diff options
author | Othmar Gsenger <otti@anytun.org> | 2008-05-25 09:50:42 +0000 |
---|---|---|
committer | Othmar Gsenger <otti@anytun.org> | 2008-05-25 09:50:42 +0000 |
commit | 71da41451212389bea25d67bc5da696b6d194bff (patch) | |
tree | a3b20decbd8bc9e47640af5fa4b39f731477955a /keyexchange/isakmpd-20041012/README.PKI | |
parent | improved presentation again (diff) |
moved keyexchange to http://anytun.org/svn/keyexchange
Diffstat (limited to 'keyexchange/isakmpd-20041012/README.PKI')
-rw-r--r-- | keyexchange/isakmpd-20041012/README.PKI | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/keyexchange/isakmpd-20041012/README.PKI b/keyexchange/isakmpd-20041012/README.PKI deleted file mode 100644 index 4b7d9f1..0000000 --- a/keyexchange/isakmpd-20041012/README.PKI +++ /dev/null @@ -1,60 +0,0 @@ -$OpenBSD: README.PKI,v 1.7 1999/10/01 14:10:45 niklas Exp $ -$EOM: README.PKI,v 1.7 1999/09/30 13:40:38 niklas Exp $ - -1 Make sure you have an RSA-enabled isakmpd. An easy way to do this - is to install a dynamically linkable version of libcrypto from - OpenSSL and install it where the run-time linker can find it. - -2 Create your own CA as root. - - openssl genrsa -out /etc/ssl/private/ca.key 1024 - openssl req -new -key /etc/ssl/private/ca.key \ - -out /etc/ssl/private/ca.csr - - You are now being asked to enter information that will be incorporated - into your certificate request. What you are about to enter is what is - called a Distinguished Name or a DN. There are quite a few fields but - you can leave some blank. For some fields there will be a default - value, if you enter '.', the field will be left blank. - - openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \ - -signkey /etc/ssl/private/ca.key \ - -out /etc/ssl/ca.crt - -3 Create keys and certificates for your isakmpd peers. This step as well - as the next one, needs to be done for every peer. Furthermore the - last step will need to be done once for each ID you want the peer - to have. The 10.0.0.1 below symbolizes that ID, and should be - changed for each invocation. You will be asked for a DN for each - run too. See to encode the ID in the common name too, so it gets - unique. - - openssl genrsa -out /etc/isakmpd/private/local.key 1024 - openssl req -new -key /etc/isakmpd/private/local.key \ - -out /etc/isakmpd/private/10.0.0.1.csr - - Now take these certificate signing requests to your CA and process - them like below. You have to add some extensions to the certificate - in order to make it usable for isakmpd, which is why you will need - to run certpatch. Replace 10.0.0.1 with the IP-address which isakmpd - will be using for identity. - - openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \ - -CAkey /etc/ssl/private/ca.key -CAcreateserial \ - -out 10.0.0.1.crt - certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \ - 10.0.0.1.crt 10.0.0.1.crt - - Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ - on your local system. Also carry over the CA cert /etc/ssl/ca.crt - and put it in /etc/isakmpd/ca/. - -4 See to that your config files will point out the directories where - you keep certificates. I.e. add something like this to - /etc/isakmpd/isakmpd.conf: - - # Certificates stored in PEM format - [X509-certificates] - CA-directory= /etc/isakmpd/ca/ - Cert-directory= /etc/isakmpd/certs/ - Private-key= /etc/isakmpd/private/local.key |