author Jason McIntyre <jmc@cvs.openbsd.org> 2005-05-14 09:28:19 +0000
committer Jason McIntyre <jmc@cvs.openbsd.org> 2005-05-14 09:28:19 +0000
commit a0f078e8f15cd870bcfde4e5adee0e99c8f94a02 (patch)
tree 852820a2e4cefdef65aae0ecb024414a5b3cfe46 /sbin
parent 3ccc051c0145db63e28a3b67003658b067e05933 (diff)
more logical section order;
Diffstat (limited to 'sbin')
-rw-r--r-- sbin/isakmpd/isakmpd.8 308
1 files changed, 154 insertions, 154 deletions
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index b81890098cf..becadc093b8 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.77 2005/05/14 09:25:51 jmc Exp $
+.\" $OpenBSD: isakmpd.8,v 1.78 2005/05/14 09:28:18 jmc Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -272,159 +272,6 @@ reports successful completion of phase 1 (Main and Aggressive) and phase 2
(Quick) exchanges (Information and Transaction exchanges do not generate any
additional status information).
.El
-.Ss Setting up an IKE public key infrastructure (a.k.a. PKI)
-In order to use public key based authentication, there has to be an
-infrastructure managing the key signing.
-Either there is an already existing PKI
-.Nm
-should take part in, or there will be a need to set one up.
-In the former case, what is needed to be done varies depending on the
-actual Certificate Authority used, and is therefore not covered here,
-other than mentioning that
-.Xr openssl 1
-needs to be used to create a certificate signing request that the
-CA understands.
-The latter case, however, is described here:
-.Bl -enum
-.It
-Create your own Certificate Authority (CA).
-.Pp
-Create a self-signed root certificate.
-The CA certificate is named
-.Pa ca.crt ,
-and its private key
-.Pa ca.key :
-.Bd -literal -offset indent
-# openssl req -x509 -days 365 -newkey rsa:1024 \e
- -keyout /etc/ssl/private/ca.key \e
- -out /etc/ssl/ca.crt
-.Ed
-.Pp
-.Ic openssl req
-will prompt for information that will be incorporated
-into the certificate request.
-The information entered comprises a Distinguished Name (DN).
-There are quite a few fields, but some can be left blank.
-For some fields there will be a default value; if
-.Sq \&.
-is entered, the field will be left blank.
-.It
-Create Certificate Signing Requests (CSRs) for IKE peers.
-The CSRs are signed with a pre-generated private key.
-By default, the system startup script
-.Xr rc 8
-generates a key-pair when starting, if one does not already exist.
-The private and public keys are named
-.Pa local.key
-and
-.Pa local.pub ,
-respectively.
-.Pp
-This step, as well as the next one, needs to be done for every peer.
-Furthermore the last step will need to be done once for each ID you
-want the peer to have.
-The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID,
-and should be changed for each invocation.
-You will be asked for a DN for each run.
-Encoding the ID in the common name is recommended, as it should be unique.
-.Bd -literal -offset indent
-# openssl req -new -key /etc/isakmpd/private/local.key \e
- -out /etc/isakmpd/private/10.0.0.1.csr
-.Ed
-.Pp
-Now take these certificate signing requests to your CA and process
-them as below.
-A
-.Em subjectAltName
-extension field has to be added
-to the certificate in order to make it usable by
-.Nm .
-There are two possible ways to add the extensions to the certificate:
-either run
-.Xr certpatch 8
-or make use of an OpenSSL configuration file, such as
-.Pa /etc/ssl/x509v3.cnf .
-Replace 10.0.0.1 with the IP address which
-.Nm
-will use as the certificate identity.
-.Pp
-To use
-.Xr certpatch 8 ,
-do the following:
-.Bd -literal -offset indent
-# openssl x509 -req -days 365 -in 10.0.0.1.csr \e
- -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e
- -CAcreateserial -out 10.0.0.1.crt
-# certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \e
- 10.0.0.1.crt 10.0.0.1.crt
-.Ed
-.Pp
-Otherwise do:
-.Bd -literal -offset indent
-# setenv CERTIP 10.0.0.1
-# openssl x509 -req -days 365 -in 10.0.0.1.csr \e
- -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e
- -CAcreateserial -extfile /etc/ssl/x509v3.cnf \e
- -extensions x509v3_IPAddr -out 10.0.0.1.crt
-.Ed
-.Pp
-For a FQDN certificate, do:
-.Bd -literal -offset indent
-# setenv CERTFQDN somehost.somedomain
-# openssl x509 -req -days 365 -in somehost.somedomain.csr \e
- -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e
- -CAcreateserial -extfile /etc/ssl/x509v3.cnf \e
- -extensions x509v3_FQDN -out somehost.somedomain.crt
-.Ed
-.Pp
-Or with
-.Xr certpatch 8 :
-.Bd -literal -offset indent
-# certpatch -t fqdn -i somehost.somedomain \e
- -k /etc/ssl/private/ca.key \e
- somehost.somedomain.crt somehost.somedomain.crt
-.Ed
-.Pp
-(This assumes the previous steps were used to create a request for
-somehost.somedomain instead of 10.0.0.1.)
-.Pp
-Put the certificate (the file ending in .crt) in
-.Pa /etc/isakmpd/certs/
-on your local system.
-Also carry over the CA cert
-.Pa /etc/ssl/ca.crt
-and put it in
-.Pa /etc/isakmpd/ca/ .
-.El
-.Pp
-To revoke certificates, create a Certificate Revocation List (CRL) file
-and install it in the
-.Pa /etc/isakmpd/crls/
-directory.
-See
-.Xr openssl 1
-and the
-.Sq crl
-subcommand for more info.
-.Pp
-It is also possible to store trusted public keys to make them directly
-usable by
-.Nm ,
-bypassing the need to use X509 certificates.
-The keys should be saved in PEM format (see
-.Xr openssl 1 )
-and named and stored after this easy formula:
-.Pp
-.Bl -tag -width "for_ufqdn_identitiesXX" -offset 3n -compact
-.It For IPv4 identities:
-/etc/isakmpd/pubkeys/ipv4/A.B.C.D
-.It For IPv6 identities:
-/etc/isakmpd/pubkeys/ipv6/abcd:abcd::ab:bc
-.It For FQDN identities:
-/etc/isakmpd/pubkeys/fqdn/foo.bar.org
-.It For UFQDN identities:
-/etc/isakmpd/pubkeys/ufqdn/user@foo.bar.org
-.El
.Ss The FIFO user interface
When
.Nm
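Review bot: The check for this hunk is that the 154 deleted lines are byte-identical to the 154 lines re-added in the next hunk, since the diffstat (154 insertions, 154 deletions) and the commit message ("more logical section order") describe a pure move rather than an edit; nothing in the removed block should be reviewed for content here. Structurally the cut is clean: the block is lifted from between the `.El` that closes the status-output list and `.Ss The FIFO user interface`, and `.El` followed directly by `.Ss` is valid mdoc.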
@@ -592,6 +439,159 @@ Tear down all active connections.
.It Ic t Aq Ic name
Tear down the named connection, if active.
.El
+.Ss Setting up an IKE public key infrastructure (a.k.a. PKI)
+In order to use public key based authentication, there has to be an
+infrastructure managing the key signing.
+Either there is an already existing PKI
+.Nm
+should take part in, or there will be a need to set one up.
+In the former case, what is needed to be done varies depending on the
+actual Certificate Authority used, and is therefore not covered here,
+other than mentioning that
+.Xr openssl 1
+needs to be used to create a certificate signing request that the
+CA understands.
+The latter case, however, is described here:
+.Bl -enum
+.It
+Create your own Certificate Authority (CA).
+.Pp
+Create a self-signed root certificate.
+The CA certificate is named
+.Pa ca.crt ,
+and its private key
+.Pa ca.key :
+.Bd -literal -offset indent
+# openssl req -x509 -days 365 -newkey rsa:1024 \e
+ -keyout /etc/ssl/private/ca.key \e
+ -out /etc/ssl/ca.crt
+.Ed
+.Pp
+.Ic openssl req
+will prompt for information that will be incorporated
+into the certificate request.
+The information entered comprises a Distinguished Name (DN).
+There are quite a few fields, but some can be left blank.
+For some fields there will be a default value; if
+.Sq \&.
+is entered, the field will be left blank.
+.It
+Create Certificate Signing Requests (CSRs) for IKE peers.
+The CSRs are signed with a pre-generated private key.
+By default, the system startup script
+.Xr rc 8
+generates a key-pair when starting, if one does not already exist.
+The private and public keys are named
+.Pa local.key
+and
+.Pa local.pub ,
+respectively.
+.Pp
+This step, as well as the next one, needs to be done for every peer.
+Furthermore the last step will need to be done once for each ID you
+want the peer to have.
+The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID,
+and should be changed for each invocation.
+You will be asked for a DN for each run.
+Encoding the ID in the common name is recommended, as it should be unique.
+.Bd -literal -offset indent
+# openssl req -new -key /etc/isakmpd/private/local.key \e
+ -out /etc/isakmpd/private/10.0.0.1.csr
+.Ed
+.Pp
+Now take these certificate signing requests to your CA and process
+them as below.
+A
+.Em subjectAltName
+extension field has to be added
+to the certificate in order to make it usable by
+.Nm .
+There are two possible ways to add the extensions to the certificate:
+either run
+.Xr certpatch 8
+or make use of an OpenSSL configuration file, such as
+.Pa /etc/ssl/x509v3.cnf .
+Replace 10.0.0.1 with the IP address which
+.Nm
+will use as the certificate identity.
+.Pp
+To use
+.Xr certpatch 8 ,
+do the following:
+.Bd -literal -offset indent
+# openssl x509 -req -days 365 -in 10.0.0.1.csr \e
+ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e
+ -CAcreateserial -out 10.0.0.1.crt
+# certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \e
+ 10.0.0.1.crt 10.0.0.1.crt
+.Ed
+.Pp
+Otherwise do:
+.Bd -literal -offset indent
+# setenv CERTIP 10.0.0.1
+# openssl x509 -req -days 365 -in 10.0.0.1.csr \e
+ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e
+ -CAcreateserial -extfile /etc/ssl/x509v3.cnf \e
+ -extensions x509v3_IPAddr -out 10.0.0.1.crt
+.Ed
+.Pp
+For a FQDN certificate, do:
+.Bd -literal -offset indent
+# setenv CERTFQDN somehost.somedomain
+# openssl x509 -req -days 365 -in somehost.somedomain.csr \e
+ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e
+ -CAcreateserial -extfile /etc/ssl/x509v3.cnf \e
+ -extensions x509v3_FQDN -out somehost.somedomain.crt
+.Ed
+.Pp
+Or with
+.Xr certpatch 8 :
+.Bd -literal -offset indent
+# certpatch -t fqdn -i somehost.somedomain \e
+ -k /etc/ssl/private/ca.key \e
+ somehost.somedomain.crt somehost.somedomain.crt
+.Ed
+.Pp
+(This assumes the previous steps were used to create a request for
+somehost.somedomain instead of 10.0.0.1.)
+.Pp
+Put the certificate (the file ending in .crt) in
+.Pa /etc/isakmpd/certs/
+on your local system.
+Also carry over the CA cert
+.Pa /etc/ssl/ca.crt
+and put it in
+.Pa /etc/isakmpd/ca/ .
+.El
+.Pp
+To revoke certificates, create a Certificate Revocation List (CRL) file
+and install it in the
+.Pa /etc/isakmpd/crls/
+directory.
+See
+.Xr openssl 1
+and the
+.Sq crl
+subcommand for more info.
+.Pp
+It is also possible to store trusted public keys to make them directly
+usable by
+.Nm ,
+bypassing the need to use X509 certificates.
+The keys should be saved in PEM format (see
+.Xr openssl 1 )
+and named and stored after this easy formula:
+.Pp
+.Bl -tag -width "for_ufqdn_identitiesXX" -offset 3n -compact
+.It For IPv4 identities:
+/etc/isakmpd/pubkeys/ipv4/A.B.C.D
+.It For IPv6 identities:
+/etc/isakmpd/pubkeys/ipv6/abcd:abcd::ab:bc
+.It For FQDN identities:
+/etc/isakmpd/pubkeys/fqdn/foo.bar.org
+.It For UFQDN identities:
+/etc/isakmpd/pubkeys/ufqdn/user@foo.bar.org
+.El
.Sh FILES
.Bl -tag -width Ds
.It /etc/isakmpd/ca/
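Review bot: Two issues in the moved text are worth a follow-up commit, even though this change only relocates the block. First, `# setenv CERTIP 10.0.0.1` and `# setenv CERTFQDN somehost.somedomain` are csh syntax, so a reader running the example from sh or ksh gets a "not found" error; the page should either say the examples assume csh or use the portable `CERTIP=10.0.0.1; export CERTIP`. Second, `# openssl req -x509 -days 365 -newkey rsa:1024` documents a 1024-bit RSA key for the CA root, and a compromise of that key lets anyone issue peer certificates that `isakmpd` will accept because the CA certificate is installed as trusted in `/etc/isakmpd/ca/`; a larger key size for the signing key would be the safer example to publish. Neither belongs in this reorder, which should stay a verbatim move.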