summaryrefslogtreecommitdiff
path: root/keyexchange/isakmpd-20041012/README.PKI
diff options
context:
space:
mode:
authorOthmar Gsenger <otti@anytun.org>2007-12-08 20:59:57 +0000
committerOthmar Gsenger <otti@anytun.org>2007-12-08 20:59:57 +0000
commitf84dc62cc602eacb0daee3e9918a68b711ba94f0 (patch)
tree1acbdabf30b2ece1da880386da6a4b7c002669c3 /keyexchange/isakmpd-20041012/README.PKI
parent* added AuthTag class (diff)
removed isakmpd
Diffstat (limited to 'keyexchange/isakmpd-20041012/README.PKI')
-rw-r--r--keyexchange/isakmpd-20041012/README.PKI60
1 files changed, 0 insertions, 60 deletions
diff --git a/keyexchange/isakmpd-20041012/README.PKI b/keyexchange/isakmpd-20041012/README.PKI
deleted file mode 100644
index 4b7d9f1..0000000
--- a/keyexchange/isakmpd-20041012/README.PKI
+++ /dev/null
@@ -1,60 +0,0 @@
-$OpenBSD: README.PKI,v 1.7 1999/10/01 14:10:45 niklas Exp $
-$EOM: README.PKI,v 1.7 1999/09/30 13:40:38 niklas Exp $
-
-1 Make sure you have an RSA-enabled isakmpd. An easy way to do this
- is to install a dynamically linkable version of libcrypto from
- OpenSSL and install it where the run-time linker can find it.
-
-2 Create your own CA as root.
-
- openssl genrsa -out /etc/ssl/private/ca.key 1024
- openssl req -new -key /etc/ssl/private/ca.key \
- -out /etc/ssl/private/ca.csr
-
- You are now being asked to enter information that will be incorporated
- into your certificate request. What you are about to enter is what is
- called a Distinguished Name or a DN. There are quite a few fields but
- you can leave some blank. For some fields there will be a default
- value, if you enter '.', the field will be left blank.
-
- openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
- -signkey /etc/ssl/private/ca.key \
- -out /etc/ssl/ca.crt
-
-3 Create keys and certificates for your isakmpd peers. This step as well
- as the next one, needs to be done for every peer. Furthermore the
- last step will need to be done once for each ID you want the peer
- to have. The 10.0.0.1 below symbolizes that ID, and should be
- changed for each invocation. You will be asked for a DN for each
- run too. See to encode the ID in the common name too, so it gets
- unique.
-
- openssl genrsa -out /etc/isakmpd/private/local.key 1024
- openssl req -new -key /etc/isakmpd/private/local.key \
- -out /etc/isakmpd/private/10.0.0.1.csr
-
- Now take these certificate signing requests to your CA and process
- them like below. You have to add some extensions to the certificate
- in order to make it usable for isakmpd, which is why you will need
- to run certpatch. Replace 10.0.0.1 with the IP-address which isakmpd
- will be using for identity.
-
- openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \
- -CAkey /etc/ssl/private/ca.key -CAcreateserial \
- -out 10.0.0.1.crt
- certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \
- 10.0.0.1.crt 10.0.0.1.crt
-
- Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/
- on your local system. Also carry over the CA cert /etc/ssl/ca.crt
- and put it in /etc/isakmpd/ca/.
-
-4 See to that your config files will point out the directories where
- you keep certificates. I.e. add something like this to
- /etc/isakmpd/isakmpd.conf:
-
- # Certificates stored in PEM format
- [X509-certificates]
- CA-directory= /etc/isakmpd/ca/
- Cert-directory= /etc/isakmpd/certs/
- Private-key= /etc/isakmpd/private/local.key