docs:ipsec:racoon_x509 [2013/09/27 18:35] – created rootdocs:ipsec:racoon_x509 [2013/09/27 19:43] (current) root
Line 1: Line 1:
 ====== Racoon setup with X.509 Certificates ====== ====== Racoon setup with X.509 Certificates ======
 +
 +<code>Informations in this document mainly come from a document made by Leonardo Ciociano</code>
  
 Racoon supports X.509 certificates for authentication process. These certificates may be validated by a certification authority (CA). The configuration is similar to that using [[docs:ipsec:racoon_psk|PSK]]. It just differs on the authentication section. Racoon supports X.509 certificates for authentication process. These certificates may be validated by a certification authority (CA). The configuration is similar to that using [[docs:ipsec:racoon_psk|PSK]]. It just differs on the authentication section.
  
-------------------------------------------------------------------------- +<code>path certificate "/etc/racoon/certs";
-path certificate "/etc/racoon/certs";+
  
 remote 192.168.2.100 { remote 192.168.2.100 {
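Review bot: the added attribution line `<code>Informations in this document mainly come from a document made by Leonardo Ciociano</code>` wraps prose in a `<code>` block, which DokuWiki renders as preformatted monospace; plain text (or the wiki's note syntax) reads better here, and "Informations" should be "Information". Moving the opening `<code>` in front of `path certificate "/etc/racoon/certs";` in place of the dashed separator is the right fix for the configuration listing, and its matching `</code>` lands in the following hunk, so the block stays balanced.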
Line 25: Line 26:
         authentication_algorithm hmac_sha1;         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;         compression_algorithm deflate;
-} +}</code>
- +
----------------------------------------------------------------------------+
  
-Certificate and private key are stored in /etc/racoon/certs.  The certificates and the certificate revocation list (CRL) are stored in PEM format, generated by openssl.  To create a certificate, see section "How to generate a certificate"  If the certificate should be validated with a CA (verify_cert on; by default), then the CA certificate also should be stored in this directory.  For openssl finds the certificate, it should be linked.+Certificate and private key are stored in ''/etc/racoon/certs''. The certificates and the certificate revocation list (CRL) are stored in PEM format, generated by openssl. If the certificate should be validated with a CA (verify_cert on; by default), then the CA certificate also should be stored in this directory. For openssl finds the certificate, it should be linked.
  
-ln -s CAfile.pem `openssl x509 -noout -hash < CAfile.pem`.0+<code>ln -s CAfile.pem `openssl x509 -noout -hash < CAfile.pem`.0</code>
  
 If the certificate should be checked with the CRL, the CRL should be stored in the same directory with a similar link. If the certificate should be checked with the CRL, the CRL should be stored in the same directory with a similar link.
  
-ln -s CRLfile.pem `openssl x509 -noout -hash < CAfile.pem`.r0+<code>ln -s CRLfile.pem `openssl x509 -noout -hash < CAfile.pem`.r0</code>
  
 When we work with certificates and private keys, is important to know that racoon can't decrypt a private key. So, the private key should be available in plain text. When we work with certificates and private keys, is important to know that racoon can't decrypt a private key. So, the private key should be available in plain text.
-With this command we can decrypt a private key and store it in a file. 
- 
-openssl rsa -in my_private_key.pem -out my_private_key.pem 
-read RSA key 
-Enter PEM pass phrase: password 
-writing RSA key 
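Review bot: removing the `openssl rsa -in my_private_key.pem -out my_private_key.pem` step leaves the sentence "the private key should be available in plain text" with no guidance on how to produce that file or how to protect it; either keep the decryption command or state that the unencrypted key in `/etc/racoon/certs` must be readable only by root (mode 0600), since racoon cannot decrypt it and anyone who can read the file can impersonate this peer. Also, "For openssl finds the certificate, it should be linked." should read "For openssl to find the certificate, it must be linked under its subject hash", the parenthetical "(verify_cert on; by default)" should read "(verify_cert on, the default)", and the dropped pointer to the "How to generate a certificate" section leaves readers without the certificate creation step. Naming the `.r0` CRL link after the hash of `CAfile.pem` rather than the CRL itself is correct, because OpenSSL looks CRLs up by issuer hash; a short remark saying so would stop readers from "fixing" it.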
docs/ipsec/racoon_x509.1380299751.txt.gz · Last modified: 2013/09/27 18:35 by root
