Ways to move certificates and ca from one server to another
Last edited by 角色 on 2022-6-7 15:17
You can first refer to [1]:

```
/certificate
export-certificate myCa export-passphrase=xxxxxxxx
export-certificate server export-passphrase=xxxxxxxx
```

Then on the second router:

```
/certificate
import file-name=cert_export_myCa.crt passphrase="xxxxxxxx"
import file-name=cert_export_myCa.key passphrase="xxxxxxxx"
import file-name=cert_export_server.crt passphrase="xxxxxxxx"
import file-name=cert_export_server.key passphrase="xxxxxxxx"
```

After setting the certificate for the OpenVPN server and changing server.example.net to point to the new router, the client can connect again without any changes required.
Below are the scripts I have used to export the CA, server and user certificates and private keys:

```
/certificate
export-certificate tw.ca export-passphrase=12345678
export-certificate tw.server export-passphrase=12345678
export-certificate peter export-passphrase=12345678
```

In the Files list you will find the corresponding files with .crt and .key extensions.
The following scripts are used for importing the certificates and keys of ca, server and peter:

```
/certificate
import file-name=cert_export_tw.ca.crt passphrase="12345678"
import file-name=cert_export_tw.ca.key passphrase="12345678"
import file-name=cert_export_tw.server.crt passphrase="12345678"
import file-name=cert_export_tw.server.key passphrase="12345678"
import file-name=cert_export_peter.crt passphrase="12345678"
import file-name=cert_export_peter.key passphrase="12345678"
```
After completing the settings above, if you only have one client, you can connect with the VPN client; but if you have more than one client, you will not be able to connect, and the log does not show why. During the import, the Certificate in the IPsec Identity, which should be server, was changed by the import to the name of one of the VPN clients. Change it back, i.e. certificate=server, and it works.
Also, user certificates can be imported in PKCS#12 (pk12) format (which contains the user certificate and private key).
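Added example, not from the forum post or from MikroTik: a POSIX shell script using openssl, run on a workstation holding the exported files, that checks an exported .crt and its passphrase-protected .key really belong together before they are imported on the new router, and that bundles a user certificate and key into the PKCS#12 format mentioned above. The file names and passphrases are assumed from the post.

```shell
#!/bin/sh
# Added example (not from the forum post or MikroTik). Run on a workstation
# holding the files exported from the old router. Assumes the file names and
# passphrases used in the post; openssl must be installed.

# cert_key_match <cert.crt> <cert.key> <key passphrase>
# Exit 0 if the certificate's public key equals the public key derived from
# the passphrase-protected private key, 1 on mismatch, 2 if a file or the
# passphrase cannot be read. Catches a .crt/.key pair that was mixed up
# before it is imported and attached to the wrong certificate name.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# bundle_pkcs12 <cert.crt> <cert.key> <key passphrase> <out.p12> <p12 passphrase>
# Builds the PKCS#12 file (certificate + private key in one container) that
# the post suggests for importing a user certificate; refuses mismatched pairs.
bundle_pkcs12() {
    cert_key_match "$1" "$2" "$3" || return 1
    openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$3" \
        -name "$(basename "$1" .crt)" -out "$4" -passout "pass:$5"
}

# Stand-alone use (file names assumed from the post):
#   sh check_export.sh cert_export_peter.crt cert_export_peter.key 12345678
#   sh check_export.sh cert_export_peter.crt cert_export_peter.key 12345678 peter.p12 p12pass
if [ "$#" -eq 3 ]; then
    cert_key_match "$@" && echo "certificate and private key match"
elif [ "$#" -eq 5 ]; then
    bundle_pkcs12 "$@" && echo "wrote $4"
fi
```

The resulting .p12 can be uploaded to Files and imported with the same `/certificate import file-name=... passphrase=...` command as above.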
References:
[1] BOUNTY for help offered - hardware upgrade - certificate export/import issue
[2] Can't Revoke Certificates after Importing to new hardware - has private key