Hello,
I would like to ask some help.
It is not clear to me from the man pages quoted below, and I couldn't find an answer on
the net either: where shall I place the local certificate file (including the
public key) and the private key if I would like to authenticate both sides with
an X.509 certificate? (So, no PSK, no private-public key pair, only
certificates.)
In what format (pem or crt) and under what name do I need to store the local
cert file(s) under /etc/iked/certs/?
Do I need to store the private key that was used to generate the certificate as
/etc/iked/private/local.key? How shall I store more certificates and private
keys in case I have more local endpoints (more tunnels)? How are these cert
files matched by openiked with the configured policies if I have more policies
(more ikev2 [name])? Could you please send me an example with file names and
paths where both sides are using certificates to authenticate.
Have I understood correctly that there is no need to store anything from the
remote peer, as its pubkey is sent in the 2nd IKEv2 exchange and is verified by
openiked against the signed AUTH payload?
Regards, Agoston
http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/iked.conf.5
- rsa: Use RSA public key authentication with SHA1 as the hash.
http://man.openbsd.org/iked.8
- /etc/iked/certs/: The directory where IKE certificates are kept, both the local
certificate(s)...
- /etc/iked/private/: The directory where local private keys used for public key
authentication are kept. The file local.key is used to store the local private key.