| author | Hakan Olsson <ho@cvs.openbsd.org> | 2001-12-10 04:06:46 +0000 |
|---|---|---|
| committer | Hakan Olsson <ho@cvs.openbsd.org> | 2001-12-10 04:06:46 +0000 |
| commit | c7c6e636a8bfbf2c68e2ed3e6d20fa1c5237bfb0 (patch) | |
| tree | 47549ab1e79cccf2f379e8fd1860d195fb09dd03 | |
| parent | 930da000905a2526706d543b90944f2ae69e94db (diff) | |
Add example on how to create FQDN certificates suitable for use with isakmpd. Requires an FQDN addition to /etc/ssl/x509v3.cnf
-rw-r--r-- | sbin/isakmpd/isakmpd.8 | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8 index c3d6dae4703..b9612909e7e 100644 --- a/sbin/isakmpd/isakmpd.8 +++ b/sbin/isakmpd/isakmpd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: isakmpd.8,v 1.34 2001/12/10 03:45:03 ho Exp $ +.\" $OpenBSD: isakmpd.8,v 1.35 2001/12/10 04:06:45 ho Exp $ .\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $ .\" .\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. @@ -256,10 +256,10 @@ value, if you enter '.', the field will be left blank. Create keys and certificates for your IKE peers. This step as well as the next one, needs to be done for every peer. Furthermore the last step will need to be done once for each ID you want the peer -to have. The 10.0.0.1 below symbolizes that ID, and should be -changed for each invocation. You will be asked for a DN for each -run too. See to encode the ID in the common name too, so it gets -unique. +to have. The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID, +and should be changed for each invocation. You will be asked for a DN +for each run. Encoding the ID in the common name is recommended, as +it should be unique. .Pp .Bd -literal # openssl genrsa -out /etc/isakmpd/private/local.key 1024 @@ -278,10 +278,10 @@ or you have to make use of an OpenSSL configuration file, for example .Pa /etc/ssl/x509v3.cnf . Replace 10.0.0.1 with the IP-address which .Nm -will be using for identity. +will use as the certificate identity. .Pp -For using -.Xr certpach 8 , +To use +.Xr certpatch 8 , do the following .Bd -literal # openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \\ 
@@ -300,6 +300,19 @@ Otherwise do -out 10.0.0.1.crt .Ed .Pp +For a FQDN certificate, do +.Bd -literal +# setenv CERTFQDN somehost.somedomain +# openssl x509 -req -days 365 -in somehost.somedomain.csr \\ + -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \\ + -CAcreateserial \\ + -extfile /etc/ssl/x509v3.cnf -extensions x509v3_FQDN \\ + -out somehost.somedomain.crt +.Ed +.Pp +(This assumes the previous steps were used to create a request for +somehost.somedomain instead of 10.0.0.1) +.Pp Put the certificate (the file ending in .crt) in .Pa /etc/isakmpd/certs/ on your local system. Also carry over the CA cert |
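Review bot: in the reworded sentence of hunk @@ -256,10 +256,10 @@, "Encoding the ID in the common name is recommended, as it should be unique" leaves "it" ambiguous (the ID, or the common name?); the removed text made clear that the point is a distinct DN for each ID, so something like "so that each certificate's DN is unique" would preserve that meaning.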
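Review bot: the new FQDN example in hunk @@ -300,6 +300,19 @@ passes `-extensions x509v3_FQDN`, but nothing in the added manpage text tells the reader that this section must first exist in /etc/ssl/x509v3.cnf; the commit message says the addition is required, so the manpage should say so as well, and should explain why `CERTFQDN` is set (presumably, though not visible here, because the section reads the name from the environment). Two smaller points: `setenv CERTFQDN somehost.somedomain` is csh syntax, so an sh form (`CERTFQDN=somehost.somedomain; export CERTFQDN`) would help Bourne-shell users; and "For a FQDN certificate" reads better as "For an FQDN certificate", while the closing parenthetical "(This assumes ... instead of 10.0.0.1)" is missing its full stop.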