Just the CA and server cert need to be installed on the OpenBSD side.

On Thu, Apr 13, 2017 at 3:10 AM, Markus Rosjat <ros...@ghweb.de> wrote:

> just to be clear I don't need to install the client cert on the OpenBSD
> machine?
>
> And since this is eating up my time I might switch back to IKEv1 and
> isakmpd. At least there I know I get it done
>
> regards
>
> markus
>
> On 13.04.2017 at 10:13, Markus Rosjat wrote:
>
>> As I stated before I did all the cert installing for the local machine
>> store I will try to create some more certs with different "names" just to
>> see if this makes a difference. I might be wrong what the real FQDN is or
>> better what Windows believes it should be :)
>>
>> regards
>>
>> Markus
>>
>> On 12.04.2017 at 17:21, Bobby Johnson wrote:
>>
>>> If you're doing pure certificate auth, not EAP, I think you need both
>>> certs. They do need to be installed under the local computer account.
>>> Install the CA cert in the trusted root CA store, put the machine cert in
>>> the personal store. I also think it may be necessary to put the full
>>> asn1_dn of the server and client certs in the src_id and dst_id lines of
>>> the iked config.
>>>
>>> On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson <s...@spacehopper.org>
>>> wrote:
>>>
>>>> On 2017-04-12, Markus Rosjat <ros...@ghweb.de> wrote:
>>>>
>>>>> On 12.04.2017 at 11:49, Martijn van Duren wrote:
>>>>>
>>>>>> On 04/12/17 11:42, Stuart Henderson wrote:
>>>>>>
>>>>>>> On 2017-04-11, Markus Rosjat <ros...@ghweb.de> wrote:
>>>>>>>
>>>>>>>> I think the problem is with the Windows side because it tells me
>>>>>>>> there is no certificate to be found. I added the certificate to
>>>>>>>> local machine store -> own certificates (at least in the German UI
>>>>>>>> there is no personal folder)
>>>>>>>
>>>>>>> I think you're adding this cert to the wrong one of the many cert
>>>>>>> stores on Windows. It worked for me in trusted CAs, though there may
>>>>>>> be a better option that also works.
>>>>>>
>>>>>> One thing that also bit me was that I had to put them in the
>>>>>> system-wide store and not in the personal store.
>>>>>
>>>>> well I put the CA certs in the trusted CA Folder and the cert for the
>>>>> machine in "Eigene Zertifikate" in the local machine store
>>>>>
>>>>> it seems to be a problem on the Windows side though
>>>>
>>>> You only want the CA certificate, not the machine certificate.
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT
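
A way to check the Windows side of what this thread discusses, as an added example that is not from any of the posters: it reports which store each certificate actually sits in (local computer vs. current user, Trusted Root vs. Personal) and whether the machine certificate carries its private key. The two subject patterns are placeholders, and the function name is hypothetical.

```powershell
# Added example, not from the thread. Replace the two placeholder patterns.
$CaSubjectLike      = '*CN=EXAMPLE-VPN-CA*'       # placeholder: CA certificate subject
$MachineSubjectLike = '*CN=client.example.org*'   # placeholder: machine certificate subject

# Root = "Trusted Root Certification Authorities"
# My   = "Personal" ("Eigene Zertifikate" in the German UI)
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My'

function Find-CertPlacement {
    param([string]$SubjectLike)
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectLike } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                }
            }
    }
}

$ca      = @(Find-CertPlacement $CaSubjectLike)
$machine = @(Find-CertPlacement $MachineSubjectLike)
($ca + $machine) | Format-Table Store, Subject, HasPrivateKey, NotAfter -AutoSize

# CA certificate: the thread places it in the local computer Trusted Root store.
if (-not ($ca | Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' })) {
    Write-Warning 'CA certificate not found in Cert:\LocalMachine\Root.'
}
# Machine certificate: per the thread, relevant for pure certificate auth (not EAP).
$m = @($machine | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' })
if ($m.Count -eq 0) {
    Write-Warning 'No machine certificate in Cert:\LocalMachine\My.'
} elseif (-not ($m | Where-Object { $_.HasPrivateKey })) {
    Write-Warning 'Machine certificate is present but has no private key.'
}
# Copies that ended up under the user account instead of the local computer.
if (($ca + $machine) | Where-Object { $_.Store -like 'Cert:\CurrentUser\*' }) {
    Write-Warning 'A matching certificate sits in a current-user store.'
}
```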