Re: X509 certificate! HELP!D!=!-!)

I must admit that I haven't tried that search exactly, but I've got this error with ISAKMPD and tried with that instead of openssl. Thx.

But I'd like to know what I should do with all the certs that I have to create. Which should go on the host PC (my OBSD where the CA is, etc.) and which on the user PC?

THX

On 3/8/06, Brian Candler [EMAIL PROTECTED] wrote:
> On Wed, Mar 08, 2006 at 03:10:23PM -0500, Doug Frippon wrote:
> > Hi, I am trying to generate a certificate that I'll be using for an IPsec segment between an OBSD 3.8 and a Windows workstation. I'm using ISAKMPD for this on the OBSD side and the security filter on Windows. If I use a pre-shared key everything is fine, but with the certificate I've almost gone mad. I'd like to know how to create an X.509 certificate with subjectAltName.
>
> Did you try:
> http://www.google.com/search?q=openssl+subjectaltname
>
> You'll see lots of pages there explaining how to do it.
>
> If you want a simplified solution, I suggest TinyCA:
> http://tinyca.sm-zone.net/
>
> This is really just the openssl CA, but with a Perl GUI (gtk) wrapper around it. You can easily configure it so that it prompts you for a subjectAltName at the time that each certificate is signed; this can contain either a domain name, an IP address, or an E-mail address.
>
> If you want it *really* easy, then just burn a CD of roCA:
> http://www.intrusion-lab.net/roca/
>
> This is a bootable Knoppix (Linux) CD with TinyCA pre-installed. Just add a USB flash pen and you have a standalone fully-functioning openssl CA with fluffy GUI, without installing anything. I find a second USB pen is useful for copying CSRs to the CA and copying the certificates back again.
>
> HTH,
>
> Brian.

__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          [EMAIL PROTECTED]
Re: X509 certificate! HELP!D!=!-!)

On Thu, Mar 09, 2006 at 09:13:05AM -0500, Doug Frippon wrote:
> I must admit that I haven't tried that search exactly, but I've got this error with ISAKMPD and tried with that instead of openssl. Thx.
>
> But I'd like to know what I should do with all the certs that I have to create. Which should go on the host PC (my OBSD where the CA is, etc.) and which on the user PC?

Well, you originally asked how to use OpenSSL to create certificates with subjectAltName. You are now asking a different question, which is very specific to OpenBSD's IPSEC/IKE implementation. I'd suggest that you are more likely to get an answer on an OpenBSD mailing list.

When you post there, make sure you post your full pluto/isakmpd config, a dump of your certificates, and all the relevant log entries which are generated when you attempt to bring up a connection. If you have a working configuration using PSK, then you could post that too, as it probably only needs a few tweaks to turn it into a certificate-based one.

Regards,

Brian.
Re: X509 certificate! HELP!D!=!-!)

I'm not sure that I should post it on an OpenBSD mailing list, because my ISAKMPD is working well with a pre-shared key. The only bug comes from the certificate. I know that I should create a CA certificate, a certificate for the OBSD and one for the remote user, but what should I export to OpenBSD and the remote user???

And I did a search with openssl and altSubjectName; that's why I didn't find anything!! My bad.

In simple words, my question is: do my two hosts need to have their certificate, the remote certificate, the CA certificate, and their private key??? I think each must have the remote cert, the local cert and the corresponding priv key, but I'm not sure about the CA cert???

Thx to all for the help!!!

On 3/9/06, Brian Candler [EMAIL PROTECTED] wrote:
> On Thu, Mar 09, 2006 at 09:13:05AM -0500, Doug Frippon wrote:
> > I must admit that I haven't tried that search exactly, but I've got this error with ISAKMPD and tried with that instead of openssl. Thx.
> >
> > But I'd like to know what I should do with all the certs that I have to create. Which should go on the host PC (my OBSD where the CA is, etc.) and which on the user PC?
>
> Well, you originally asked how to use OpenSSL to create certificates with subjectAltName. You are now asking a different question, which is very specific to OpenBSD's IPSEC/IKE implementation. I'd suggest that you are more likely to get an answer on an OpenBSD mailing list.
>
> When you post there, make sure you post your full pluto/isakmpd config, a dump of your certificates, and all the relevant log entries which are generated when you attempt to bring up a connection. If you have a working configuration using PSK, then you could post that too, as it probably only needs a few tweaks to turn it into a certificate-based one.
>
> Regards,
>
> Brian.
Re: X509 certificate! HELP!D!=!-!)

On Thu, Mar 09, 2006 at 10:46:51AM -0500, Doug Frippon wrote:
> I'm not sure that I should post it on an OpenBSD mailing list, because my ISAKMPD is working well with a pre-shared key. The only bug comes from the certificate. I know that I should create a CA certificate, a certificate for the OBSD and one for the remote user, but what should I export to OpenBSD and the remote user???

That's very much an application question. I don't use OBSD so I can only talk in generalities.

OBSD needs to have a private key, and it needs to have a certificate containing the public key corresponding to its private key. The same applies at the client end. Additionally, both OBSD and the client need to have the root CA certificate for your CA in the right place.

How exactly you do this is very much a question on how you configure OBSD, and how you configure the client.

> And I did a search with openssl and altSubjectName; that's why I didn't find anything!! My bad.
>
> In simple words, my question is: do my two hosts need to have their certificate, the remote certificate, the CA certificate, and their private key??? I think each must have the remote cert, the local cert and the corresponding priv key, but I'm not sure about the CA cert???

Almost. Each host needs to have their own private key, their own certificate, and the CA certificate, in the right places.

When the isakmp exchange takes place, each side will present its certificate to the other side. So you don't need to store the other side's certificate anywhere.

Brian.
Re: X509 certificate! HELP!D!=!-!)

Thx Brian, that's exactly what I was trying to figure out. For the part on where the cert goes and how to tell apps to use it, it's OK, but almost from the beginning I thought that my cert had been made incorrectly, so that's why I was posting here. From that point I should be able to make it work.

Thanks to you for all the help you provided me.

Doug2die4 =-)

On 3/9/06, Brian Candler [EMAIL PROTECTED] wrote:
> On Thu, Mar 09, 2006 at 10:46:51AM -0500, Doug Frippon wrote:
> > I'm not sure that I should post it on an OpenBSD mailing list, because my ISAKMPD is working well with a pre-shared key. The only bug comes from the certificate. I know that I should create a CA certificate, a certificate for the OBSD and one for the remote user, but what should I export to OpenBSD and the remote user???
>
> That's very much an application question. I don't use OBSD so I can only talk in generalities.
>
> OBSD needs to have a private key, and it needs to have a certificate containing the public key corresponding to its private key. The same applies at the client end. Additionally, both OBSD and the client need to have the root CA certificate for your CA in the right place.
>
> How exactly you do this is very much a question on how you configure OBSD, and how you configure the client.
>
> > And I did a search with openssl and altSubjectName; that's why I didn't find anything!! My bad.
> >
> > In simple words, my question is: do my two hosts need to have their certificate, the remote certificate, the CA certificate, and their private key??? I think each must have the remote cert, the local cert and the corresponding priv key, but I'm not sure about the CA cert???
>
> Almost. Each host needs to have their own private key, their own certificate, and the CA certificate, in the right places.
>
> When the isakmp exchange takes place, each side will present its certificate to the other side. So you don't need to store the other side's certificate anywhere.
>
> Brian.
X509 certificate! HELP!D!=!-!)

Hi,

I am trying to generate a certificate that I'll be using for an IPsec segment between an OBSD 3.8 and a Windows workstation. I'm using ISAKMPD for this on the OBSD side and the security filter on Windows. If I use a pre-shared key everything is fine, but with the certificate I've almost gone mad. I'd like to know how to create an X.509 certificate with subjectAltName. If anybody has a How-to, it will be welcome. (If I understand well, I need one CA, one for the daemon and one per user that will connect.)

Thx
Doug2die4

BTW I'm using openssl v0.9.7g and Certpatch is not included anymore.
Re: X509 certificate! HELP!D!=!-!)

On Wed, Mar 08, 2006 at 03:10:23PM -0500, Doug Frippon wrote:
> Hi, I am trying to generate a certificate that I'll be using for an IPsec segment between an OBSD 3.8 and a Windows workstation. I'm using ISAKMPD for this on the OBSD side and the security filter on Windows. If I use a pre-shared key everything is fine, but with the certificate I've almost gone mad. I'd like to know how to create an X.509 certificate with subjectAltName.

Did you try:
http://www.google.com/search?q=openssl+subjectaltname

You'll see lots of pages there explaining how to do it.

If you want a simplified solution, I suggest TinyCA:
http://tinyca.sm-zone.net/

This is really just the openssl CA, but with a Perl GUI (gtk) wrapper around it. You can easily configure it so that it prompts you for a subjectAltName at the time that each certificate is signed; this can contain either a domain name, an IP address, or an E-mail address.

If you want it *really* easy, then just burn a CD of roCA:
http://www.intrusion-lab.net/roca/

This is a bootable Knoppix (Linux) CD with TinyCA pre-installed. Just add a USB flash pen and you have a standalone fully-functioning openssl CA with fluffy GUI, without installing anything. I find a second USB pen is useful for copying CSRs to the CA and copying the certificates back again.

HTH,

Brian.
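Brian's reply above points at openssl and TinyCA for issuing certificates that carry a subjectAltName, and his later reply in this thread states what each peer must hold (its own private key, its own certificate and the CA certificate, never the other side's certificate). The script below is an added example written for this page; it is not code from the thread, from the OpenSSL project or from TinyCA. It builds a throwaway CA with the plain openssl command line, issues one certificate for the OpenBSD gateway (SAN = its IP address and host name) and one for the Windows user (SAN = an e-mail address), and then runs the two checks a peer will effectively run: the certificate chains to the CA, and the private key on disk really belongs to the certificate. Extensions are taken from a config file with -extfile/-extensions rather than the newer -addext option, so the same commands also work on old releases such as the 0.9.7g mentioned in the original post. Everything here is assumed: openssl on PATH, the names gw.example.net and doug@example.net, the address 192.0.2.1, and the file layout; the isakmpd.conf and Windows policy settings that point at these files are out of scope, as Brian says.

```shell
#!/bin/sh
# Added example, not from the thread: a tiny OpenSSL CA that issues an IPsec
# gateway certificate and a user certificate, each with a subjectAltName, then
# checks that each cert chains to the CA and that key and cert belong together.
# Assumptions: "openssl" is on PATH; every name, address and e-mail is made up.
set -eu

# Write the req/extension config to the file named in $1. The [..._ext]
# sections are selected at signing time with -extensions, so one file serves
# the CA, the gateway and the user. The SAN is what the peer's IKE ID has to
# match: an IP address for the gateway, an e-mail address for the user.
write_ext_conf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
# never used: every request below passes -subj, but old "req" insists on it
CN = unused

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ gateway_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:192.0.2.1, DNS:gw.example.net

[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = email:doug@example.net
EOF
}

# issue DIR NAME SECTION SUBJECT: key + CSR for NAME, signed by the CA in DIR
# with the extensions of SECTION attached.
issue() {
    dir=$1; name=$2; section=$3; subject=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
        -config "$dir/ext.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" \
        -extensions "$section" -out "$dir/$name.crt" 2>/dev/null
}

# build_pki DIR: self-signed CA, the OpenBSD gateway pair and the Windows user
# pair. Each side later keeps ca.crt, its own .crt and its own .key; the other
# side's certificate arrives inside the IKE exchange and is not stored.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    write_ext_conf "$dir/ext.cnf"
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example IPsec CA" -config "$dir/ext.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    issue "$dir" gw   gateway_ext "/CN=gw.example.net"
    issue "$dir" user user_ext    "/CN=doug@example.net"
}

# san_of CERT: print the subjectAltName value line, for example
# "IP Address:192.0.2.1, DNS:gw.example.net" (no need for 1.1.1's -ext).
san_of() {
    openssl x509 -noout -text -in "$1" |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# key_matches_cert KEY CERT: succeed only if CERT carries the public half of
# KEY. A key/cert mix-up is the classic reason a peer rejects a cert that
# looks fine, so check it before touching the IKE configuration.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chain_ok DIR: both end-entity certs must verify against ca.crt, which is
# the check each IKE peer performs on the certificate it receives.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/gw.crt" "$1/user.crt" >/dev/null 2>&1
}

main() {
    d=$(mktemp -d)
    build_pki "$d"
    echo "gateway SAN: $(san_of "$d/gw.crt")"
    echo "user SAN:    $(san_of "$d/user.crt")"
    key_matches_cert "$d/gw.key" "$d/gw.crt" && echo "gw.key matches gw.crt"
    chain_ok "$d" && echo "gw.crt and user.crt verify against ca.crt"
    echo "OpenBSD side: ca.crt gw.crt gw.key; Windows side: ca.crt user.crt user.key ($d)"
}
main
```

Run it as `sh make-san-pki.sh`; it prints the SAN of each certificate, confirms the key/cert pairing and the chain, and leaves the files in a temporary directory. Two things to watch when adapting it: the SAN value must be exactly the identity the peer sends in IKE (an IP address literal for the gateway, the e-mail address for a road warrior; a bare CN is not enough), and `openssl verify` only proves the chain, not that the remote end trusts the same CA, so ca.crt has to be installed on both the OpenBSD box and the Windows workstation.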