Generate and export certificates

Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root certificate and generate client certificates using the Linux CLI and strongSwan. If you are looking for different certificate instructions, see the PowerShell or MakeCert articles. For information about how to install strongSwan using the GUI instead of the CLI, see the steps in the Client configuration article.

Install strongSwan

The following configuration was used for the steps below:

Computer:     Ubuntu Server 18.04
Dependencies: strongSwan

Use the following commands to install the required strongSwan packages:

sudo apt install strongswan
sudo apt install strongswan-pki
sudo apt install libstrongswan-extra-plugins

Use the following command to install the Azure command-line interface:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Additional instructions on how to install the Azure CLI

Generate and export certificates

Generate the CA certificate.

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem

Print the CA certificate in base64 format (the DER encoding of the public certificate only, not caKey.pem). This is the format that is supported by Azure. You upload this certificate to Azure as part of the P2S configuration steps.

openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo

Generate the user certificate.

export PASSWORD="password"
export USERNAME="client"

ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"

Generate a p12 bundle containing the user certificate and its private key. This bundle will be used in the next steps when working with the client configuration files.

openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"
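As an added example (not part of this article), the same artifacts can be produced and checked with openssl alone, which is useful on a machine where strongSwan's ipsec pki is not installed. It assumes openssl 1.1.1 or later and GNU coreutils base64 on PATH, and treats the strongSwan --san identity as a DNS SAN. The verify function confirms what Azure and the VPN client will rely on: the client certificate chains to caCert.pem, carries the clientAuth EKU, the base64 blob you upload decodes to that same root, and the p12 opens with the password.

```shell
#!/bin/sh
# Added example: openssl-only stand-in for the ipsec pki steps above, plus consistency checks.
# Assumptions: openssl >= 1.1.1, GNU base64; "--san client" is rendered as DNS:client.
set -eu

# generate_p2s_certs DIR USERNAME PASSWORD
# Writes caKey.pem, caCert.pem, caCert.b64, <user>Key.pem, <user>Cert.pem and <user>.p12 into DIR.
generate_p2s_certs() {
    dir=$1; user=$2; pass=$3
    mkdir -p "$dir"
    # Self-signed root: explicit CA flag and cert-signing key usage, so verifiers accept it as a CA.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/caKey.pem" 2>/dev/null
    openssl req -new -key "$dir/caKey.pem" -subj "/CN=VPN CA" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/caKey.pem" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/caCert.pem" 2>/dev/null
    # Single-line base64 DER of the public root, the form Azure accepts (never the key).
    openssl x509 -in "$dir/caCert.pem" -outform der | base64 -w0 > "$dir/caCert.b64"
    # Client key + CSR, issued by the root with clientAuth EKU and a SAN, like ipsec pki --issue.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/${user}Key.pem" 2>/dev/null
    openssl req -new -key "$dir/${user}Key.pem" -subj "/CN=$user" -out "$dir/${user}.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:%s\n' "$user" > "$dir/client.ext"
    openssl x509 -req -in "$dir/${user}.csr" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/${user}Cert.pem" 2>/dev/null
    # PKCS#12 bundle with key, client cert and root, as in the final step of the article.
    openssl pkcs12 -export -in "$dir/${user}Cert.pem" -inkey "$dir/${user}Key.pem" \
        -certfile "$dir/caCert.pem" -out "$dir/${user}.p12" -password "pass:$pass"
}

# verify_p2s_certs DIR USERNAME PASSWORD
# Returns 0 only if the client cert chains to the root, is usable for client auth, the upload
# blob round-trips to the same root, and the p12 can be opened with PASSWORD.
verify_p2s_certs() {
    dir=$1; user=$2; pass=$3
    openssl verify -CAfile "$dir/caCert.pem" "$dir/${user}Cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/${user}Cert.pem" -noout -purpose | grep -q '^SSL client : Yes' || return 1
    local_fp=$(openssl x509 -in "$dir/caCert.pem" -noout -fingerprint -sha256)
    blob_fp=$(base64 -d "$dir/caCert.b64" | openssl x509 -inform der -noout -fingerprint -sha256)
    [ "$local_fp" = "$blob_fp" ] || return 1
    openssl pkcs12 -in "$dir/${user}.p12" -password "pass:$pass" -noout 2>/dev/null || return 1
}
```

Run it as `generate_p2s_certs ./p2s client password && verify_p2s_certs ./p2s client password`; a non-zero exit from the second call means one of the artifacts is not what the VPN gateway or client will expect.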

Next steps

Continue with your Point-to-Site configuration to create and install VPN client configuration files.