blob: 4b7d9f13a631aa729d2335a1680022d56b7f6a35 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
$OpenBSD: README.PKI,v 1.7 1999/10/01 14:10:45 niklas Exp $
$EOM: README.PKI,v 1.7 1999/09/30 13:40:38 niklas Exp $
1 Make sure you have an RSA-enabled isakmpd. An easy way to do this
is to install a dynamically linkable version of libcrypto from
OpenSSL and install it where the run-time linker can find it.
2 Create your own CA as root.
openssl genrsa -out /etc/ssl/private/ca.key 1024
openssl req -new -key /etc/ssl/private/ca.key \
-out /etc/ssl/private/ca.csr
You are now being asked to enter information that will be incorporated
into your certificate request. What you are about to enter is what is
called a Distinguished Name or a DN. There are quite a few fields but
you can leave some blank. For some fields there will be a default
value, if you enter '.', the field will be left blank.
openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
-signkey /etc/ssl/private/ca.key \
-out /etc/ssl/ca.crt
3 Create keys and certificates for your isakmpd peers. This step as well
as the next one, needs to be done for every peer. Furthermore the
last step will need to be done once for each ID you want the peer
to have. The 10.0.0.1 below symbolizes that ID, and should be
changed for each invocation. You will be asked for a DN for each
run too. See to encode the ID in the common name too, so it gets
unique.
openssl genrsa -out /etc/isakmpd/private/local.key 1024
openssl req -new -key /etc/isakmpd/private/local.key \
-out /etc/isakmpd/private/10.0.0.1.csr
Now take these certificate signing requests to your CA and process
them like below. You have to add some extensions to the certificate
in order to make it usable for isakmpd, which is why you will need
to run certpatch. Replace 10.0.0.1 with the IP-address which isakmpd
will be using for identity.
openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \
-CAkey /etc/ssl/private/ca.key -CAcreateserial \
-out 10.0.0.1.crt
certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \
10.0.0.1.crt 10.0.0.1.crt
Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/
on your local system. Also carry over the CA cert /etc/ssl/ca.crt
and put it in /etc/isakmpd/ca/.
4 See to that your config files will point out the directories where
you keep certificates. I.e. add something like this to
/etc/isakmpd/isakmpd.conf:
# Certificates stored in PEM format
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
|