openvpn howto make OCSP server using OpenSSL [Part2]

# At Server 192.168.5.1

Create the OCSP responder on the VPN server with openssl ocsp. It answers from the CA database (keys/index.txt), so a certificate revoked with the CA tools is reported as revoked, and it signs responses with the CA certificate and key:
# cd /etc/openvpn/my_keys
# openssl ocsp -index keys/index.txt -port 4444 -CA keys/ca.crt -rsigner keys/ca.crt -rkey keys/ca.key -resp_text

Download the OCSP check script from http://svn.openvpn.net/projects/openvpn/contrib/dazo/contrib/OCSP_check/OCSP_check.sh
and save it as /etc/openvpn/my_keys/ocsp.sh.
The OpenVPN server will run this script (through tls-verify) to check each client certificate against the OCSP responder.

Edit the script so it points at the responder and at the CA certificate used to verify the response:
# vim ocsp.sh
ocsp_url="http://192.168.5.1:4444"
issuer="/etc/openvpn/my_keys/ca.crt"
verify="/etc/openvpn/my_keys/ca.crt"

At the end of the script, add the echo command below the line "# check that it's good", so that the status shows up in the OpenVPN log. It should look like this:
# check that it's good
  echo "OCSP status: $status"

Make sure the script is executable:
# chmod 755 ocsp.sh

Enable the TLS options in server.conf by removing the leading ';' from these lines (script-security 2 is required before OpenVPN will run an external script):
script-security 2
tls-verify /etc/openvpn/my_keys/ocsp.sh
tls-auth   /etc/openvpn/my_keys/ta.key 0

# openvpn --config server.conf
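As an added illustration of what the tls-verify hook does, here is a minimal script written for this page (it is not the contrib OCSP_check.sh linked above and not OpenVPN's own code). It assumes OpenVPN exports the peer serial in the tls_serial_<depth> variable in the decimal form that openssl ocsp -serial accepts as-is, and that the responder runs at the URL used in this setup; the OCSP lookup is kept in its own function so the hook can be exercised offline.

```shell
#!/bin/sh
# Minimal OpenVPN tls-verify hook with an OCSP check (added example).
# OpenVPN runs it as: ocsp.sh <depth> <x509 subject> and passes the peer
# certificate serial in tls_serial_<depth> (assumption: decimal form).
ocsp_url="http://192.168.5.1:4444"
issuer="/etc/openvpn/my_keys/ca.crt"
verify="/etc/openvpn/my_keys/ca.crt"

# Reduce raw `openssl ocsp` output to one word. Anything that is not an
# explicit "good" (revoked, unknown, a verify failure, a dead responder)
# is reported as a failure, so the hook fails closed.
ocsp_status_from_output() {
    case "$1" in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *": unknown"*) echo unknown ;;
        *)             echo error ;;
    esac
}

# Ask the responder about one serial. Kept separate so it can be stubbed.
ocsp_query() {
    openssl ocsp -issuer "$issuer" -CAfile "$verify" -url "$ocsp_url" \
        -serial "$1" 2>&1
}

# Return 0 to let the handshake continue, 1 to reject the peer.
tls_verify_hook() {
    depth="$1"
    subject="$2"
    # Only the leaf certificate (depth 0) is checked against the responder;
    # the CA certificate above it is already trusted through the ca option.
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    eval "serial=\${tls_serial_${depth}}"
    if [ -z "$serial" ]; then
        echo "OCSP status: error (no serial for $subject)"
        return 1
    fi
    status=$(ocsp_status_from_output "$(ocsp_query "$serial")")
    echo "OCSP status: $status ($subject, serial $serial)"
    [ "$status" = good ]
}

# When invoked by OpenVPN with its two arguments, act on them.
if [ "$#" -eq 2 ]; then
    tls_verify_hook "$1" "$2"
fi
```

The line "OCSP status: ..." mirrors the echo added to the contrib script above; with verb 3 or higher it appears in the server log for every client handshake.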

At Client 192.168.5.5

On the server, copy the TLS auth key to the client:
# scp /etc/openvpn/my_keys/ta.key root@192.168.5.5:/etc/openvpn/my_keys/

Back on the client, enable the TLS options in client.conf by removing the leading ';' from these lines:

ns-cert-type server
tls-auth /etc/openvpn/my_keys/ta.key 1

# openvpn --config client.conf

