Diffstat (limited to 'keyexchange/isakmpd-20041012/README.PKI')
-rw-r--r-- keyexchange/isakmpd-20041012/README.PKI 60
1 files changed, 60 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/README.PKI b/keyexchange/isakmpd-20041012/README.PKI
new file mode 100644
index 0000000..4b7d9f1
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/README.PKI
@@ -0,0 +1,60 @@
+$OpenBSD: README.PKI,v 1.7 1999/10/01 14:10:45 niklas Exp $
+$EOM: README.PKI,v 1.7 1999/09/30 13:40:38 niklas Exp $
+
+1 Make sure you have an RSA-enabled isakmpd. An easy way to do this
+ is to install a dynamically linkable version of libcrypto from
+ OpenSSL and install it where the run-time linker can find it.
+
+2 Create your own CA as root.
+
+ openssl genrsa -out /etc/ssl/private/ca.key 1024
+ openssl req -new -key /etc/ssl/private/ca.key \
+ -out /etc/ssl/private/ca.csr
+
+ You are now being asked to enter information that will be incorporated
+ into your certificate request. What you are about to enter is what is
+ called a Distinguished Name or a DN. There are quite a few fields but
+ you can leave some blank. For some fields there will be a default
+ value, if you enter '.', the field will be left blank.
+
+ openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
+ -signkey /etc/ssl/private/ca.key \
+ -out /etc/ssl/ca.crt
+
+3 Create keys and certificates for your isakmpd peers. This step as well
+ as the next one, needs to be done for every peer. Furthermore the
+ last step will need to be done once for each ID you want the peer
+ to have. The 10.0.0.1 below symbolizes that ID, and should be
+ changed for each invocation. You will be asked for a DN for each
+ run too. See to encode the ID in the common name too, so it gets
+ unique.
+
+ openssl genrsa -out /etc/isakmpd/private/local.key 1024
+ openssl req -new -key /etc/isakmpd/private/local.key \
+ -out /etc/isakmpd/private/10.0.0.1.csr
+
+ Now take these certificate signing requests to your CA and process
+ them like below. You have to add some extensions to the certificate
+ in order to make it usable for isakmpd, which is why you will need
+ to run certpatch. Replace 10.0.0.1 with the IP-address which isakmpd
+ will be using for identity.
+
+ openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \
+ -CAkey /etc/ssl/private/ca.key -CAcreateserial \
+ -out 10.0.0.1.crt
+ certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \
+ 10.0.0.1.crt 10.0.0.1.crt
+
+ Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/
+ on your local system. Also carry over the CA cert /etc/ssl/ca.crt
+ and put it in /etc/isakmpd/ca/.
+
+4 See to that your config files will point out the directories where
+ you keep certificates. I.e. add something like this to
+ /etc/isakmpd/isakmpd.conf:
+
+ # Certificates stored in PEM format
+ [X509-certificates]
+ CA-directory= /etc/isakmpd/ca/
+ Cert-directory= /etc/isakmpd/certs/
+ Private-key= /etc/isakmpd/private/local.key
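Review bot: the key generation in steps 2 and 3 (`openssl genrsa -out /etc/ssl/private/ca.key 1024` and `openssl genrsa -out /etc/isakmpd/private/local.key 1024`) hard-codes 1024-bit RSA keys and says nothing about the permissions of the files it writes; consider documenting a larger key size (2048 bits or more) and an explicit `umask 077` (or `chmod 600` afterwards) for the files under /etc/ssl/private and /etc/isakmpd/private so the CA and peer private keys are not readable by other users. Two smaller points in step 3: the request is written to /etc/isakmpd/private/10.0.0.1.csr, but the signing command reads `-in 10.0.0.1.csr` from the current directory, so either use the full path or state that the CSR must be copied to the CA host first; and `certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key 10.0.0.1.crt 10.0.0.1.crt` overwrites the unpatched certificate in place, which works but deserves a sentence so readers do not assume the last argument names a new file.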