
Re: [Users] Creating certificates for SSHSentinel hosts

From: Jussi Torhonen (jt_at_ssh.com)
Date: Thu Mar 14 2002 - 07:02:49 CET


Jason A. Pattie wrote:
> Is it possible to generate certificates on a different machine than the
> SSHSentinel host that certificate will be used for? I tried following
> the instructions in the X.509 Installation Guide in order to export the
> PKCS#12 formatted file. However, SSHSentinel complains that the file is
> in an invalid format.

Here's how we've prepared PKCS #12 certificate files under OpenSSL based CA:

-----------------------------------------------------------------------

1)
# Create a certificate request for SSH Sentinel client:

cd /usr/share/ssl/misc
./CA.pl -newcert

# You'll be asked to give a password to protect the private keys.
# Keep that password in your mind.

-----------------------------------------------------------------------

2)
# Sign the certificate request with OpenSSL mini-CA:

./CA.pl -signcert

# To sign the request, you must first give that certificate request
# password made in step 1), and next the password of OpenSSL Root CA
# cert private keys.

-----------------------------------------------------------------------

3)
# Copy the cert into /etc/ipsec.d/ directory for FreeSWAN:

cp -p newcert.pem /etc/ipsec.d/sentinel_cert.pem

-----------------------------------------------------------------------

4)
# Combine a PKCS#12 file, that includes OpenSSL Root CA certificate,
# SSH Sentinel client certificate and the private key:

openssl pkcs12 \
         -export \
         -inkey newreq.pem \
         -in newcert.pem \
         -name "My OpenSSL user certificate" \
         -certfile demoCA/cacert.pem \
         -caname "My OpenSSL Root CA certificate" \
         -out pkcs12_envelope_for_SSH_Sentinel.p12

# To create the envelope, you must first give the password of user
# certificate private keys generated in step 1). Then you must give
# a new password to protect the PKCS#12 envelope being created. You'll
# need this password later to import the data into SSH Sentinel VPN
# client.

-----------------------------------------------------------------------

In SSH Sentinel v1.3 you can either right-click Key Management -> My
Keys -> Import, or drag & drop that .p12 file onto My Keys to import it.
The password specified earlier in step 4) will be queried.

Our FreeSWAN/x509patch/OpenSSL interop guide is still under
construction, but please keep on checking http://www.ipsec.com for the
updates.

Best regards,
Jussi Torhonen, SSH Sentinel Team, http://www.ipsec.com
SSH Communications Security Corp, http://www.ssh.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:42 CEST