@bao3
Created October 6, 2014 08:31
These are a few scripts for issuing certificates. Note that they require gnutls to be installed. They were mainly written for ocserv, purely to save effort. Basically, you just run ./cert-client.sh your-user-name and it automatically generates your-user-name-key.pem, your-user-name-cert.pem and your-user-name.p12.

cert-client.sh:
#! /bin/sh
# Issue a client certificate signed by the local CA (requires gnutls certtool and openssl).
# Usage: ./cert-client.sh <user-name>
set -e
[ -n "$1" ] || { echo "usage: $0 <user-name>" >&2; exit 1; }
certtool --generate-privkey --outfile "$1-key.pem"
# Rewrite lines 1 (cn) and 3 (email) of client.tmpl for this user
sed -i "1ccn = \"${1}\"" client.tmpl
sed -i "3cemail = ${1}@abc.org" client.tmpl
certtool --generate-certificate --load-privkey "$1-key.pem" --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template client.tmpl --outfile "$1-cert.pem"
# Bundle key, certificate and CA certificate into a PKCS#12 file for import into the VPN client
openssl pkcs12 -export -inkey "$1-key.pem" -in "$1-cert.pem" -name "$1 VPN Client Cert" -certfile ca-cert.pem -out "$1.cert.p12"
exit 0
CA certificate template (the CA behind ca-cert.pem / ca-key.pem):
cn = "abc.org VPN CA"
state = "Shanghai"
country = CN
organization = "Tyrael Ltd."
serial = 1
expiration_days = 3650
email = "[email protected]"
dns_name = "anyconnect.abc.org"
ca
signing_key
encryption_key
ipsec_ike_key
cert_signing_key
crl_signing_key
Server certificate template (for anyconnect.abc.org):
cn = "anyconnect.abc.org"
o = "Tyrael Ltd."
email = [email protected]
dns_name = "anyconnect.abc.org"
country = CN
state = "Shanghai"
serial = 2
expiration_days = 3650
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
ipsec_ike_key
time_stamping_key
Client certificate template, client.tmpl (lines 1 and 3 are rewritten by cert-client.sh):
cn = test
o = "Tyrael Ltd."
email = [email protected]
dns_name = "anyconnect.abc.org"
country = CN
state = "Shanghai"
serial = 3
expiration_days = 3650
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_client
ipsec_ike_key
time_stamping_key
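The script above rewrites client.tmpl in place by line number and splices the user name into a sed command, which breaks on names containing quotes, spaces or sed metacharacters and leaves the shared template altered after every run. As an added example (not the gist's own code) here is a variant that validates the name, writes a throwaway per-user template, verifies the issued certificate against the CA before bundling it, and takes the serial as an argument so it stays unique. It assumes ca-cert.pem and ca-key.pem already exist in the working directory and that certtool and openssl are installed; the organisation, domain and lifetime values are copied from the gist's templates.

```shell
#!/bin/sh
# Added example (not the gist's own script): issue a client certificate from a
# per-user template instead of editing the shared client.tmpl in place.
# Assumes ca-cert.pem and ca-key.pem exist here, and that gnutls certtool and
# openssl are installed. "abc.org", "Tyrael Ltd." and the values below come
# from the gist's templates.
set -eu

# Accept only names that are safe both as a file name and as a template value
# (no quotes, spaces or shell/sed metacharacters).
valid_user_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a certtool template for one client on stdout. The serial is passed in
# because certtool needs distinct serials for certificates under one CA.
make_client_template() {
    user=$1
    serial=$2
    printf 'cn = "%s"\n' "$user"
    printf 'o = "Tyrael Ltd."\n'
    printf 'email = "%s@abc.org"\n' "$user"
    printf 'country = CN\n'
    printf 'state = "Shanghai"\n'
    printf 'serial = %s\n' "$serial"
    printf 'expiration_days = 3650\n'
    printf 'signing_key\n'
    printf 'encryption_key\n'
    printf 'tls_www_client\n'
}

# Generate key, certificate and PKCS#12 bundle for one user, and refuse to hand
# out a certificate that does not verify against ca-cert.pem.
issue_client() {
    user=$1
    serial=$2
    valid_user_name "$user" || { echo "refusing unsafe user name: $user" >&2; return 1; }
    tmpl="$user.tmpl"
    make_client_template "$user" "$serial" > "$tmpl"
    certtool --generate-privkey --outfile "$user-key.pem"
    certtool --generate-certificate --load-privkey "$user-key.pem" \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template "$tmpl" --outfile "$user-cert.pem"
    # Fails (and aborts, via set -e) if the chain to the CA does not verify.
    certtool --verify --load-ca-certificate ca-cert.pem --infile "$user-cert.pem" >/dev/null
    # Include the CA certificate so the importing client can build the chain.
    openssl pkcs12 -export -inkey "$user-key.pem" -in "$user-cert.pem" \
        -name "$user VPN Client Cert" -certfile ca-cert.pem -out "$user.p12"
    rm -f "$tmpl"
}

# Usage: ./issue-client.sh <user-name> [serial]; the serial defaults to the
# current epoch time, which is unique enough for a small VPN CA.
if [ "${1:-}" != "" ]; then
    issue_client "$1" "${2:-$(date +%s)}"
fi
```

Because the template is generated rather than patched, it no longer matters which line the cn or email sits on, and the original client.tmpl is never modified.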
@JaminZhang

Strange: I generated the client certificate with your commands, but during the connection I get a "certificate not found" message, as follows:

Oct 15 02:37:44 jamin-sfo1 ocserv[996]: GnuTLS error (at worker-vpn.c:734): A TLS fatal alert has been received.: Unknown certificate
Oct 15 02:37:44 jamin-sfo1 ocserv[964]: main: 106.38.240.21:15040 main-misc.c:423: command socket closed
Oct 15 02:38:39 jamin-sfo1 ocserv[997]: worker: 106.38.240.21:15060 tlslib.c:349: error verifying client certificate: No certificate was found.
Oct 15 02:38:39 jamin-sfo1 ocserv[997]: worker: 106.38.240.21:15060 no certificate provided for authentication
Oct 15 02:38:39 jamin-sfo1 ocserv[964]: main: 106.38.240.21:15060 main-misc.c:423: command socket closed

@pwcpp

pwcpp commented Jan 10, 2015

For the "certificate not found" in the log, I suggest copying the certificate from "Trusted Root Certification Authorities" to "Personal" and trying again.

But the problem on my side (server: Debian 7 with ocserv 0.8.9, also tried 0.8.5) is that when connecting from Windows 7 with Cisco AnyConnect Secure Mobility Client, the client shows "Establishing VPN - Repairing VPN adapter.." for a while and the connection ultimately fails; during that time the AnyConnect adapter cannot obtain an IP either. The corresponding ocserv server log is:
...
ocserv[3753]: main: processed 1 CA certificate(s)
ocserv[3753]: main: putting process 3755 to cgroup 'cpuset:test'
ocserv[3753]: main: main-misc.c:755: cannot open: /sys/fs/cgroup/cpuset/test/tasks
ocserv[3755]: worker: ...:60311 accepted connection
ocserv[3754]: sec-mod: received request from pid 3755 and uid 65534
ocserv[3754]: sec-mod: cmd [size=87] sm: sign
ocserv[3755]: GnuTLS error (at worker-vpn.c:749): The TLS connection was non-properly terminated.
ocserv[3753]: main: ...:60311 main-misc.c:426: command socket closed
ocserv[3753]: main: ...:60311 removing client '' with id '3755'
ocserv[3753]: main: putting process 3756 to cgroup 'cpuset:test'
ocserv[3753]: main: main-misc.c:755: cannot open: /sys/fs/cgroup/cpuset/test/tasks
ocserv[3756]: worker: ...:60312 accepted connection
ocserv[3754]: sec-mod: cmd [size=87] sm: sign
ocserv[3756]: worker: ...:60312 client certificate verification succeeded
ocserv[3756]: worker: ...:60312 sending message 'resume data store request' to main
... [certificate verification passed]
ocserv[3754]: sec-mod: cmd [size=87] sm: sign
ocserv[3761]: worker: ...:60318 tlslib.c:372: error verifying client certificate: No certificate was found.
ocserv[3761]: worker: ...:60318 sending message 'resume data store request' to main
... [client reports that the certificate has no trusted source]
ocserv[3766]: worker: ...:60324 reducing MTU due to TCP MSS to 1439
ocserv[3766]: worker: ...:60324 CSTP Base MTU is 1439 bytes
ocserv[3766]: worker: ...:60324 DTLS ciphersuite: AES128-SHA
ocserv[3766]: worker: ...:60324 DTLS overhead is 94
ocserv[3766]: worker: ...:60324 suggesting DTLS MTU 1345
ocserv[3766]: worker: ...:60324 setsockopt(SO_PRIORITY) to 5, failed.
ocserv[3766]: worker: ...:60324 sending message 'tun mtu change' to main
ocserv[3753]: main: ...:60324 main received message 'tun mtu change' of 3 bytes
ocserv[3753]: main: ...:60324 setting vpns0 MTU to 1345
ocserv[3766]: worker: ...:60324 setting MTU to 1345
ocserv[3766]: worker: ...:60324 sending message 'session info' to main
ocserv[3753]: main: ...:60324 main received message 'session info' of 97 bytes [here the client shows "Establishing VPN - Repairing VPN adapter.." for a while]
ocserv[3766]: worker: ...:60324 received BYE packet; exiting
ocserv[3766]: worker: ...:60324 sending message 'cli stats' to main
ocserv[3766]: worker: ...:60324 sending stats (in: 0, out: 0) to main
ocserv[3753]: main: ...:60324 main received message 'cli stats' of 4 bytes
ocserv[3753]: main: ...:60324 main-misc.c:426: command socket closed
ocserv[3753]: main: ...:60324 removing client '' with id '3766'
ocserv[3753]: main: putting process 3778 to cgroup 'cpuset:test'
ocserv[3753]: main: main-misc.c:755: cannot open: /sys/fs/cgroup/cpuset/test/tasks
ocserv[3778]: worker: ...:60333 accepted connection
ocserv[3778]: worker: ...:60333 sending message 'resume data fetch request' to main
ocserv[3753]: main: ...:60333 main received message 'resume data fetch request' of 34 bytes
ocserv[3753]: main: ...:60333 TLS session DB resuming d0240462b65a4948d13588bf024636ef165fedb5bf5e05a7770ab2e6895969f1
ocserv[3753]: main: ...:60333 sending message 'resume data fetch reply' to worker
ocserv[3778]: worker: ...:60333 client certificate verification succeeded
ocserv[3778]: worker: ...:60333 TLS handshake completed
ocserv[3778]: worker: ...:60333 User-agent: 'AnyConnect Windows 4.0.00048'
ocserv[3753]: main: ...:60333 main-misc.c:426: command socket closed
ocserv[3753]: main: ...:60333 removing client '' with id '3778'

Upgrading AnyConnect Secure Mobility Client from 3.1 to 4.0 gives the same problem. The certificate creation and config file were copied from the OP, and in the config file I also changed "default-domain =" to anyconnect.abc.org, matching the certificate.

Switching to the OpenConnect-GUI client works fine. Cisco AnyConnect on iOS also works fine.
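Both comments above run into the same ocserv message, "error verifying client certificate: No certificate was found", which means the client presented no certificate at all (the wrong-store case) rather than one the CA rejected. As an added example that is not part of the gist or its comments, the shell functions below summarise client-certificate outcomes per source address from ocserv syslog lines, so that clients that never present a certificate can be told apart from clients whose certificate fails verification. The log lines it runs on are constructed in the format shown above, using documentation-range addresses; the "NOT trusted" line is a constructed failure.

```shell
#!/bin/sh
# Added example (not from the gist or its comments): per-source summary of
# client-certificate outcomes in ocserv syslog lines. IPv4 only.
set -eu

# Constructed sample log in the format the comments above show.
SAMPLE_LOG='Oct 15 02:37:44 host ocserv[996]: GnuTLS error (at worker-vpn.c:734): A TLS fatal alert has been received.: Unknown certificate
Oct 15 02:38:39 host ocserv[997]: worker: 198.51.100.23:15060 tlslib.c:349: error verifying client certificate: No certificate was found.
Oct 15 02:38:39 host ocserv[997]: worker: 198.51.100.23:15060 no certificate provided for authentication
Oct 15 02:39:01 host ocserv[998]: worker: 198.51.100.23:15072 tlslib.c:349: error verifying client certificate: No certificate was found.
Oct 15 02:40:10 host ocserv[999]: worker: 203.0.113.7:44120 client certificate verification succeeded
Oct 15 02:41:00 host ocserv[1001]: worker: 203.0.113.7:44130 tlslib.c:349: error verifying client certificate: The certificate is NOT trusted.'

# Read ocserv log lines on stdin and print one line per source address:
#   <ip> ok=<n> nocert=<n> fail=<n>
# ok     = "client certificate verification succeeded"
# nocert = client sent no certificate at all ("No certificate was found")
# fail   = a certificate was sent but failed verification for another reason
summarize_cert_outcomes() {
    awk '
        # Client endpoint appears as "worker: <ip>:<port> " on worker lines.
        match($0, /worker: [0-9.]+:[0-9]+ /) {
            ep = substr($0, RSTART + 8, RLENGTH - 9)   # strip "worker: " and trailing space
            sub(/:[0-9]+$/, "", ep)                     # drop the port
            ip = ep
            seen[ip] = 1
            if ($0 ~ /client certificate verification succeeded/) ok[ip]++
            else if ($0 ~ /No certificate was found/) nocert[ip]++
            else if ($0 ~ /error verifying client certificate/) fail[ip]++
        }
        END {
            for (ip in seen)
                printf "%s ok=%d nocert=%d fail=%d\n", ip, ok[ip], nocert[ip], fail[ip]
        }' | sort
}

# Sources that never presented a certificate and never succeeded: the symptom
# in the first comment (certificate imported into the wrong store), as opposed
# to a certificate that is presented but rejected.
never_presented() {
    summarize_cert_outcomes | awk '$2 == "ok=0" && $3 != "nocert=0" { print $1 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_cert_outcomes
printf 'never presented a certificate: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | never_presented)"
```

In practice the input would be `journalctl -u ocserv` or the syslog file piped into summarize_cert_outcomes; a source with only nocert hits is a client-side installation problem, while fail hits point at the certificate or the CA configured on the server.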
