I am trying to create certificates for AWS VPN and OpenVPN using PowerShell. I have found the documentation to be of little help. Are there any good websites?
1 Answer
Use the CreateCertificate.ps1 script, then follow the instructions below:
CreateCertificate.ps1
# Run as Administrator (Install-Module -Scope AllUsers and the LocalMachine store both need it)
function Get-ScriptRoot()
{
    # Folder the script lives in; falls back to the current directory when the
    # lines are pasted into an interactive session and $PSScriptRoot is empty.
    $ScriptRoot = ""
    Try
    {
        $ScriptRoot = Get-Variable -Name PSScriptRoot -ValueOnly -ErrorAction Stop
    }
    Catch
    {
        $ScriptRoot = Split-Path $script:MyInvocation.MyCommand.Path
    }
    if ([string]::IsNullOrEmpty($ScriptRoot)) { $ScriptRoot = (Get-Location).Path }
    return $ScriptRoot
}
# PSPKI provides Convert-PfxToPem; install it once, then import it
if (-not (Get-Module -ListAvailable -Name PSPKI)) { Install-Module -Name PSPKI -Scope AllUsers }
Import-Module PSPKI
$PSScriptPath = Get-ScriptRoot
# Password protecting the exported PFX files (example value, change it)
$certPassword = ConvertTo-SecureString -String "touchworks.VPN" -Force -AsPlainText
# Create a self-signed root certificate (LocalMachine store, valid for 5 years)
$exp = (Get-Date).AddYears(5)
$rootCert = New-SelfSignedCertificate `
    -DnsName self-service.root.clientvpn.amazonaws.com `
    -Subject "CN=AWS.VPN.Root" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -NotAfter $exp `
    -KeyExportPolicy Exportable -KeySpec Signature -KeyProtection None -KeyUsageProperty All
# Create a client certificate signed by the root; EKU 1.3.6.1.5.5.7.3.2 = client authentication
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert `
    -Subject "CN=AWS.VPN.Client" `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -KeyExportPolicy Exportable -KeySpec Signature -KeyProtection None -KeyUsageProperty All
# Export the root certificate with its private key (PFX), then convert it to PEM
$rootCert.PSPath
$pfxFilePath = "$PSScriptPath\" + $rootCert.Subject + ".pfx"
$pemFilePath = "$PSScriptPath\" + $rootCert.Subject + ".pem"
Export-PfxCertificate -Cert $rootCert.PSPath -FilePath $pfxFilePath -Password $certPassword
Convert-PfxToPem -InputFile $pfxFilePath -OutputFile $pemFilePath -Password $certPassword -OutputType Pkcs1
# Export the client certificate the same way (the PFX also carries the root in its chain)
$clientCert.PSPath
$pfxFilePath = "$PSScriptPath\" + $clientCert.Subject + ".pfx"
$pemFilePath = "$PSScriptPath\" + $clientCert.Subject + ".pem"
Export-PfxCertificate -Cert $clientCert.PSPath -FilePath $pfxFilePath -Password $certPassword -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256
Convert-PfxToPem -InputFile $pfxFilePath -OutputFile $pemFilePath -Password $certPassword -OutputType Pkcs1
1. Create the certificates
Run CreateCertificate.ps1
The following files are generated:
Root: CN=AWS.VPN.Root.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAscrFXB0k4vVt2+4WX2f67ceWW8bL/Zxwj8VboOucAiy2RtUV
...
Pdo5MeLbJCYjZwMxZ0KuLybyl0OxkYnhYT7UNExJYgz0E87fJIFN
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIQaBfHrrrdALtOxYJsf+N4UzANBgkqhkiG9w0BAQsFADAX
...
HmuJiV7KTDWGkmTVfgxP1coMr7M=
-----END CERTIFICATE-----
Client: CN=AWS.VPN.Client.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAq6MdA2PWfsR6k2r1rT7EFgN4fGgKvRIFpTE5K7WmUDBxqSL/
...
eEM5vupZfK5F2LW4cqkFFamv93+gcgWqVo/7U9rxwQbMdBj9v2bMWQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDOzCCAiOgAwIBAgIQWzHJgWjQhoJKcnXOLno1fTANBgkqhkiG9w0BAQsFADAX
...
ORyAIYAJd3P2MIecP+NR
-----END CERTIFICATE-----
2. Import the root certificate into AWS Certificate Manager as follows:
Use Certificate Manager | Import certificate
Certificate body ==> use the root certificate
Certificate private key ==> use the root RSA private key
Certificate chain ==> leave blank
3. Apply the AWS Certificate Manager certificate to the VPN using AWS Client VPN Endpoints
Use the button Client VPN Endpoints | Actions | Modify Client VPN Endpoint
4. Download the client configuration (ovpn) file using AWS Client VPN Endpoints
Use the button Client VPN Endpoints | Download Client Configuration
5. Modify the client configuration (ovpn) file
- There is a bug in the OpenVPN client: it ignores the remote-random-hostname setting in the ovpn file.
- The VPN's self-service portal does not generate a usable ovpn file.
Modify the ovpn file as follows:
- Add a random string to the URL
- Add the client certificate and key
Example OVPN file
client
dev tun
proto udp
>>> remote qwerty.cvpn-endpoint-0aae...680bf.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIQdn3tb5/zQJJCitV4XSxmmTANBgkqhkiG9w0BAQsFADAX
...
tx2txb5TvvJnEoRkEFlnpxmXd5U=
-----END CERTIFICATE-----
</ca>
>>> <cert>
>>> -----BEGIN CERTIFICATE-----
>>>
>>> ***CLIENT CERTIFICATE***
>>>
>>> -----END CERTIFICATE-----
>>>
>>>
>>> </cert>
>>> <key>
>>> -----BEGIN RSA PRIVATE KEY-----
>>>
>>> ***CLIENT RSA PRIVATE KEY***
>>>
>>> -----END RSA PRIVATE KEY-----
>>>
>>> </key>
auth-user-pass
reneg-sec 0
6. Distribute the modified ovpn file and the client to users.
- The AWS VPN Client cannot be used with this configuration.
- Users will need the OpenVPN client: https://openvpn.net/download-open-vpn/
7. References
How to set up a VPN server on Windows
https://www.wintips.org/how-to-setup-vpn-server-on-windows-server-2016-pptp/
https://acloudxpert.com/generate-and-export-certificates-for-point-to-site-using-powershell/
How to use AWS VPN to lock down access to your servers
https://www.cloudsavvyit.com/3270/how-to-use-aws-vpn-to-lock-down-access-to-your-servers/
Create a self-signed certificate with PowerShell
https://4sysops.com/archives/create-a-self-signed-certificate-with-powershell/
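As an added example (not part of the answer above and not AWS tooling), the following PowerShell turns steps 1 and 5 into a check-and-assemble pass instead of a hand edit: it loads the two PEM files the script writes, verifies that the client certificate carries the clientAuth EKU and is actually signed by the generated root (pinned by thumbprint, since the root is neither in the Windows trust store nor marked CA=true, so the chain engine is told to tolerate exactly those two conditions), and then writes a distributable .ovpn by prefixing the endpoint hostname with a random label and appending inline <cert> and <key> blocks. The PEM file names are the ones CreateCertificate.ps1 produces; the template path, the output path and the function names are assumptions. It runs on Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example: verify the generated client certificate against the generated
# root, then assemble the distributable .ovpn. Paths and function names are
# assumptions; the two PEM file names are the ones CreateCertificate.ps1 writes.

function Get-PemBlock {
    param([string]$Pem, [string]$Label)   # Label: 'CERTIFICATE' or 'RSA PRIVATE KEY'
    # First block of the requested type, headers included (when a PEM also carries
    # the chain, the first CERTIFICATE block is the end-entity certificate)
    $m = [regex]::Match($Pem, "-----BEGIN $Label-----(.*?)-----END $Label-----", 'Singleline')
    if (-not $m.Success) { throw "No $Label block found" }
    return $m.Value
}

function ConvertFrom-PemCertificate {
    param([string]$PemBlock)
    # Strip the PEM armour and whitespace, decode to DER, load as X509Certificate2
    $b64 = ($PemBlock -replace '-----[^-]+-----', '') -replace '\s', ''
    $der = [Convert]::FromBase64String($b64)
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
}

function Test-ClientCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Client,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    if ($Client.NotAfter -lt (Get-Date)) { throw "Client certificate expired $($Client.NotAfter)" }

    # The script sets EKU 1.3.6.1.5.5.7.3.2 (client authentication) via -TextExtension
    $eku = $Client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))) {
        throw "Client certificate lacks the clientAuth EKU"
    }

    # The root is not in the Windows trust store and carries no CA basic constraint,
    # so tolerate exactly those conditions and pin the top of the chain to the
    # root's thumbprint instead of trusting whatever the store contains.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-issued certs publish no CRL/OCSP
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority, IgnoreInvalidBasicConstraints, IgnoreWrongUsage'
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    [void]$chain.Build($Client)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $Root.Thumbprint) { throw "Client certificate does not chain to $($Root.Subject)" }
    if ($chain.ChainStatus | Where-Object { $_.Status -eq 'NotSignatureValid' }) {
        throw "Signature on the client certificate does not verify with the root key"
    }
    return $true
}

function New-ClientOvpn {
    param(
        [string]$TemplatePath,    # .ovpn downloaded from the Client VPN endpoint (step 4)
        [string]$ClientPemPath,   # CN=AWS.VPN.Client.pem
        [string]$RootPemPath,     # CN=AWS.VPN.Root.pem
        [string]$OutputPath
    )
    $clientPem = Get-Content -Raw -Path $ClientPemPath
    $rootPem   = Get-Content -Raw -Path $RootPemPath
    $certBlock = Get-PemBlock -Pem $clientPem -Label 'CERTIFICATE'
    $keyBlock  = Get-PemBlock -Pem $clientPem -Label 'RSA PRIVATE KEY'
    $client    = ConvertFrom-PemCertificate $certBlock
    $root      = ConvertFrom-PemCertificate (Get-PemBlock -Pem $rootPem -Label 'CERTIFICATE')
    [void](Test-ClientCertificate -Client $client -Root $root)

    $template = Get-Content -Path $TemplatePath
    if ($template -match '^\s*<(cert|key)>') { throw "Template already carries inline <cert>/<key> blocks" }

    # Step 5: put a random label in front of the endpoint host name so each file
    # resolves a distinct name, then append the client identity.
    $label = [guid]::NewGuid().ToString('N').Substring(0, 12)
    $out = @(foreach ($line in $template) {
        if ($line -match '^\s*remote\s+(\S+)\s+(\d+)\s*$') { 'remote {0}.{1} {2}' -f $label, $Matches[1], $Matches[2] }
        else { $line }
    })
    $out += '<cert>', $certBlock, '</cert>', '<key>', $keyBlock, '</key>'
    Set-Content -Path $OutputPath -Value $out -Encoding Ascii
    return $OutputPath
}

# Usage (paths are assumptions; run from the folder CreateCertificate.ps1 wrote into):
# New-ClientOvpn -TemplatePath .\downloaded-client-config.ovpn `
#     -ClientPemPath '.\CN=AWS.VPN.Client.pem' -RootPemPath '.\CN=AWS.VPN.Root.pem' `
#     -OutputPath .\client.ovpn
```

The output embeds the client's private key in clear text, exactly as the hand-edited example above does, so handle the finished .ovpn as a credential when distributing it. The function refuses a template that already contains <cert> or <key> rather than producing a file with two identities, and it fails closed on a client certificate that does not verify against the generated root, which catches the common mistake of pairing a client PEM with the wrong root.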