
Title: Ways to move certificates and ca from one server to another

Author: 角色    Time: 2022-6-7 10:52     Title: Ways to move certificates and ca from one server to another

This post was last edited by 角色 on 2022-6-7 15:17

You can first refer to [1]:
  /certificate
  export-certificate myCa export-passphrase=xxxxxxxx
  export-certificate server export-passphrase=xxxxxxxx

Then on second router:

  /certificate
  import file-name=cert_export_myCa.crt passphrase="xxxxxxxx"
  import file-name=cert_export_myCa.key passphrase="xxxxxxxx"
  import file-name=cert_export_server.crt passphrase="xxxxxxxx"
  import file-name=cert_export_server.key passphrase="xxxxxxxx"

After setting certificate for OpenVPN server and changing server.example.net to point to new router, client can connect again, without any changes required.

Below are the scripts I used to export the CA, server, and user certificates and private keys:

  /certificate
  export-certificate tw.ca export-passphrase=12345678
  export-certificate tw.server export-passphrase=12345678
  export-certificate peter export-passphrase=12345678

In the Files folder, you can find the corresponding files with crt and key extensions.

The following scripts are used for importing the certificates and keys of ca, server, and peter:

  /certificate
  import file-name=cert_export_tw.ca.crt passphrase="12345678"
  import file-name=cert_export_tw.ca.key passphrase="12345678"

  import file-name=cert_export_tw.server.crt passphrase="12345678"
  import file-name=cert_export_tw.server.key passphrase="12345678"

  import file-name=cert_export_peter.crt passphrase="12345678"
  import file-name=cert_export_peter.key passphrase="12345678"

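After finishing the settings above, if you have only one client, the VPN client can connect; but if you have more than one client, you will not be able to connect, and you will see the following in the log:

  cant's get private key
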
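For some unknown reason, during the import the Certificate under IPSec Identity, which should be server, gets changed to the name of one of the VPN clients. It needs to be changed back, i.e. certificate=server, and then it works.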

Also, when importing users' certificates, you can use the pk12 format (which contains the user certificate and private key).


References:
[1] BOUNTY for help offered - hardware upgrade - certificate export/import issue Link
[2] Can't Revoke Certificates after Importing to new hardware - has private key Link
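
An added example, not part of the original post: a shell check, run on a workstation holding the exported files, that each cert_export_*.crt matches its passphrase-protected .key and verifies against the exported CA before the files are imported on the second router. It assumes PEM-encoded exports, the openssl CLI, and the file names used in the post; the function names and the generated sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import sanity check for RouterOS certificate exports.
# Assumes the cert_export_<name>.crt / .key naming shown in the post and
# PEM files; function names and sample data are hypothetical/constructed.

# pair_ok NAME PASS DIR: does the .crt's public key match the encrypted .key?
pair_ok() {
    crt_pub=$(openssl x509 -in "$3/cert_export_$1.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$3/cert_export_$1.key" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# chain_ok CA NAME DIR: does NAME's certificate verify against the exported CA?
chain_ok() {
    openssl verify -CAfile "$3/cert_export_$1.crt" "$3/cert_export_$2.crt" >/dev/null 2>&1
}

# make_sample DIR PASS: constructed stand-ins for the exported files (not real exports).
make_sample() {
    d=$1; p=$2
    for n in tw.ca tw.server peter; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -aes-256-cbc -pass "pass:$p" -out "$d/cert_export_$n.key" 2>/dev/null
    done
    openssl req -x509 -new -key "$d/cert_export_tw.ca.key" -passin "pass:$p" \
        -subj "/CN=tw.ca" -days 1 -out "$d/cert_export_tw.ca.crt"
    for n in tw.server peter; do
        openssl req -new -key "$d/cert_export_$n.key" -passin "pass:$p" \
            -subj "/CN=$n" -out "$d/$n.csr"
        openssl x509 -req -in "$d/$n.csr" -CA "$d/cert_export_tw.ca.crt" \
            -CAkey "$d/cert_export_tw.ca.key" -passin "pass:$p" \
            -CAcreateserial -days 1 -out "$d/cert_export_$n.crt" 2>/dev/null
    done
}

# check_export DIR PASS: print one line per certificate, return 1 on any failure.
check_export() {
    rc=0
    for n in tw.ca tw.server peter; do
        if pair_ok "$n" "$2" "$1" && chain_ok tw.ca "$n" "$1"; then
            echo "OK   $n"
        else
            echo "FAIL $n"; rc=1
        fi
    done
    return $rc
}
```

Call check_export with the directory of downloaded export files and the export passphrase; make_sample exists only to generate constructed test data.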
Author: Skypeus    Time: 2022-6-10 18:59

Great post, bookmarked. Thanks to 角色 for sharing the experience!




Welcome to 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2