[Users] x509 "RSA public-key data malformed"

From: Whit Blauvelt (whit_at_transpect.com)
Date: Wed Sep 04 2002 - 03:53:58 CEST


Running through the recipes here. Now trying the Nate Carlson method from
http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
for creating the certs. And I get to the message:

"rightrsasigkey RSA public-key data malformed (input does not begin with
format prefix)"

Now, that was what I got when I pointed ipsec.conf to the key file because
when I just had "rightrsasigkey=%cert" I got "no RSA public key known."

Looks like a perfectly formed file to me, but I haven't studied the RFCs on
this. Is openssl going to be coughing up bad certs?

Um, is there some change in openssl-0.9.6e that's leading to the problems
with Sentinel and now with FS that I'm seeing no matter what path I try to
follow through this process? I'm currently running FS 1.97 plus
x509patch-0.9.10 since that was the last version compatible with the NAT-T
patch two weeks ago, and the remote system is remote - I don't like to boot
up with a new kernel on a production system without being there in person.
But this should work, right?

I suppose I could go off and spend a few days studying the certification
standards and options - but then I still wouldn't know how thoroughly they
are implemented here. Is the x509patch-0.9.10 just too out-of-date at this
point?

It looks like different folks come up with different processes which they
get to work with them for the certificates. It sure would be nice to have a
single document that gave the process in the order it needs to be done, but
with the options at each step spelled out and enough theory to intelligently
debug when stuff (inevitably, in my recent experience) goes wrong.

Whit

This archive was generated by hypermail 2.1.4 : Wed Sep 04 2002 - 06:19:56 CEST