From: Patrick B. <bal...@i3...> - 2003-06-16 12:34:33
Hello,

I have to make a VPN connection with a peer which can only use X.509 certificates.

How can I configure my Devil-Linux FreeS/WAN to do so?
How can I generate my own certificate authority?
How can I generate my host certificate?
How do I configure ipsec.conf?

Thanks a lot.

-- 
"Intelligence is the most evenly shared thing in the world: indeed, nobody complains of lacking any!"
Patrick BALESTRA
IT Manager
I3S, UMR 6070 du CNRS
Tel : 04 92 94 27 81   Fax : 04 92 94 28 98
email : bal...@i3...
From: Friedrich L. <fl...@fl...> - 2003-06-16 13:01:29
Patrick Balestra wrote:
> I have to make a VPN connection with a peer which can only use X.509
> certificates.

Devil-Linux has the X.509 patch for FreeS/WAN.

> How can I configure my Devil-Linux FreeS/WAN to do so?
> How can I generate my own certificate authority?
> How can I generate my host certificate?
> How do I configure ipsec.conf?

I guess
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/config.html
http://www.google.com/search?q=freeswan+ipsec.conf+x509
http://www.google.com/search?q=openssl+ca+creating+certificate

Or search the list archive at
http://sourceforge.net/mailarchive/forum.php?forum_id=658

-- 
MfG / Regards
Friedrich Lobenstock
Linux Services Lobenstock
URL: http://www.lsl.at/
Email: fl...@fl...
From: Patrick B. <bal...@i3...> - 2003-06-16 13:48:39
Hello,

Friedrich Lobenstock wrote:
> Patrick Balestra wrote:
>
>> I have to make a VPN connection with a peer which can only use X.509
>> certificates.
>
> Devil-Linux has the X.509 patch for FreeS/WAN.

I saw that in the "Changes" file.

>> How can I configure my Devil-Linux FreeS/WAN to do so?
>> How can I generate my own certificate authority?
>> How can I generate my host certificate?
>> How do I configure ipsec.conf?
>
> I guess
> http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/config.html
> http://www.google.com/search?q=freeswan+ipsec.conf+x509
> http://www.google.com/search?q=openssl+ca+creating+certificate

Yes. But when I try to create a new CA on my Devil-Linux box, I get:

# openssl req -x509 -days 1460 -newkey rsa:2048 -keyout caKey.pem -out caCert.pem
Using configuration from /usr/ssl/openssl.cnf
Unable to load config info
Generating a 2048 bit RSA private key
........+++
....................................................+++
writing new private key to 'caKey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
16161:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:

The file /usr/ssl/openssl.cnf doesn't exist.
Where can I get this file?

> Or search the list archive at
> http://sourceforge.net/mailarchive/forum.php?forum_id=658

I haven't found such a thread in the archives...

Thanks.
From: Friedrich L. <fl...@fl...> - 2003-06-16 15:13:02
Patrick Balestra wrote:
>
> The file /usr/ssl/openssl.cnf doesn't exist.
> Where can I get this file?

It is not wise to deploy a CA directly on your firewall! Better run this on a computer behind the firewall that's better not connected to the LAN - as a matter of security. Otherwise if anybody manages to compromise your CA you will not even notice them when they can create certificates for themselves.

If you really want to run your CA on the firewall then search for the file openssl.cnf on your computer and copy it to /etc on the firewall and use
openssl -config /etc/openssl.cnf

>> Or search the list archive at
>> http://sourceforge.net/mailarchive/forum.php?forum_id=658
>
> I haven't found such a thread in the archives...

And what about this?
http://sourceforge.net/mailarchive/message.php?msg_id=2338986

-- 
MfG / Regards
Friedrich Lobenstock
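The "unable to find 'distinguished_name' in config" failure in Patrick's message above is what `openssl req` prints when it has no usable configuration file at all, and Friedrich's fix is to supply one explicitly with `-config`. The script below is an added example (not from this thread, not Devil-Linux's or FreeS/WAN's own tooling): it writes a minimal openssl.cnf that carries exactly the `[req]` and `distinguished_name` sections the error complains about, then builds a self-signed CA and a CA-signed host certificate with the same `req -x509 -days 1460 -newkey rsa:2048` command Patrick used, plus an explicit `-config`. The directory, file names, subject fields and the `v3_host` extension section are all assumptions chosen for this example; as Friedrich says, keep the CA key on a machine behind the firewall, not on the firewall itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from Devil-Linux/FreeS/WAN.
# All paths and subject values are constructed for illustration.
set -eu

# Write a minimal openssl.cnf to $1. The 'distinguished_name' key in [ req ]
# is the entry the error above says is missing; 'prompt = no' takes the subject
# from this file instead of asking interactively.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
prompt              = no

[ req_distinguished_name ]
C  = FR
O  = Example CA (constructed sample)
CN = Example Root CA

# Extensions for the self-signed CA certificate (req -x509 uses these).
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Extensions applied when the CA signs a host certificate (assumed name).
[ v3_host ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Create caKey.pem and caCert.pem in directory $1 using config $2. Extra
# arguments are passed to openssl req (e.g. -nodes to skip the passphrase);
# without them the CA key is passphrase-protected, as in the original command.
make_ca() {
    dir=$1; cnf=$2; shift 2
    openssl req -x509 -days 1460 -newkey rsa:2048 -config "$cnf" \
        -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" "$@"
}

# Create an unencrypted host key, a CSR, and a CA-signed certificate for
# host name $3 in directory $1 using config $2 (leaf extensions from v3_host).
make_host_cert() {
    dir=$1; cnf=$2; cn=$3
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
        -subj "/C=FR/O=Example CA (constructed sample)/CN=$cn" \
        -keyout "$dir/${cn}Key.pem" -out "$dir/${cn}Req.pem"
    openssl x509 -req -days 730 -in "$dir/${cn}Req.pem" \
        -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" -CAcreateserial \
        -extfile "$cnf" -extensions v3_host -out "$dir/${cn}Cert.pem"
}

# Check that the host certificate for $2 in $1 chains to the CA (exit 0 if OK).
verify_chain() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/caCert.pem" "$dir/${cn}Cert.pem"
}

# Usage (run on the CA machine, not on the firewall):
#   mkdir -p /root/ca && write_openssl_cnf /root/ca/openssl.cnf
#   make_ca /root/ca /root/ca/openssl.cnf
#   make_host_cert /root/ca /root/ca/openssl.cnf gateway
#   verify_chain /root/ca gateway
```

Only caCert.pem, the host's own key and the host's certificate need to be copied to the gateway; caKey.pem stays on the CA machine. Before trusting the result, inspect it with `openssl x509 -noout -text -in caCert.pem` and confirm `CA:TRUE` and `Certificate Sign` are present, since a CA certificate generated without these extensions will be rejected by peers that check basic constraints.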
From: Patrick B. <bal...@i3...> - 2003-06-18 09:11:53
Hello

Friedrich Lobenstock wrote:
> Patrick Balestra wrote:
>
>> The file /usr/ssl/openssl.cnf doesn't exist.
>> Where can I get this file?
>
> It is not wise to deploy a CA directly on your firewall! Better
> run this on a computer behind the firewall that's better not
> connected to the LAN - as a matter of security. Otherwise if
> anybody manages to compromise your CA you will not even notice
> them when they can create certificates for themselves.
>
> If you really want to run your CA on the firewall then search for
> the file openssl.cnf on your computer and copy it to /etc
> on the firewall and use
> openssl -config /etc/openssl.cnf

OK, thanks.

>>> Or search the list archive at
>>> http://sourceforge.net/mailarchive/forum.php?forum_id=658
>>
>> I haven't found such a thread in the archives...
>
> And what about this?
> http://sourceforge.net/mailarchive/message.php?msg_id=2338986

The title of this thread doesn't reflect its content... So I didn't read it.

Thanks a lot.