====== Racoon setup with X.509 Certificates ======

Information in this document mainly comes from a document written by Leonardo Ciociano.

Racoon supports X.509 certificates for the authentication process. These certificates may be validated by a certification authority (CA). The configuration is similar to that using [[docs:ipsec:racoon_psk|PSK]]; it differs only in the authentication section.

<code>
path certificate "/etc/racoon/certs";

remote 192.168.2.100 {
        exchange_mode main;
        certificate_type x509 "my_certificate.pem" "my_private_key.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method rsasig;
                dh_group modp4096;
        }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
        pfs_group modp4096;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
</code>

The certificate and private key are stored in ''/etc/racoon/certs''. The certificates and the certificate revocation list (CRL) are stored in PEM format, as generated by openssl. If the certificate is to be validated against a CA (''verify_cert on;'', which is the default), the CA certificate must also be stored in this directory. For openssl to find it, the CA certificate must be linked under its subject hash:

<code>
ln -s CAfile.pem `openssl x509 -noout -hash < CAfile.pem`.0
</code>

If the certificate is also to be checked against the CRL, the CRL must be stored in the same directory with a similar link. The CRL link name uses the hash of the issuing CA, so it is the same hash with the suffix ''.r0'':

<code>
ln -s CRLfile.pem `openssl x509 -noout -hash < CAfile.pem`.r0
</code>

When working with certificates and private keys, it is important to know that racoon cannot decrypt an encrypted private key, so the private key must be available in plain text.
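The steps above (hash links for the CA certificate and CRL, CA validation of the peer certificate, and the plain-text private key requirement) as an added POSIX shell helper, not part of the original page or of racoon itself; the directory and file names follow the page, the function names are this example's own:

```shell
#!/bin/sh
# Added example, not part of the original page: install the hash links racoon
# expects in its certificate directory and check the material before use.
# The directory and file names are the page's; the function names are this
# example's own.

# Link a CA certificate as <subject-hash>.N; the counter N handles several
# CA certificates that share a subject hash. Prints the link name.
link_ca() {
    certdir=$1; cafile=$2
    h=$(openssl x509 -noout -hash -in "$certdir/$cafile") || return 1
    n=0
    while [ -e "$certdir/$h.$n" ]; do
        # Already linked to this file: reuse the existing link.
        [ "$(readlink "$certdir/$h.$n")" = "$cafile" ] && { echo "$h.$n"; return 0; }
        n=$((n + 1))
    done
    ln -s "$cafile" "$certdir/$h.$n" && echo "$h.$n"
}

# Same for a CRL: the name uses the hash of the CRL issuer (the CA's subject
# hash, so it matches the CA link) with suffix rN instead of N.
link_crl() {
    certdir=$1; crlfile=$2
    h=$(openssl crl -noout -hash -in "$certdir/$crlfile") || return 1
    n=0
    while [ -e "$certdir/$h.r$n" ]; do
        [ "$(readlink "$certdir/$h.r$n")" = "$crlfile" ] && { echo "$h.r$n"; return 0; }
        n=$((n + 1))
    done
    ln -s "$crlfile" "$certdir/$h.r$n" && echo "$h.r$n"
}

# Check a peer certificate as racoon will with verify_cert on: it must chain to
# a hashed CA link in this directory only, and the CRL is honoured if present.
verify_peer() {
    certdir=$1; peercert=$2
    set -- -no-CAfile -no-CApath -CApath "$certdir"
    ls "$certdir"/*.r[0-9]* >/dev/null 2>&1 && set -- "$@" -crl_check
    openssl verify "$@" "$certdir/$peercert" >/dev/null 2>&1
}

# racoon cannot decrypt a passphrase-protected private key, so reject one
# up front rather than when the tunnel fails to come up.
key_is_plain() {
    ! grep -q ENCRYPTED "$1"
}
```

Run `link_ca /etc/racoon/certs CAfile.pem` and `link_crl /etc/racoon/certs CRLfile.pem` once after copying the files in, then `verify_peer` against the peer's certificate to see the same verdict racoon will reach.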