Installing and Configuring OpenVPN. Part 2 [2010]

Creating PKCS12 files for Branches No. 1, 2, 3

Change to the directory and create the keys for branches No. 1, 2 and 3:
filial1.p12, filial2.p12, filial3.p12
pkcs12 is the name of a file in PKCS #12 format that contains the CA certificate, the client's key and the client's certificate. Such a file and command replace three corresponding files and commands at once: .ca, .cert, .key
//> cd /usr/local/share/doc/openvpn/easy-rsa/
/usr/local/share/doc/openvpn/easy-rsa/> sh

# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on 
/usr/local/share/doc/openvpn/easy-rsa/keys/server
#


Create the keys for Branch No. 1


# ./build-key-pkcs12 filial1
Generating a 1024 bit RSA private key
..................................++++++
.....++++++
writing new private key to 'filial1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:RU
State or Province Name (full name) [NA]:Rostov-on-Don
Locality Name (eg, city) [BISHKEK]:Zernograd
Organization Name (eg, company) [OpenVPN-TEST]:server
Organizational Unit Name (eg, section) []:server
Common Name (eg, your name or your server's hostname) []:filial1
Email Address [me@myhost.mydomain]:filial1@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:filial1
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'RU'
stateOrProvinceName :PRINTABLE:'Rostov-on-Don'
localityName :PRINTABLE:'Zernograd'
organizationName :PRINTABLE:'server'
organizationalUnitName:PRINTABLE:'server'
commonName :PRINTABLE:'filial1'
emailAddress :IA5STRING:'filial1@localhost'
Certificate is to be certified until Jan 17 19:46:38 2019 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter Export Password:
Verifying - Enter Export Password:


Create the keys for Branch No. 2

# ./build-key-pkcs12 filial2
Generating a 1024 bit RSA private key
..................................++++++
.....++++++
writing new private key to 'filial2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:RU
State or Province Name (full name) [NA]:Rostov-on-Don
Locality Name (eg, city) [BISHKEK]:Zernograd
Organization Name (eg, company) [OpenVPN-TEST]:server
Organizational Unit Name (eg, section) []:server
Common Name (eg, your name or your server's hostname) []:filial2
Email Address [me@myhost.mydomain]:filial2@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:filial2
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'RU'
stateOrProvinceName :PRINTABLE:'Rostov-on-Don'
localityName :PRINTABLE:'Zernograd'
organizationName :PRINTABLE:'server'
organizationalUnitName:PRINTABLE:'server'
commonName :PRINTABLE:'filial2'
emailAddress :IA5STRING:'filial2@localhost'
Certificate is to be certified until Jan 17 19:46:38 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter Export Password:
Verifying - Enter Export Password:


Create the keys for Branch No. 3

# ./build-key-pkcs12 filial3
Generating a 1024 bit RSA private key
..................................++++++
.....++++++
writing new private key to 'filial3.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:RU
State or Province Name (full name) [NA]:Rostov-on-Don
Locality Name (eg, city) [BISHKEK]:Zernograd
Organization Name (eg, company) [OpenVPN-TEST]:server
Organizational Unit Name (eg, section) []:server
Common Name (eg, your name or your server's hostname) []:filial3
Email Address [me@myhost.mydomain]:filial3@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:filial3
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'RU'
stateOrProvinceName :PRINTABLE:'Rostov-on-Don'
localityName :PRINTABLE:'Zernograd'
organizationName :PRINTABLE:'server'
organizationalUnitName:PRINTABLE:'server'
commonName :PRINTABLE:'filial3'
emailAddress :IA5STRING:'filial3@localhost'
Certificate is to be certified until Jan 17 19:46:38 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter Export Password:
Verifying - Enter Export Password:

# exit

We have now created 3 keys
//> ls /usr/local/share/doc/openvpn/easy-rsa/keys/server | grep filial
filial1.p12
filial2.p12
filial3.p12
//>

In the directory /usr/local/etc/openvpn/ccd, create files with the settings for the branches

Branch No. 1
//> ee /usr/local/etc/openvpn/ccd/filial1

With the contents
ifconfig-push 10.10.100.2 10.10.100.1
iroute 192.168.1.0 255.255.255.0

Branch No. 2
//> ee /usr/local/etc/openvpn/ccd/filial2

With the contents
ifconfig-push 10.10.100.6 10.10.100.5
iroute 192.168.2.0 255.255.255.0

Branch No. 3
//> ee /usr/local/etc/openvpn/ccd/filial3

With the contents
ifconfig-push 10.10.100.10 10.10.100.9
iroute 192.168.3.0 255.255.255.0
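
An added example, not part of the original article: a Python check of the three ccd files above that confirms each ifconfig-push pair is the two usable hosts of one /30, that no two branches share a tunnel block, and that no branch's iroute subnet overlaps another's. It assumes the server uses OpenVPN's net30 topology (the address pairs on this page are consistent with it); the names `CCD`, `parse_ccd` and `audit` are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample input: the three ccd files from this page, keyed by file name
# (OpenVPN looks a ccd file up by the client certificate's Common Name).
CCD = {
    "filial1": "ifconfig-push 10.10.100.2 10.10.100.1\niroute 192.168.1.0 255.255.255.0\n",
    "filial2": "ifconfig-push 10.10.100.6 10.10.100.5\niroute 192.168.2.0 255.255.255.0\n",
    "filial3": "ifconfig-push 10.10.100.10 10.10.100.9\niroute 192.168.3.0 255.255.255.0\n",
}

def parse_ccd(text):
    """Return (tunnel /30 network, [iroute networks]); raise ValueError on a bad entry."""
    tunnel, routes = None, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "ifconfig-push" and len(words) == 3:
            local, remote = (ipaddress.ip_address(w) for w in words[1:])
            tunnel = ipaddress.ip_network(f"{local}/30", strict=False)
            # Assumption: net30 topology, both ends are the two hosts of one /30.
            if {local, remote} != set(tunnel.hosts()):
                raise ValueError(f"{local}/{remote} are not the two hosts of {tunnel}")
        elif words[0] == "iroute" and len(words) == 3:
            # Strict parsing rejects a network address that has host bits set.
            routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
    if tunnel is None:
        raise ValueError("no ifconfig-push line")
    return tunnel, routes

def audit(ccd):
    """Return a list of problems found across all ccd files (empty list = clean)."""
    parsed, problems = {}, []
    for name, text in sorted(ccd.items()):
        try:
            parsed[name] = parse_ccd(text)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    for (a, (ta, ra)), (b, (tb, rb)) in combinations(parsed.items(), 2):
        if ta == tb:
            problems.append(f"{a} and {b} share tunnel block {ta}")
        for x in ra:
            for y in rb:
                if x.overlaps(y):
                    problems.append(f"{a} iroute {x} overlaps {b} iroute {y}")
    return problems

if __name__ == "__main__":
    print(audit(CCD) or "ccd files are consistent")
```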

Restart the OpenVPN server
//> /usr/local/etc/rc.d/openvpn restart
Stopping openvpn.
Starting openvpn.
//>


Part 3



Source: http://www.lissyara.su/articles/freebsd/security/openvpn+pkcs-12/
Category: VPN | Added by: oleg (04.09.2010) | Author: Cancer