how to generate CA

2025-04-03 20:47:38 +03:00 · 2021-12-05 20:53:32 +08:00 · 2021-12-05 20:53:32 +08:00 · 7d9edaba3c
commit 7d9edaba3c
parent fb189c5411
2 changed files with 146 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -363,3 +363,75 @@ To change the logging level, use `LOGGING_LEVEL` environment variable. The avail
 To print JSON instead, set `LOGGING_FORMATTER` to `json`

 To change the logging timestamp format, set `LOGGING_TIMESTAMP_FORMAT`
+
+ ## Hysteria custom CA
+
+  1. Suppose the server address is `123.123.123.123`, UDP port `5678` is not blocked by firewall
+  2. openssl is already installed
+  3. hysteria is already installed in `/root/hysteria/` directory
+<details>
+  <summary>4. Generate custom CA certificate</summary>
+
+- Run below shell in `/root/hysteria/` folder
+
+``` shell
+#!/usr/bin/env bash
+
+domain=$(openssl rand -hex 8)
+password=$(openssl rand -hex 16)
+obfs=$(openssl rand -hex 6)
+path="/root/hysteria"
+
+openssl genrsa -out hysteria.ca.key 2048
+
+openssl req -new -x509 -days 3650 -key hysteria.ca.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=Hysteria Root CA" -out hysteria.ca.crt
+
+openssl req -newkey rsa:2048 -nodes -keyout hysteria.server.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=*.${domain}.com" -out hysteria.server.csr
+
+openssl x509 -req -extfile <(printf "subjectAltName=DNS:${domain}.com,DNS:www.${domain}.com") -days 3650 -in hysteria.server.csr -CA hysteria.ca.crt -CAkey hysteria.ca.key -CAcreateserial -out hysteria.server.crt
+
+cat > ./client.json <<EOF
+{
+    "server": "123.123.123.123:5678",
+    "alpn": "h3",
+    "obfs": "${obfs}",
+    "auth_str": "${password}",
+    "up_mbps": 30,
+    "down_mbps": 30,
+    "socks5": {
+        "listen": "0.0.0.0:1080"
+    },
+    "http": {
+        "listen": "0.0.0.0:8080"
+    },
+    "server_name": "www.${domain}.com",
+    "ca": "${path}/hysteria.ca.crt"
+}
+EOF
+
+
+cat > ./server.json <<EOF
+{
+    "listen": ":5678",
+    "alpn": "h3",
+    "obfs": "${obfs}",
+    "cert": "${path}/hysteria.server.crt",
+    "key": "${path}/hysteria.server.key" ,
+    "auth": {
+        "mode": "password",
+        "config": {
+            "password": "${password}"
+        }
+    }
+}
+EOF
+```
+</details>
+
+5. Server side: copy `server.json`、 `hysteria.server.crt`、 `hysteria.server.key` to `/root/hysteria/` directory, run `/root/hysteria/hysteria -c /root/hysteria/server.json server` command
+
+6. Client side: Assuming that the client directory is also`/root/hysteria`, copy `client.json`、`hysteria.ca.crt` to `/root/hysteria/` directory, run `/root/hysteria/hysteria -c /root/hysteria/client.json` cmmand
+
+7. After generating CA certificate, modify the server address, port and certificate file path according to your own situation, add obfs and alpn to prevent the first time to be walled in some environment, after the first test passed in full parameters, you can remove the unnecessary parameters such as obfs and alpn in your own network environment.
+
+8. If you are using shadowrocket on IOS, you can airdrop the file `hysteria.ca.crt` to your iPhone and install it, then you can use custom CA certificate.
--- a/README.zh.md
+++ b/README.zh.md
@ -343,3 +343,77 @@ ACL 在服务端和客户端都可以使用。在服务端可以用来实现限
 如果需要输出 JSON 可以把 `LOGGING_FORMATTER` 设置为 `json`

 如果需要修改日志时间戳格式可以使用 `LOGGING_TIMESTAMP_FORMAT`
+
+
+ ## Hysteria自定义CA方法
+
+  1. 假设服务器地址是 `123.123.123.123`, 端口`5678`UDP/TCP协议未被防火墙拦截
+  2. 已经安装了 openssl
+  3. hysteria 已经安装在 `/root/hysteria/`目录下
+<details>
+  <summary>4. 生成自定义CA证书</summary>
+
+- 在 `/root/hysteria/` 目录下，将以下shell命令保存为 `generate.sh` , 并赋予执行权限: `chmod +x ./generate.sh` 后，运行 `./generate.sh` 命令生成自定义CA证书
+- 或者在`/root/hysteria/` 目录下，直接执行以下shell命令生成自定义CA证书
+
+``` shell
+#!/usr/bin/env bash
+
+domain=$(openssl rand -hex 8)
+password=$(openssl rand -hex 16)
+obfs=$(openssl rand -hex 6)
+path="/root/hysteria"
+# 生成CAkey
+openssl genrsa -out hysteria.ca.key 2048
+# 生成CA证书
+openssl req -new -x509 -days 3650 -key hysteria.ca.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=Hysteria Root CA" -out hysteria.ca.crt
+
+openssl req -newkey rsa:2048 -nodes -keyout hysteria.server.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=*.${domain}.com" -out hysteria.server.csr
+# 签发服务端用的证书
+openssl x509 -req -extfile <(printf "subjectAltName=DNS:${domain}.com,DNS:www.${domain}.com") -days 3650 -in hysteria.server.csr -CA hysteria.ca.crt -CAkey hysteria.ca.key -CAcreateserial -out hysteria.server.crt
+
+cat > ./client.json <<EOF
+{
+    "server": "123.123.123.123:5678",
+    "alpn": "h3",
+    "obfs": "${obfs}",
+    "auth_str": "${password}",
+    "up_mbps": 30,
+    "down_mbps": 30,
+    "socks5": {
+        "listen": "0.0.0.0:1080"
+    },
+    "http": {
+        "listen": "0.0.0.0:8080"
+    },
+    "server_name": "www.${domain}.com",
+    "ca": "${path}/hysteria.ca.crt"
+}
+EOF
+
+
+cat > ./server.json <<EOF
+{
+    "listen": ":5678",
+    "alpn": "h3",
+    "obfs": "${obfs}",
+    "cert": "${path}/hysteria.server.crt",
+    "key": "${path}/hysteria.server.key" ,
+    "auth": {
+        "mode": "password",
+        "config": {
+            "password": "${password}"
+        }
+    }
+}
+EOF
+```
+</details>
+
+5. 服务端：复制 `server.json`、 `hysteria.server.crt`、 `hysteria.server.key` 到 `/root/hysteria/` 目录下，运行 `/root/hysteria/hysteria -c /root/hysteria/server.json server` 命令
+
+6. 客户端：假设客户端运行目录也为`/root/hysteria`, 复制 `client.json`、`hysteria.ca.crt` 到 `/root/hysteria/` 目录下，运行 `/root/hysteria/hysteria -c /root/hysteria/client.json` 命令
+
+7. 生成CA证书之后，根据自身情况修改服务器地址、端口和证书文件路径，加上`obfs`和`alpn`是防止首次在某些环境下被墙，第一次在全参数情况下测试通过后，可以自身网络环境删除不必须要参数，比如`obfs`和`alpn`.
+
+8. IOS端如果使用的是小火箭shadowrocket，可以把文件`hysteria.ca.crt` airdrop到手机，然后在手机上安装并信任后, 就可以使用自定义CA证书了。