Re: [Users] x.509-patch + non OpenSSL-CA

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Aug 26 2002 - 17:51:36 CEST


In principle it is possible to use any CA to generate certificates
for FreeS/WAN. Your problem seems to be the private key. I see
three possible scenarios but I don't know which are supported by
the Novell Netware CA:

1) Generate the private key and a certificate request using
    openssl. Import the certificate request into the Novell
    Netware CA which will generate the certificate by using
    the user data and the public key from the request and signing
    it with the CA's private key.

2) The Novell Netware CA can generate private keys. In this case
    it might be possible to export both the private key and the
    host certificate in PKCS#12 or PKCS#7 format. Use openssl pkcs12
    or openssl pkcs7, respectively, to split this file into its
    components. (See also section 5.1 of my "Installation and
    Configuration Guide").

3) If the Novell CA issues certificates using an automatic
    Certificate Enrollment Protocol (e.g. SCEP) then you will be
    in bad luck since presently FreeS/WAN does not offer SCEP
    support.

Regards

Andreas

bbj17_at_gmx.de wrote:
> Hi,
>
> I have an IPSec-FreeSWAN gateway + W2K Roadwarriors. They authenticate by
> certificates (x.509-patch). Everything works fine.
>
> Now I have to use an existing Novell Netware 5.1 CA for signing
> certificates and not the openssl-linux-one.
> Is it possible to use certs from other CAs than openssl?
> Under Netware I can export the selfsigned CA-cert + cert for a user-object.
> So for the FreeSWAN Gateway I have to create a user to give it a
> certificate.
>
> I get every cert in .der format. How can I get the private-Key?
>
> Someone used another CA before???
>

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
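
Scenarios 1 and 2 from the reply above, worked through with the openssl command line as an added example that is not part of the original message. The file names, subject, passphrase and the throwaway CA standing in for the Novell Netware CA are assumptions; the check at the end of each scenario confirms that the certificate really belongs to the private key before both are installed on the gateway.

```shell
#!/bin/sh
# Added example. File names, subject and passphrase are constructed values.
set -eu
umask 077                      # key files are created readable by owner only
WORK=$(mktemp -d)

# Scenario 1: key and request are made on the gateway; only the request
# (user data + public key) is handed to the CA, never the private key.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/gwKey.pem" \
        -out "$WORK/gwReq.pem" -subj "/O=Example/CN=gw.example.org" 2>/dev/null
}

# Stand-in for the external CA (assumption: it returns the certificate in
# DER, as in the question). A throwaway openssl CA signs the request.
stand_in_ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Stand-in CA" \
        -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/gwReq.pem" -CA "$WORK/caCert.pem" \
        -CAkey "$WORK/caKey.pem" -CAcreateserial -days 30 \
        -outform DER -out "$WORK/gwCert.der" 2>/dev/null
}

# True when the certificate (DER) carries the public key of the private key.
cert_matches_key() {
    c=$(openssl x509 -inform DER -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Scenario 2: split a PKCS#12 export into private key and host certificate.
# The passphrase is read from the environment variable P12_PASS.
split_pkcs12() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        -out "$WORK/p12Key.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
        -out "$WORK/p12Cert.pem" 2>/dev/null
}

make_key_and_csr
stand_in_ca_sign
cert_matches_key "$WORK/gwCert.der" "$WORK/gwKey.pem" && echo "scenario 1: key matches"

# Constructed PKCS#12 file standing in for an export from the CA.
export P12_PASS=constructed-passphrase
openssl x509 -inform DER -in "$WORK/gwCert.der" -out "$WORK/gwCert.pem"
openssl pkcs12 -export -inkey "$WORK/gwKey.pem" -in "$WORK/gwCert.pem" \
    -passout env:P12_PASS -out "$WORK/gw.p12"
split_pkcs12 "$WORK/gw.p12"
```

The key written by `split_pkcs12` is unencrypted, so it should stay in a directory only root can read.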



This archive was generated by hypermail 2.1.4 : Mon Aug 26 2002 - 22:20:02 CEST