Please see the pictures. What is the reason?
Is it that certificates generated under Windows can't be used, or what?
I have also referred to some articles on this forum.
Also see the picture: originally only 3 things need to be uploaded. Never mind 3, I uploaded all of them. Still no way to see the KR flag.
I have already imported ca ... ta .... dh1024; at most they only get QR, no way to get KR.
So this is urgent; asking everyone for advice.

This post was last edited by cool525000 on 2009-8-1 23:24
Look at picture O-1: as soon as I click, picture O-2 appears. It's driving me crazy, so I'm asking again. If there is any way to get the certificate to "KR", please let me know.
First enter the command
/certificate create-certificate-request
then follow along with the prompts below and keep entering
# Original address:
# http://wiki.mikrotik.com/wiki/OpenVPN
# Chinese translation at http://translate.google.com/translate?hl=zh-CN&u=http%3A%2F%2Fwiki.mikrotik.com%2Fwiki%2FOpenVPN
#---------------------------------------------------------------------------------------
select name for certificate request file. it will be created after you finish
entering all required information.
certificate request file name: certificate-request.pem
select name of private key file. if such file does not exist, it will be
created later.
file name: private-key.pem
private key file already exists and will be overwritten if you continue.
please enter passphrase that will be used to encrypt generated private key
file. you must enter it twice to be sure you have not made any typing errors.
passphrase: ****
verify passphrase: ****
enter number of bits for RSA key. longer keys take more time to generate.
rsa key bits: 1024
now you will be asked to enter values that make up distnguished name of your
certificate. you can leave some of them empty. CA may reject your certificate
request if some of these values are incorrect or missing, so please check what
are the requirements of your CA.
enter two character coutry code.
country name:
enter full name of state or province.
state or province name:
enter locality (e.g. city) name
locality name:
enter name of the organization
organization name:
enter organizational unit name
organization unit name:
enter common name. for ssl web servers this must be the fully qualified domain
name (FQDN) of the server that will use this certificate (like
www.someverysecuresitename.com) . this is checked by browsers.
common name: ovpnserver.mydomain.com
enter email address
email address:
now you can enter challenge password. it's use depends on your CA. it may be
used to revoke this certificate.
challenge password:
you can enter unstructured address, if your CA accepts or requires it.
unstructured address:
now private rsa key will be generated. no other certificate operations are
possible while generating key. 4096 bit key takes about 30 seconds on Celeron
800 system to generate. you will receive log message when it is done. download
by ftp from this router both private key and certificate request files. after
you receive your certificate from CA, upload it and the private key that will
be made now to a router and use "/certificate import" command to install it.
#-----------------------------------------------------------------------------------------
The original also says you have to go to https://www.cacert.org and sign up for an account, then submit some stuff, let it turn into something else and upload that again. Isn't that a hassle?!
----------------------------------------------------------------------------------------------------
As you can see, the only important fields are the Passphrase and Common Name fields, everything else can be left empty or default. After a few seconds you will receive notification that the Certificate Request file was created:
echo: system,info,critical certificate request file certificate-request.pem and private key file private-key.pem created
Copy the certificate-request.pem file to your desktop and open it with Wordpad, Textpad, or any other text editor (except Notepad). Now go back to your CAcert.org account, and create a new Server Certificate (Server Certificates > New). Copy the entire contents of the certificate-request.pem file and Paste them into the "Paste Your CSR(Certificate Signing Request) below..." box on the CAcert.org site. Submit the form and if all goes well, you should be presented with a "Below is your Server Certificate" page with a bunch of text. Copy/Paste this text into a text file using Wordpad/Textpad (or anything except Notepad), and save it as certificate-response.pem. Upload this file to the router, and import it.
Now this is the tricky part... without this next part you will get the dreaded "Couldn't change OVPN Server - no certificate found (6)" error as soon as you choose the certificate in OVPN Server!
Once you have successfully imported the certificate-response.pem file and can see it listed in the Certificate list, you have to import the private-key.pem you generated earlier. Import the private key file in the same way and your certificate should get a "KR" written next to it (K: decrypted-private-key, R: RSA). Now you will be able to use this key for OVPN.

Do you have QQ? I ran into this problem too, please advise ...
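Added example, not from this thread or the MikroTik wiki it quotes: a stdlib-only Python pre-upload check for the two files the reply above says must be imported, certificate first and then its private key. It parses each PEM file, verifies that the base64 body is a well-formed DER object, and reports whether the key is passphrase-encrypted (the create-certificate-request walkthrough above produces one that is, and the K flag stands for a decrypted private key). The file contents are constructed placeholders, and the script never talks to the router.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def der_len(der):
    """Header + content length of the DER object that starts at der[0]."""
    first = der[1]
    if first < 0x80:                 # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                 # long form: n more length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_pem(text):
    """Return (label, encrypted, der_bytes) for every PEM block in text."""
    text = text.replace("\r\n", "\n")  # CRLF from Windows editors is fine
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        # OpenSSL "traditional" keys announce encryption in RFC 1421 headers
        # before the base64 (blank line between); PKCS#8 says it in the label.
        headers, sep, b64 = body.partition("\n\n")
        if not sep:
            headers, b64 = "", body
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in headers
        der = base64.b64decode("".join(b64.split()), validate=True)
        # A certificate or plaintext key is one DER SEQUENCE (tag 0x30) whose length
        # covers exactly the decoded bytes; an encrypted traditional key body is ciphertext.
        if not encrypted and (len(der) < 2 or der[0] != 0x30 or der_len(der) != len(der)):
            raise ValueError(f"{label}: not a well-formed DER SEQUENCE")
        blocks.append((label, encrypted, der))
    return blocks

def import_plan(cert_pem, key_pem):
    """Import order the replies recommend (certificate, then its private key)
    plus whether the key import will ask for a passphrase."""
    certs = [b for b in parse_pem(cert_pem) if b[0] == "CERTIFICATE"]
    keys = [b for b in parse_pem(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError("expected exactly one CERTIFICATE and one PRIVATE KEY block")
    return ["CERTIFICATE", keys[0][0]], keys[0][1]

# Constructed samples (not from the thread). "MAMCAQA=" is the minimal DER
# SEQUENCE { INTEGER 0 }, enough to exercise the structural checks above.
SERVER_CRT = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\r\nMAMCAQA=\r\n-----END RSA PRIVATE KEY-----\r\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "c2VjcmV0\n-----END RSA PRIVATE KEY-----\n")
```

Running import_plan on a real server.crt and server.key before uploading tells you whether the key import will prompt for the passphrase; a key that is silently rejected is the usual reason a certificate stays at QR.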
I guess your certificate wasn't generated properly...
Try mine and see...
Mine imported into ROS successfully... It seems there is also an order to importing: import the crt first, then the key.

Same with mine: messed around for ages and it's still qr. I did it once before and it worked; now I don't know why it won't.

Generating it directly with commands is even faster. Original link: http://www.vpnchina.org.cn/vpntechnic/2008/0829/article_7.html
1. Go to the OpenVPN official site (http://openvpn.net) and download the Windows program
2. Install the program
3. Go into the install directory; you will see three directories: bin, driver, easy-rsa
In [Start] -> [Run] enter cmd
Enter cd x:\xxx\xxx\
Note: x:\xxx\xxx\ is your OpenVPN install directory; for example, if it is installed in C:\Program Files\OpenVPN, enter cd C:\Program Files\OpenVPN
Then enter the commands
cd easy-rsa (enter the directory)
init-config (initialize the configuration)
Go into the easy-rsa directory and edit the vars.bat file with Notepad; if this file doesn't exist, rename vars.bat.sample to vars.bat
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=FortFunston
set KEY_EMAIL=mail@host.domain
Change the items above as you need
Then enter the command
clean-all (clears the relevant directory files)
Then generate the ca files with the command
build-ca
Generate the client key
build-key client
Generate the server key
build-key-server server
Generate the pem file
build-dh.bat
Now there is a keys directory under the easy-rsa directory
which contains the certificates needed to configure OpenVPN

This post was last edited by XCV123321 on 2010-1-24 08:03
On 3.2 and 3.22 machines, certificate import fails and shows QR.
This has been solved; I'm now posting my method.
First of all, personally I feel this situation has nothing to do with the digital certificate; it's mainly related to the ROS router system version itself, so I didn't start from the certificate (I have repeatedly tested multiple certificates and multiple router versions); I solved it by starting from the system version.
Solution for the ovpn digital certificate QR problem
There are 3 versions of the method
1. Seen online from a foreign poster: on 3.22 you can use netinstall to reinstall version 3.2.
Ugh, where would I find a console cable and a COM port? This is a bit hard to pull off.
2. Upgrade/downgrade the system version; this is the one I have verified works.
When 3.2 or 3.22 reports QR while importing the certificate for vpn, you can
upgrade the 3.2/3.22 system to 4.x using the npk upgrade package: upload it via ftp, and after a reboot it upgrades automatically.
Note: extract the zip archive and upgrade with the extracted packages; one of them is called xen.npk, make sure not to upload that one, reason not explained.
Also, here you can only upgrade to 4.0beta1 or 4.0beta2; this is very important. Do not upgrade to 4.0beta3 or higher; this is very important. It's the 8-digit ID issue, reason not explained.
Next, reinstall once with the 3.2 iso.
Note: do not overwrite the system's original configuration, otherwise you have to reinstall and register again.
At this point the system is version 3.2. Finally you can ftp upload the original xx.back file.
Use the command /sy bk load name=.backy; after a reboot it will restore the original state. Then import the certificate and see whether it is KQ. This method only applies to 3.2 or 3.22; I haven't tried other versions. This is only offered as a line of thinking for solving the problem.
3. Don't install the security package, or disable that package, then try importing the ovpn certificate.

Still not working?