Use an It tag to label the additional steps referred to at the beginning
of step 2:
"This step, as well as the next one, needs to be done for every peer.
Furthermore the last step will need to be done once for each ID you want
the peer to have"

Change the file name passed to openssl for extfile to indicate cloned
file is used.

For FQDN certificates, change the CERTFQDN field.

Add instructions on how to check the subjectAltName field of a certificate.

s/fashion/convention.


Sevan
Index: sbin/isakmpd/isakmpd.8
===================================================================
RCS file: /cvs/src/sbin/isakmpd/isakmpd.8,v
retrieving revision 1.120
diff -u -p -r1.120 isakmpd.8
--- sbin/isakmpd/isakmpd.8      17 Apr 2018 12:13:29 -0000      1.120
+++ sbin/isakmpd/isakmpd.8      16 Feb 2019 02:27:13 -0000
@@ -607,6 +607,8 @@ Encoding the ID in the common name is re
 # openssl req -new -key /etc/isakmpd/private/local.key \e
        -out /etc/isakmpd/private/10.0.0.1.csr
 .Ed
+.It
+Generate signed certificates from Certificate Signing Requests (CSRs)
 .Pp
 Now take these certificate signing requests to your CA and process
 them as below.
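Review bot: inserting a new `.It` here splits the old step 2 into two enumerated steps, so the relative references quoted in the mail ("This step, as well as the next one" and "the last step") now resolve to different items than before; check that they still point at the intended steps, or reword them to name the action rather than the position. Also, the new item text is immediately followed by the existing `.Pp`, which renders an extra blank line under the heading; drop it if the other `.It` entries in this list are not followed by `.Pp`.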
@@ -626,12 +628,12 @@ with 10.0.0.1, then run:
 # openssl x509 -req \e
        -days 365 -in 10.0.0.1.csr \e
        -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e
-       -CAcreateserial -extfile /etc/ssl/x509v3.cnf \e
+       -CAcreateserial -extfile ~/tmp_x509v3.cnf \e
        -extensions x509v3_IPAddr -out 10.0.0.1.crt
 .Ed
 .Pp
 For a FQDN certificate, replace
-.Dv $ENV::CERTIP
+.Dv $ENV::CERTFQDN
 with the hostname and run:
 .Bd -literal -offset indent
 # openssl x509 -req \e
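Review bot: only the x509v3_IPAddr command's `-extfile` is switched to `~/tmp_x509v3.cnf`; the FQDN command that begins at the end of this hunk is outside the changed lines, so it still references whatever it did before. Both commands should use the same copied file, and the name must match the file the reader was told to copy `/etc/ssl/x509v3.cnf` to earlier in the page, otherwise the two steps disagree. The `$ENV::CERTIP` to `$ENV::CERTFQDN` change is consistent with the sentence around it, which tells the reader to substitute the hostname.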
@@ -651,6 +653,18 @@ in
 A similar setup will be required if
 .Xr isakmpd.conf 5
 is being used instead.
+To verify the
+.Va subjectAltName
+of the certificate matches the
+.Ic srcid
+referenced in
+.Xr ipsec.conf 5
+use:
+.Bd -literal -offset indent
+# openssl x509 -noout -text -in somehost.somedomain.crt
+.Ed
+.It
+Copy certificates into place
 .Pp
 Put the certificate (the file ending in .crt) in
 .Pa /etc/isakmpd/certs/
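Review bot: the verification example uses `somehost.somedomain.crt`, which matches none of the file names used in the earlier steps (the IP example produces `10.0.0.1.crt`); reuse one of those so the reader can follow the procedure end to end. Since `openssl x509 -noout -text` dumps the whole certificate, the text should say what to look for in the output (the `X509v3 Subject Alternative Name` line) rather than leaving the reader to find it. Two mdoc nits: `.Va` is for variable names, while `subjectAltName` is an X.509 extension name, so `.Dv` or plain text fits better; and the new `.It Copy certificates into place` is again followed directly by `.Pp`, as in the first hunk.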
@@ -721,7 +735,7 @@ has the same mode requirements as
 .Pa isakmpd.conf .
 .It Pa /etc/isakmpd/pubkeys/
 The directory in which trusted public keys are kept.
-The keys must be named in the fashion described above.
+The keys must be named in the convention described above.
 .It Pa /var/run/isakmpd.fifo
 The FIFO used to manually control
 .Nm isakmpd .
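Review bot: "named in the convention described above" is not idiomatic English; if "fashion" is to go, "named according to the convention described above" (or "named in the manner described above") reads better.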
