openvpn 追加 client 证书

# 查找 build-key 装在了哪里，用 2.0 的
[root@test-machine ~]# find / -name build-key
/usr/local/easy-rsa-old-master/easy-rsa/1.0/build-key
/usr/local/easy-rsa-old-master/easy-rsa/2.0/build-key

# 进入目录
[root@test-machine ~]# cd /usr/local/easy-rsa-old-master/easy-rsa/2.0/
[root@test-machine 2.0]# ls
build-ca  build-inter  build-key-pass    build-key-server  build-req-pass  inherit-inter  list-crl           openssl-0.9.8.cnf  pkitool      sign-req  whichopensslcnf
build-dh  build-key    build-key-pkcs12  build-req         clean-all       keys           openssl-0.9.6.cnf  openssl-1.0.0.cnf  revoke-full  vars

# 新建一个证书 clientnexus ，报错
[root@test-machine 2.0]# ./build-key clientnexus
  Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.

# 按提示运行 source ./vars
[root@test-machine 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/easy-rsa-old-master/easy-rsa/2.0/keys

# 再创建证书，一路回车，直到最后输入两次 y
[root@test-machine 2.0]# ./build-key clientnexus
Generating a 4096 bit RSA private key
...................................++
...............................................................................................................................................++
writing new private key to 'clientnexus.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [qijiangtech]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [clientnexus]:
Name [changeme]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/easy-rsa-old-master/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'qijiangtech'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'clientnexus'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Aug  5 00:52:56 2034 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test-machine 2.0]#  

# 在 keys 文件夹中可以查看到证书
[root@test-machine 2.0]# ls keys/