$OpenBSD: README.PKI,v 1.7 1999/10/01 14:10:45 niklas Exp $
$EOM: README.PKI,v 1.7 1999/09/30 13:40:38 niklas Exp $

1	Make sure you have an RSA-enabled isakmpd.  An easy way to do this
	is to install a dynamically linkable version of libcrypto from
	OpenSSL and install it where the run-time linker can find it.

2	Create your own CA as root.

	openssl genrsa -out /etc/ssl/private/ca.key 1024
	openssl req -new -key /etc/ssl/private/ca.key \
		-out /etc/ssl/private/ca.csr

	You are now being asked to enter information that will be incorporated
	into your certificate request.  What you are about to enter is what is
	called a Distinguished Name or a DN.  There are quite a few fields but
	you can leave some blank.  For some fields there will be a default
	value, if you enter '.', the field will be left blank.

	openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
		-signkey /etc/ssl/private/ca.key \
		-out /etc/ssl/ca.crt

3	Create keys and certificates for your isakmpd peers.  This step as well
	as the next one, needs to be done for every peer.  Furthermore the
	last step will need to be done once for each ID you want the peer
	to have.  The 10.0.0.1 below symbolizes that ID, and should be
	changed for each invocation.  You will be asked for a DN for each
	run too.  See to encode the ID in the common name too, so it gets
	unique.

	openssl genrsa -out /etc/isakmpd/private/local.key 1024
	openssl req -new -key /etc/isakmpd/private/local.key \
		-out /etc/isakmpd/private/10.0.0.1.csr

	Now take these certificate signing requests to your CA and process
	them like below.  You have to add some extensions to the certificate
	in order to make it usable for isakmpd, which is why you will need
	to run certpatch.  Replace 10.0.0.1 with the IP-address which isakmpd
	will be using for identity.

	openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \
		-CAkey /etc/ssl/private/ca.key -CAcreateserial \
		-out 10.0.0.1.crt
	certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \
		10.0.0.1.crt 10.0.0.1.crt

	Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/
	on your local system.  Also carry over the CA cert /etc/ssl/ca.crt
	and put it in /etc/isakmpd/ca/.

4	See to that your config files will point out the directories where
	you keep certificates.  I.e. add something like this to
	/etc/isakmpd/isakmpd.conf:

	# Certificates stored in PEM format
	[X509-certificates]
	CA-directory=		/etc/isakmpd/ca/
	Cert-directory=		/etc/isakmpd/certs/
	Private-key=		/etc/isakmpd/private/local.key