From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Aug 05 2002 - 13:48:14 CEST
Henning Riis Rasmussen wrote:
> Hi all,
>
> I'm trying to use x509 certificates, and have some trouble with that.
>
> I'm using kernel 2.4.18, FreeS/WAN 1.97 patched with NAT-T 0.2 and x509
> 0.9.10.
>
> I have generated my certificates like this:
>
> CA.sh -newca
>
> CA.sh -newreq
>
> CA.sh -sign
>
> Copied the resulting CA certificate "cacert.pem" to /etc/ipsec.d and told
cacert.pem must be copied to /etc/ipsec.d/cacerts
> ipsec.conf to load it with:
>
> leftcert=/etc/ipsec.d/cacert.pem
>
> ("Left" is the local FreeS/WAN gateway).
>
> This goes well.
>
You must create a FreeS/WAN certificate signed by the CA,
put it into /etc/ipsec.d and load it via ipsec.conf with
leftcert=freeswanCert.pem
The corresponding private key goes into /etc/ipsec.d/private
and is loaded via ipsec.secrets:
: RSA freeswanKey.pem "<optional passphrase>"
> The host (roadwarrior) certificate I have renamed "hrr_cert.pem" and copied
> to /etc/ipsec.d.
>
You don't need to store the roadwarrior certificate locally.
rightid=<roadwarrior id>
rightrsasigkey=%cert
is all you need, but you could also use
rightcert=hrr_cert.pem
> I try to load this via /etc/ipsec.secrets (last line in that file):
>
> : RSA /etc/ipsec.d/hrr_cert.pem
>
> But get a debug error from pluto saying
>
> "L1 - version: ASN1 tag 0x02 expected, but is 0x30" and
>
> And another error saying
>
> "error in PKCS#1 private key".
>
> What am I doing wrong?
>
> Regards,
> Henning
>
>
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
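The pluto error quoted in the thread is a direct consequence of the mix-up: a PKCS#1 RSAPrivateKey is SEQUENCE { version INTEGER, ... }, so at nesting level 1 pluto expects tag 0x02, while an X.509 Certificate is SEQUENCE { tbsCertificate SEQUENCE, ... }, whose first inner tag is 0x30. The following script is an added example, not code from the post, from FreeS/WAN or from the X.509 patch; it peeks at the DER structure of a PEM file to tell the two apart before the file is referenced from a ": RSA" line in ipsec.secrets. The file names hrr_cert.pem and freeswanKey.pem are the ones used in the thread; the two PEM blobs are constructed structural skeletons (correct DER shape, placeholder contents), not real keys or certificates.

```python
"""Added example: distinguish a PKCS#1 RSA private key from an X.509
certificate by peeking at the DER nesting, which is the check that produces
"L1 - version: ASN1 tag 0x02 expected, but is 0x30" when a certificate is
given where ipsec.secrets expects a private key.

    RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }
    Certificate   ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(text):
    """Return (label, der_bytes) for the first PEM block in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def read_tlv(buf, off):
    """Decode one DER tag and length at buf[off]; return (tag, value_start, value_end).
    Single-byte tags only, which covers SEQUENCE, INTEGER and the [0] used here."""
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled")
    first = buf[off + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    start = off + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, start, end


def classify(der):
    """Return (kind, pluto_style_error); kind is 'rsa-private-key',
    'certificate' or 'unknown'. The error string mimics pluto's wording."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        return "unknown", "L0 - ASN1 tag 0x30 expected, but is 0x%02x" % tag
    inner, _, _ = read_tlv(der, start)     # first element inside the outer SEQUENCE
    if inner == 0x02:
        return "rsa-private-key", None
    kind = "certificate" if inner == 0x30 else "unknown"
    return kind, "L1 - version: ASN1 tag 0x02 expected, but is 0x%02x" % inner


def check_secrets_file(pem_text):
    """What a ': RSA <file>' line in ipsec.secrets would see when loading this PEM."""
    _label, der = pem_to_der(pem_text)
    return classify(der)


# --- constructed DER skeletons: correct shape, placeholder contents ---
def der(tag, payload):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def pem(label, raw):
    """Wrap DER bytes in a PEM envelope with 64-column base64 lines."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# RSAPrivateKey skeleton: version 0, then two placeholder INTEGERs standing in for n and e
KEY_PEM = pem("RSA PRIVATE KEY",
              der(0x30, der(0x02, b"\x00") + der(0x02, b"\x7f") + der(0x02, b"\x03")))
# Certificate skeleton: tbsCertificate SEQUENCE holding the [0] EXPLICIT version field
CERT_PEM = pem("CERTIFICATE",
               der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")))))

if __name__ == "__main__":
    for name, text in (("hrr_cert.pem (what the post pointed ipsec.secrets at)", CERT_PEM),
                       ("freeswanKey.pem (what ': RSA' expects)", KEY_PEM)):
        print(name, "->", check_secrets_file(text))
```

Run against a real file with `check_secrets_file(open("freeswanKey.pem").read())`: a "certificate" result means the file belongs in /etc/ipsec.d and behind leftcert=, not in /etc/ipsec.d/private behind a ": RSA" line. The parser deliberately stops after the first inner tag; a full validation of the key belongs to pluto or openssl, not to this check.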
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:36 CEST