diff options
Diffstat (limited to 'keyexchange/isakmpd-20041012/README.PKI')
-rw-r--r-- | keyexchange/isakmpd-20041012/README.PKI | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/README.PKI b/keyexchange/isakmpd-20041012/README.PKI new file mode 100644 index 0000000..4b7d9f1 --- /dev/null +++ b/keyexchange/isakmpd-20041012/README.PKI @@ -0,0 +1,60 @@ +$OpenBSD: README.PKI,v 1.7 1999/10/01 14:10:45 niklas Exp $ +$EOM: README.PKI,v 1.7 1999/09/30 13:40:38 niklas Exp $ + +1 Make sure you have an RSA-enabled isakmpd. An easy way to do this + is to install a dynamically linkable version of libcrypto from + OpenSSL and install it where the run-time linker can find it. + +2 Create your own CA as root. + + openssl genrsa -out /etc/ssl/private/ca.key 1024 + openssl req -new -key /etc/ssl/private/ca.key \ + -out /etc/ssl/private/ca.csr + + You are now being asked to enter information that will be incorporated + into your certificate request. What you are about to enter is what is + called a Distinguished Name or a DN. There are quite a few fields but + you can leave some blank. For some fields there will be a default + value, if you enter '.', the field will be left blank. + + openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \ + -signkey /etc/ssl/private/ca.key \ + -out /etc/ssl/ca.crt + +3 Create keys and certificates for your isakmpd peers. This step as well + as the next one, needs to be done for every peer. Furthermore the + last step will need to be done once for each ID you want the peer + to have. The 10.0.0.1 below symbolizes that ID, and should be + changed for each invocation. You will be asked for a DN for each + run too. See to encode the ID in the common name too, so it gets + unique. + + openssl genrsa -out /etc/isakmpd/private/local.key 1024 + openssl req -new -key /etc/isakmpd/private/local.key \ + -out /etc/isakmpd/private/10.0.0.1.csr + + Now take these certificate signing requests to your CA and process + them like below. You have to add some extensions to the certificate + in order to make it usable for isakmpd, which is why you will need + to run certpatch. Replace 10.0.0.1 with the IP-address which isakmpd + will be using for identity. + + openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \ + -CAkey /etc/ssl/private/ca.key -CAcreateserial \ + -out 10.0.0.1.crt + certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \ + 10.0.0.1.crt 10.0.0.1.crt + + Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ + on your local system. Also carry over the CA cert /etc/ssl/ca.crt + and put it in /etc/isakmpd/ca/. + +4 See to that your config files will point out the directories where + you keep certificates. I.e. add something like this to + /etc/isakmpd/isakmpd.conf: + + # Certificates stored in PEM format + [X509-certificates] + CA-directory= /etc/isakmpd/ca/ + Cert-directory= /etc/isakmpd/certs/ + Private-key= /etc/isakmpd/private/local.key |