
Re: [Users] howto certify a request by 2 different ca?

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Jul 02 2002 - 18:37:37 CEST


Yes, an X.509 certificate request can be signed by
two or more different CAs, resulting in several certificates
for the same host. But an X.509 certificate can never carry
several signatures. The /etc/x509cert.der default
certificate is deprecated because a FreeS/WAN host
can now have several certificates signed by different
CAs and one or several matching private keys.

A not so trivial example:

You generate a RSA private/public key pair #1, save
the private key in key1.pem and put the public key
into a certificate request req1.pem. This certificate
request is signed by two CAs A and B, resulting in the
X.509 certificates cert1A.pem and cert1B.pem.

You generate a second RSA private/public key pair #2,
save the private key in key2.pem and let the certificate
request req2.pem be signed by CA C, resulting in an X.509
certificate cert2C.pem.

You put the two private keys into ipsec.secrets:

: RSA key1.pem
: RSA key2.pem

You define e.g. four connections in ipsec.conf
using different certificates for the FreeS/WAN
gateway:

conn %default
      left=%defaultroute
      leftsubnet=<my subnet>
      leftcert=cert1A.pem # FreeS/WAN's default certificate
      rightrsasigkey=%cert # Certificate expected to be sent by peer
      auto=add

conn hostX
      right=<IP of hostX>
      rightid=<ID of hostX>

conn hostY
      right=<IP of hostY>
      rightid=<ID of hostY>

conn hostZ
      right=<IP of hostZ>
      rightid=<ID of hostZ>
      leftcert=cert1B.pem

conn hostU
      right=<IP of hostU>
      rightid=<ID of hostU>
      leftcert=cert2C.pem

hostX and hostY will both get the default certificate cert1A.pem
signed by CA A. hostZ will receive cert1B.pem signed by CA B
and hostU will get cert2C.pem signed by CA C. Since the public key
is also contained in the private key file, FreeS/WAN will know
by looking for a matching public key that for the connections
to hostX, hostY and hostZ it must sign the hash with the matching
key1.pem but the connection to hostU with key2.pem.

As you can see, this new scheme is quite flexible.

Regards

Andreas

Bernhard Thoni wrote:
> hello everybody,
> is it possible to sign an x509-certificate request (for a freeswan
> host-certificate) by two different ca? and how?;
> i once read on the list (or was it somewhere else?...), that
> the file /etc/x509cert.der (which is the x509 host certificate issued by
> the ca )will be deprecated;
> or do we have to make the cross-certification of CAs?
> thanx a lot in advance,
> greetings,
> bernie
>

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
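The scenario in the mail above, reproduced with openssl as an added example (it is not part of the original post and not FreeS/WAN code): one key pair whose request is signed by two CAs, a second key pair signed by a third CA, and a small lookup that does what the mail says FreeS/WAN does internally, namely pick the ipsec.secrets key whose public half equals the public key in the selected leftcert. All CA names, host names, the scratch directory and the hypothetical helper names (make_ca, sign_req, key_for_cert, issuer_of) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original mail: build a throw-away PKI with
# openssl that mirrors the scenario (cert1A, cert1B from key1; cert2C from
# key2) and show how a gateway can match a certificate to its private key.
set -e

PKI=${PKI:-$(mktemp -d)}   # assumption: scratch directory, nothing in it is real
cd "$PKI"

# One self-signed root per CA (A, B, C). Names are constructed.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "ca$1.key" -out "ca$1.pem" -subj "/CN=CA $1" 2>/dev/null
}

# A host key pair plus a certificate request carrying only its public key.
make_host_key() {
    openssl genrsa -out "key$1.pem" 2048 2>/dev/null
    openssl req -new -key "key$1.pem" -out "req$1.pem" \
        -subj "/CN=gateway$1.example.net" 2>/dev/null
}

# Sign request $1 with CA $2: same public key, different issuer and signature.
sign_req() {
    openssl x509 -req -in "req$1.pem" -CA "ca$2.pem" -CAkey "ca$2.key" \
        -CAcreateserial -days 1 -sha256 -out "cert$1$2.pem" 2>/dev/null
}

# SubjectPublicKeyInfo (PEM) derived from a private key / read from a cert.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# The matching step the mail attributes to FreeS/WAN: given a leftcert and
# the keys listed in ipsec.secrets, return the key whose public half equals
# the certificate's public key. Fails if no key matches.
key_for_cert() {
    cert=$1; shift
    want=$(pubkey_of_cert "$cert")
    for k in "$@"; do
        if [ "$(pubkey_of_key "$k")" = "$want" ]; then
            printf '%s\n' "$k"
            return 0
        fi
    done
    return 1
}

# Issuer CN of a certificate, to confirm which CA signed it.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

make_ca A; make_ca B; make_ca C
make_host_key 1; make_host_key 2
sign_req 1 A; sign_req 1 B; sign_req 2 C

# cert1A and cert1B share key1; cert2C needs key2.
for c in cert1A.pem cert1B.pem cert2C.pem; do
    printf '%s: issued by "%s", signs with %s\n' \
        "$c" "$(issuer_of "$c")" "$(key_for_cert "$c" key1.pem key2.pem)"
done
```

The lookup compares the SubjectPublicKeyInfo as emitted by openssl on both sides, so it is independent of which CA issued the certificate; that is exactly why one private key can serve several certificates. A peer, on the other hand, still only trusts the certificate it can chain to a CA it holds, which `openssl verify -CAfile caA.pem cert1A.pem` succeeds on while the same command against cert2C.pem does not.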

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST