$OpenBSD: README.PKI,v 1.7 1999/10/01 14:10:45 niklas Exp $ $EOM: README.PKI,v 1.7 1999/09/30 13:40:38 niklas Exp $ 1 Make sure you have an RSA-enabled isakmpd. An easy way to do this is to install a dynamically linkable version of libcrypto from OpenSSL and install it where the run-time linker can find it. 2 Create your own CA as root. openssl genrsa -out /etc/ssl/private/ca.key 1024 openssl req -new -key /etc/ssl/private/ca.key \ -out /etc/ssl/private/ca.csr You are now being asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value, if you enter '.', the field will be left blank. openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \ -signkey /etc/ssl/private/ca.key \ -out /etc/ssl/ca.crt 3 Create keys and certificates for your isakmpd peers. This step as well as the next one, needs to be done for every peer. Furthermore the last step will need to be done once for each ID you want the peer to have. The 10.0.0.1 below symbolizes that ID, and should be changed for each invocation. You will be asked for a DN for each run too. See to encode the ID in the common name too, so it gets unique. openssl genrsa -out /etc/isakmpd/private/local.key 1024 openssl req -new -key /etc/isakmpd/private/local.key \ -out /etc/isakmpd/private/10.0.0.1.csr Now take these certificate signing requests to your CA and process them like below. You have to add some extensions to the certificate in order to make it usable for isakmpd, which is why you will need to run certpatch. Replace 10.0.0.1 with the IP-address which isakmpd will be using for identity. openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \ -CAkey /etc/ssl/private/ca.key -CAcreateserial \ -out 10.0.0.1.crt certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \ 10.0.0.1.crt 10.0.0.1.crt Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ on your local system. Also carry over the CA cert /etc/ssl/ca.crt and put it in /etc/isakmpd/ca/. 4 See to that your config files will point out the directories where you keep certificates. I.e. add something like this to /etc/isakmpd/isakmpd.conf: # Certificates stored in PEM format [X509-certificates] CA-directory= /etc/isakmpd/ca/ Cert-directory= /etc/isakmpd/certs/ Private-key= /etc/isakmpd/private/local.key