Jason A. Pattie wrote:
>
> Interestingly, if I generate a certificate request after the manner of
> the SSHSentinel/FreeS/WAN interoperability guide, sign it using the
> demoCA OpenSSL certificate authority, and reimport the signed
> certificate into SSHSentinel, the connection works perfectly. So the
> only thing I can think of is that something is different concerning the
> OpenSSL generated certificates than those generated by SSHSentinel. I
> noticed that the file size of the OpenSSL generated certificate is
> approximately twice as large as the size of the SSHSentinel generated
> certificate.
>
> Has anyone successfully gotten a connection to work with a PKCS#12
> imported OpenSSL generated certificate into SSHSentinel?

Yes, we have. Please check our brand new document:
http://www.ssh.com/products/sentinel/SSH-Sentinel-1.3-FreeSWAN.pdf

> Also, in the documentation for SSHSentinel 1.3beta-1/2, the old way of
> generating a certificate request from SSHSentinel and then signing it by
> OpenSSL CA and then reimporting it is the documented way of getting
> SSHSentinel to work. But then, what is the point of being able to
> import a PKCS#12 file if it doesn't work, or am I missing something?
> (like command-line arguments to openssl when generating/signing the
> request/certificate)

Find your OpenSSL issued user certificate under My Keys. Does the trust
chain look ok or does it say 'not trusted'?

Find your OpenSSL CA certificate under Trusted Certificates ->
Certification Authorities. Check the Properties of that CA cert. Those
two last options must be selected: 'Trust in certification path
verification' and 'Accept connections authenticated with a certificate
issued by this CA'.

If your OpenSSL CA issues CRLs, check the 'Issues certificate revocation
lists (CRL)' option as well, and declare that CRL LDAP entry point under
Directory Services.

If you cannot get your PKCS#12 cert package to be imported, please send
it and the passphrase to our sentinel-support_at_ssh.com and we will take a
look at it. SSH Sentinel v1.3 should import PKCS#12 certs without a problem.

--
Best regards, Jussi Torhonen, SSH Sentinel Team, http://www.ipsec.com
SSH Communications Security Corp, http://www.ssh.com
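
The trust-chain question asked in the reply above can also be checked on the PKCS#12 file itself before it is imported. The script below is an added example, not part of the original message or of SSH's documentation; it builds a throwaway CA with OpenSSL, and the CA name, user name, passphrase and file names are all constructed.

```shell
#!/bin/sh
# Added example; CA name, user name and passphrase are constructed values.
set -e

make_bundle() {   # $1 = work dir, $2 = passphrase, $3 = yes|no (include CA cert)
  d=$1; pass=$2; with_ca=$3
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Throwaway self-signed CA, then a user key and request signed by that CA.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -subj "/CN=example-user" -newkey rsa:2048 \
    -nodes -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/user.pem" 2>/dev/null
  # -certfile is what puts the CA certificate into the PKCS#12 file.
  if [ "$with_ca" = yes ]; then set -- -certfile "$d/ca.pem"; else set --; fi
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.pem" "$@" \
    -name example-user -passout "pass:$pass" -out "$d/user.p12" 2>/dev/null
}

check_bundle() {  # $1 = work dir, $2 = passphrase; prints trusted / not trusted
  d=$1; pass=$2
  # Split the bundle into the user certificate and any CA certificates it carries.
  openssl pkcs12 -in "$d/user.p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$d/p12-user.pem" 2>/dev/null || true
  openssl pkcs12 -in "$d/user.p12" -passin "pass:$pass" -nokeys -cacerts \
    -out "$d/p12-ca.pem" 2>/dev/null || true
  # The user certificate must chain to a CA certificate found in the bundle.
  if [ -s "$d/p12-ca.pem" ] &&
     openssl verify -CAfile "$d/p12-ca.pem" "$d/p12-user.pem" >/dev/null 2>&1
  then echo "trusted"; else echo "not trusted"; fi
}

work=$(mktemp -d)
make_bundle "$work" example-pass yes
echo "bundle with CA certificate: $(check_bundle "$work" example-pass)"
```

A bundle that reports "not trusted" here contains no CA certificate to chain to, so the CA certificate has to be present under Trusted Certificates by other means.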
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST