●★●OPENVPN证书的导入问题●★●

cool525000 · 发表于 2009-8-1 22:58:59

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有账号？注册

×

我在WIN下制作了一套证书，在WIN下设置OPENVPN服务器，
和在LINUX的 DDWRT 下也做成OPENVPN服务器，都能通过并连接上网。

现在我把这套证书传上ros上，前面只有QR标志，而没 KR标志。
而且没办法启动cert1的OPENVPN服务。
请参阅图片，请问是什么原因？
是不是WIN下生成的证书不能用还是怎样的？
而且我也参考了论坛的一些文章。
还有请看图，本来只需要传3个东西的。不要说3个，我全部都传了。没办法看到KR标志。
已经improt ca ... ta.... dh1024, 都最多只能 QR ，没办法做到 KR。

所以江湖救急，请教各位。证书.jpg

cool525000 · 发表于 2009-8-1 23:17:35

本帖最后由 cool525000 于 2009-8-1 23:24 编辑

看O-1图，我只要一点，就出现O-2图。就快烦恼死了，所以再次请教。

cool525000 · 发表于 2009-8-2 15:18:33

有什么办法可以把证书“KR”，麻烦转告一声。
先输入命令行
/certificate create-certificate-request
然后照着下面的继续输入
#原文地址在
#http://wiki.mikrotik.com/wiki/OpenVPN
#中文翻译出的地址在http://translate.google.com/tran ... om%2Fwiki%2FOpenVPN

#---------------------------------------------------------------------------------------
select name for certificate request file. it will be created after you finish
entering all required information.

certificate request file name: certificate-request.pem
select name of private key file. if such file does not exist, it will be
created later.

file name: private-key.pem
private key file already exists and will be overwritten if you continue.
please enter passphrase that will be used to encrypt generated private key
file. you must enter it twice to be sure you have not made any typing errors.

passphrase: ****  [IMPORTANT]
verify passphrase: **** [IMPORTANT]
enter number of bits for RSA key. longer keys take more time to generate.

rsa key bits: 1024  [Default]
now you will be asked to enter values that make up distnguished name of your
certificate. you can leave some of them empty. CA may reject your certificate
request if some of these values are incorrect or missing, so please check what
are the requirements of your CA.

enter two character coutry code.

country name: [NOT IMPORTANT]
enter full name of state or province.

state or province name: [NOT IMPORTANT]
enter locality (e.g. city) name

locality name: [NOT IMPORTANT]

enter name of the organization

organization name: [NOT IMPORTANT]
enter organizational unit name

organization unit name: [NOT IMPORTANT]

enter common name. for ssl web servers this must be the fully qualified domain
name (FQDN) of the server that will use this certificate (like
www.someverysecuresitename.com) . this is checked by browsers.

common name: ovpnserver.mydomain.com  [IMPORTANT]
enter email address

email address: [NOT IMPORTANT]

now you can enter challenge password. it's use depends on your CA. it may be
used to revoke this certificate.

challenge password: [NOT IMPORTANT]

you can enter unstructured address, if your CA accepts or requires it.

unstructured address: [NOT IMPORTANT]

now private rsa key will be generated. no other certificate operations are
possible while generating key. 4096 bit key takes about 30 seconds on Celeron
800 system to generate. you will receive log message when it is done. download
by ftp from this router both private key and certificate request files. after
you receive your certificate from CA, upload it and the private key that will
be made now to a router and use "/certificate import" command to install it.

#-----------------------------------------------------------------------------------------

cool525000 · 发表于 2009-8-2 15:21:50

原文还说，还要到https://www.cacert.org这个网站申请个帐号，然后在提交某些内容，让他又变成什么又上传上去，这不折腾人吗？！
----------------------------------------------------------------------------------------------------
As you can see, the only important fields are the Passphrase and Common Name fields, everything else can be left empty or default. After a few seconds you will receive notification that the Certificate Request file was created:

echo: system,info,critical certificate request file certificate-request.pem and private key file private-key.pem created

Copy the certificate-request.pem file to your desktop and open it with Wordpad, Textpad, or any other text editor (except Notepad). Now go back to your CAcert.org account, and create a new Server Certificate (Server Certificates > New). Copy the entire contents of the certificate-request.pem file and Paste them into the "Paste Your CSR(Certificate Signing Request) below..." box on the CAcert.org site. Submit the form and if all goes well, you should be presented with a "Below is your Server Certificate" page with a bunch of text. Copy/Paste this text into a text file using Wordpad/Textpad (or anything except Notepad), and save it as certificate-response.pem. Upload this file to the router, and import it.

Now this is the tricky part... without this next part you will get the dreaded "Couldn't change OVPN Server - no certificate found (6)" error as soon as you choose the certificate in OVPN Server!

Once you have successfully imported the certificate-response.pem file and can see it listed in the Certificate list, you have to import the private-key.pem you generated earlier. Import the private key file in the same way and your certificate should get a "KR" written next to it (K: decrypted-private-key, R: RSA). Now you will be able to use this key for OVPN.

spr1t3 · 发表于 2009-8-21 16:30:27

有QQ吗,我也遇到这样的问题，请教`

小狼 · 发表于 2009-8-22 09:19:10

...
估计是你的证书没生成好。。。

试试我的看。。。
我的成功导入到ROS了。

ca.zip (1.91 KB, 下载次数: 123)

小狼 · 发表于 2009-8-22 09:31:44

。好像导入还有顺序的，先导入crt，然后导入key

ogion · 发表于 2009-9-11 15:41:26

我的也是，弄了半天还是qr，以前搞过一次可以，现在不知道咋不行了

tlze · 发表于 2009-10-10 14:39:53

直接用命令生成还更快. 原文链接:http://www.vpnchina.org.cn/vpntechnic/2008/0829/article_7.html

1.上OpenVPN官方网站(http://openvpn.net)下载 For windows的程序
2.安装程序
3.进行安装目录，将看到 Bin Driver Easy-rsa三个目录
在[开始]->[运行] 输入 cmd
输入cd x:\xxx\xxx\
注 x:\xxx\xxx\ 为你的openvpn的安装目录，例如安装在C:\Program Files\OpenVPN就输入 cd C:\Program Files\OpenVPN
再输入指令
cd easy-rsa (进入目录)
init-config (初始化配置)

进行easy-rsa目录，使用记事本修改vars.bat 文件，如果没有这个文件，修改vars.bat.sample改成vars.bat
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=FortFunston
set KEY_EMAIL=mail@host.domain
修改以上几项，按你自已的需要
然后输入指令
clean-all (清除相关目录文件)

然后生成ca文件，指令
build-ca

生成客户端的key
build-key client

生成服务端的Key
build-key-server server

生成pem文件
build-dh.bat

此时在easy-rsa目录下有个keys目录
里面就有了配置OPENVPN相关的证书了

XCV123321 · 发表于 2010-1-23 21:00:38

本帖最后由 XCV123321 于 2010-1-24 08:03 编辑

3.2 和 3.22 的机器会出现证书导入失败显示 QR 的情况

这个已经解决了，现在把我的方法放出来

首先个人感觉这种情况和数字证书没有关系，主要和ros路由系统版本本身有关，所以没有从证书入手（已经反复试验过多个证书和多个版本的路由），是从系统版本入手的解决的

ovpn 数字证书 QR 的解决办法

有3个版的办法

1 从网上看到鬼佬说的, 3.22的可以用 netinstall 重新装一遍 3.2的版本

晕从哪去找 consle电缆线和 com接口

，这个实现起来有点困难

2  做系统版本的升降级操作就是我已经验证成功的

3.2 或 3.22 做 vopn 导入证书时报 QR 可以

把 3.2，3.22的系统升级到 4.x,  用升级包nkg进行升级 ftp上传后在reboot 后自动升级
注意要用zip压缩包的解压后升级 ,其中的一个叫  Xen.nkg 的注意不要上传升级  原因不解释了

还有这里只可以  升级到 4.0beta1 或者4.0beta2 ，这一点很重要千万不要升级到 4.0beta3 或更高的版本，这一点很重要 8位id的问题原因不解释

  这接下来用3.2 iso 重新装一次.

注意不要覆盖系统原来的配置否则

要重新安装注册了

这时系统就是 3.2版最后可以 ftp上传原来导入的 xx.back 文件

使用命令 /sy bk load name=.back y 重启后就会恢复原来的状态了，导入证书看是否 KQ 这个方法只适合 3.2 或3.22 , 其他的版本没有试过这仅做解决问题的思路

3 别装 security 模块或者禁用掉这个模块 ovpn 导入证书试试

ikic · 发表于 2010-3-1 22:36:10

还没成功吗？

账号		自动登录	找回密码
密码			注册

[vpn] ●★●OPENVPN证书的导入问题●★●

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。