X509 certificate! HELP!D!=!-!)


Doug Frippon
Hi, I am trying to generate a certificate that I'll be using for an IPsec
segment between an OBSD 3.8 and a Windows workstation. I'm using ISAKMPD
for this on the OBSD side and the security filter on Windows. If I use
a pre-shared key everything is fine, but with the certificate I have
almost gone mad. I'd like to know how to create an X.509 certificate
with subjectAltName. If anybody has a How-to, it will be welcome. (If
I understand well, I need one CA, one for the daemon and one per user
that will connect.) Thx Doug2die4
BTW I'm using openssl v0.9.7g and Certpatch is not included anymore
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: X509 certificate! HELP!D!=!-!)

Brian Candler
On Wed, Mar 08, 2006 at 03:10:23PM -0500, Doug Frippon wrote:
> Hi, I am trying to generate a certificate that I'll be using for an IPsec
> segment between an OBSD 3.8 and a Windows workstation. I'm using ISAKMPD
> for this on the OBSD side and the security filter on Windows. If I use
> a pre-shared key everything is fine, but with the certificate I have
> almost gone mad. I'd like to know how to create an X.509 certificate
> with subjectAltName.

Did you try:
http://www.google.com/search?q=openssl+subjectaltname

You'll see lots of pages there explaining how to do it.

If you want a simplified solution, I suggest TinyCA:
http://tinyca.sm-zone.net/

This is really just the openssl CA, but with a perl GUI (gtk) wrapper around
it. You can easily configure it so that it prompts you for a subjectAltName
at the time that each certificate is signed; this can contain either a
domain name, an IP address, or an E-mail address.

If you want it *really* easy, then just burn a CD of roCA:
http://www.intrusion-lab.net/roca/

This is a bootable Knoppix (Linux) CD with TinyCA pre-installed. Just add a
USB flash pen and you have a standalone fully-functioning openssl CA with
fluffy GUI, without installing anything. I find a second USB pen is useful
for copying CSRs to the CA and copying the certificates back again.

HTH,

Brian.

Re: X509 certificate! HELP!D!=!-!)

Doug Frippon
I must admit that I haven't tried that search exactly, but I've got
this error with ISAKMPD and tried with that instead of openssl.
Thx
But I'd like to know what I should do with all the certs that I have
to create. Which should go on the host PC (my OBSD where the CA is,
etc.) and which on the user PC?
THX


Re: X509 certificate! HELP!D!=!-!)

Brian Candler
On Thu, Mar 09, 2006 at 09:13:05AM -0500, Doug Frippon wrote:
> I must admit that I haven't tried that search exactly, but I've got
> this error with ISAKMPD and tried with that instead of openssl.
> Thx
> But I'd like to know what I should do with all the certs that I have
> to create. Which should go on the host PC (my OBSD where the CA is,
> etc.) and which on the user PC?

Well, you originally asked how to use OpenSSL to create certificates with
subjectAltName.

You are now asking a different question, which is very specific to OpenBSD's
IPSEC/IKE implementation. I'd suggest that you are more likely to get an
answer on an OpenBSD mailing list.

When you post there, make sure you post your full pluto/isakmpd config, a
dump of your certificates, and all the relevant log entries which are
generated when you attempt to bring up a connection.

If you have a working configuration using PSK, then you could post that too,
as it probably only needs a few tweaks to turn it into a certificate-based
one.

Regards,

Brian.

Re: X509 certificate! HELP!D!=!-!)

Doug Frippon
I'm not sure that I should post it on an OpenBSD mailing list because
my ISAKMPD is working well with a pre-shared key. The only bug comes from
the certificate. I know that I should create a CA certificate, a
certificate for the OBSD and one for the remote user, but what should
I export to OpenBSD and the remote user??? And I did a search with openssl
and altSubjectName; that's why I didn't find anything!! My bad. In
simple words, my question is: do my two hosts need to have their own
certificate, the remote certificate, the CA certificate, and their
private key???
I think they must have the remote cert, the local cert and the
corresponding private key, but I'm not sure about the CA cert???
Thx to all for the help!!!


Re: X509 certificate! HELP!D!=!-!)

Brian Candler
On Thu, Mar 09, 2006 at 10:46:51AM -0500, Doug Frippon wrote:
> I'm not sure that I should post it on an OpenBSD mailing list because
> my ISAKMPD is working well with a pre-shared key. The only bug comes from
> the certificate. I know that I should create a CA certificate, a
> certificate for the OBSD and one for the remote user, but what should
> I export to OpenBSD and the remote user???

That's very much an application question.

I don't use OBSD so I can only talk in generalities. OBSD needs to have a
private key, and it needs to have a certificate containing the public key
corresponding to its private key. The same applies at the client end.

Additionally, both OBSD and the client need to have the root CA certificate
for your CA in the right place.

How exactly you do this is very much a question on how you configure OBSD,
and how you configure the client.

> and I did a search with openssl
> and altSubjectName; that's why I didn't find anything!! My bad. In
> simple words, my question is: do my two hosts need to have their own
> certificate, the remote certificate, the CA certificate, and their
> private key???

Almost. Each host needs to have their own private key, their own
certificate, and the CA certificate, in the right places. When the isakmp
exchange takes place, each side will present its certificate to the other
side. So you don't need to store the other side's certificate anywhere.

Brian.
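Added example, not code from the thread or from any of the tools mentioned in it (TinyCA, roCA, isakmpd): a POSIX shell script that does what the original question asked for with nothing but the openssl command line, and then applies the checks Brian's last message implies. It builds one CA, issues a certificate with an IP subjectAltName for the OpenBSD gateway and one with an e-mail subjectAltName for the Windows user, and confirms that each certificate chains to the CA and belongs to its private key. Every name, address and file name in it is an assumption made for illustration. It was written against the openssl 1.1/3.x CLI; the `-extfile` route for adding extensions at signing time is the same one that existed in 0.9.7, but it has not been run there.

```shell
#!/bin/sh
# Added example (not from the thread): build a tiny CA and issue one
# certificate per IPsec endpoint, each with a subjectAltName, using only
# the openssl command line. All names, addresses and file names below are
# assumed values for illustration.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# 1. The CA: a key plus a self-signed certificate marked as a CA. ca.crt is
#    the one file both endpoints must trust; ca.key stays on the CA machine.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "/CN=Example IPsec CA" -out ca.csr 2>/dev/null
printf '%s\n' \
  'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' > ca.ext
openssl x509 -req -sha256 -in ca.csr -signkey ca.key -days 3650 \
  -extfile ca.ext -out ca.crt 2>/dev/null

# 2. issue NAME SUBJECT SAN: key, CSR and CA-signed certificate for one
#    endpoint. "x509 -req" does not copy v3 extensions from the CSR, so the
#    subjectAltName is supplied through -extfile at signing time.
issue() {
  name=$1; subj=$2; san=$3
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature' \
    "subjectAltName=$san" \
    'authorityKeyIdentifier=keyid' > "$name.ext"
  openssl x509 -req -sha256 -in "$name.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 365 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# Gateway identified by IP address, roadwarrior by e-mail address (assumed
# values; use whichever ID type your IKE configuration matches on).
issue gateway "/CN=gw.example.net" "IP:192.0.2.1"
issue client  "/CN=doug"           "email:doug@example.net"

# san_of CERT: print the subjectAltName line as "openssl x509 -text" renders it.
san_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# chains_to CAFILE CERT: true if CERT validates against CAFILE, which is what
# the peer does with the certificate it receives during the IKE exchange.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT KEY: true if KEY is the private key behind CERT's public key.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# What goes where: ca.crt + gateway.key + gateway.crt to the OpenBSD box,
# ca.crt + client.key + client.crt to the Windows workstation. Neither side
# needs a stored copy of the other's certificate; it arrives in the exchange.
for n in gateway client; do
  chains_to ca.crt "$n.crt" && key_matches "$n.crt" "$n.key" &&
    echo "$n: $(san_of "$n.crt")"
done
```

The two `openssl verify` outcomes are the ones to keep in mind when an IKE daemon rejects a certificate: a leaf that does not validate against the CA file the peer has been given fails in exactly the same way here, without any IPsec in the picture, so running this check on both endpoints' certificates against the copy of ca.crt actually installed there separates "bad certificate" from "bad daemon configuration".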

Re: X509 certificate! HELP!D!=!-!)

Doug Frippon
Thx Brian, that's exactly what I was trying to figure out. For the part
on where the cert goes and how to tell apps to use it, it's OK, but almost
from the beginning I thought that my cert had been made incorrectly, so
that's why I was posting here. From that point I should be able to make
it work. Thanks to you for all the help you provided me.
Doug2die4 =-)
