| ISAKMPD(8) | AerieBSD 1.0 Reference Manual | ISAKMPD(8) |
# openssl req -x509 -days 365 -newkey rsa:1024 \
      -keyout /etc/ssl/private/ca.key \
      -out /etc/ssl/ca.crt
openssl req will prompt for information that will be incorporated into the certificate request. The information entered comprises a Distinguished Name (DN). There are quite a few fields, but some can be left blank. For some fields there will be a default value; if '.' is entered, the field will be left blank.
# openssl req -new -key /etc/isakmpd/private/local.key \
      -out /etc/isakmpd/private/10.0.0.1.csr
Now take these certificate signing requests to your CA and process them as below. A subjectAltName extension field should be added to the certificate. Replace 10.0.0.1 with the IP address which isakmpd will use as the certificate identity.
# env CERTIP=10.0.0.1 openssl x509 -req \
      -days 365 -in 10.0.0.1.csr \
      -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
      -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
      -extensions x509v3_IPAddr -out 10.0.0.1.crt
For a FQDN certificate, do:
# env CERTFQDN=somehost.somedomain openssl x509 -req \
      -days 365 -in somehost.somedomain.csr \
      -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
      -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
      -extensions x509v3_FQDN -out somehost.somedomain.crt
If CERTFQDN is being used, make sure that the subjectAltName field of the certificate is specified using srcid in ipsec.conf(5). A similar setup will be required if isakmpd.conf(5) is being used instead. Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ on your local system. Also carry over the CA cert /etc/ssl/ca.crt and put it in /etc/isakmpd/ca/.
| AerieBSD 1.0 Reference Manual | August 26 2008 | ISAKMPD(8) |