author     Jason McIntyre <jmc@cvs.openbsd.org>  2005-05-14 09:25:52 +0000
committer  Jason McIntyre <jmc@cvs.openbsd.org>  2005-05-14 09:25:52 +0000
commit     3ccc051c0145db63e28a3b67003658b067e05933
tree       f9c30219147e7376b76651a74e7497cef015151f
parent     803cafed7360b68628973752380b2a420690edd0
- openssl req can create self-signed certs in one step
- no need to encourage people to generate system keys: rc(8) already does it ok hshoexer@
-rw-r--r--  sbin/isakmpd/isakmpd.8 | 38
1 file changed, 20 insertions, 18 deletions
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index 8785140a519..b81890098cf 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.76 2005/05/06 19:06:50 jmc Exp $
+.\" $OpenBSD: isakmpd.8,v 1.77 2005/05/14 09:25:51 jmc Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -289,12 +289,15 @@ The latter case, however, is described here:
.It
Create your own Certificate Authority (CA).
.Pp
-First, create a private key for the CA, and a Certificate Signing Request
-(CSR) to enable the CA to sign its own key:
+Create a self-signed root certificate.
+The CA certificate is named
+.Pa ca.crt ,
+and its private key
+.Pa ca.key :
.Bd -literal -offset indent
-# openssl genrsa -out /etc/ssl/private/ca.key 1024
-# openssl req -new -key /etc/ssl/private/ca.key \e
- -out /etc/ssl/private/ca.csr
+# openssl req -x509 -days 365 -newkey rsa:1024 \e
+ -keyout /etc/ssl/private/ca.key \e
+ -out /etc/ssl/ca.crt
.Ed
.Pp
.Ic openssl req
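Review bot: the one-step `openssl req -x509 -days 365 -newkey rsa:1024 ...` command changes two things that the surrounding text does not mention. First, `openssl req -newkey` encrypts the generated key and prompts for a PEM pass phrase, whereas the removed `openssl genrsa` wrote an unencrypted key; either say that a pass phrase will be requested (and needed again whenever `ca.key` is used to sign a peer CSR) or add `-nodes` if an unencrypted key is what is intended. Second, the command no longer passes the `-extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA` options that the removed `openssl x509 -req` step used, so whether `ca.crt` carries the CA extensions (basicConstraints CA:TRUE) now depends on the `x509_extensions` entry of the default OpenSSL configuration; consider restoring the explicit extensions (for example `-extensions x509v3_CA` together with a `-config` file that defines that section) or state in the text that the default configuration supplies them.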
@@ -305,18 +308,18 @@ There are quite a few fields, but some can be left blank.
For some fields there will be a default value; if
.Sq \&.
is entered, the field will be left blank.
-.Pp
-After the CSR has been generated, it is used to create and sign
-a certificate for the CA:
-.Bd -literal -offset indent
-# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \e
- -signkey /etc/ssl/private/ca.key \e
- -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \e
- -out /etc/ssl/ca.crt
-.Ed
-.Pp
.It
-Create keys and CSRs for IKE peers.
+Create Certificate Signing Requests (CSRs) for IKE peers.
+The CSRs are signed with a pre-generated private key.
+By default, the system startup script
+.Xr rc 8
+generates a key-pair when starting, if one does not already exist.
+The private and public keys are named
+.Pa local.key
+and
+.Pa local.pub ,
+respectively.
+.Pp
This step, as well as the next one, needs to be done for every peer.
Furthermore the last step will need to be done once for each ID you
want the peer to have.
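Review bot: the added paragraph names the key files only as `local.key` and `local.pub` without their directories, while the CSR command in the next hunk reads `/etc/isakmpd/private/local.key`; give the full path in the `.Pa` macros (`.Pa /etc/isakmpd/private/local.key`) so the reader can tell which file rc(8) creates and what the `-key` argument of the following example refers to. Also "generates a key-pair when starting" reads ambiguously (starting what?); "at boot" is what is meant.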
@@ -325,7 +328,6 @@ and should be changed for each invocation.
You will be asked for a DN for each run.
Encoding the ID in the common name is recommended, as it should be unique.
.Bd -literal -offset indent
-# openssl genrsa -out /etc/isakmpd/private/local.key 1024
# openssl req -new -key /etc/isakmpd/private/local.key \e
-out /etc/isakmpd/private/10.0.0.1.csr
.Ed
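Review bot: with the `openssl genrsa` line removed, the `openssl req -new -key /etc/isakmpd/private/local.key` example depends on that file already existing, and rc(8) only creates it on the machine that boots, yet the surrounding text says this step is done for every peer. Say explicitly that the CSR has to be generated on the peer itself so that its private key stays on that host, or keep one sentence telling the reader how to create a key by hand when none exists (the removed `openssl genrsa -out /etc/isakmpd/private/local.key 1024`).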