KeyNote-Version: 2
Comment: IKE policy file v2.0 (X.509 auth), by Raptor
Authorizer: "POLICY"
Licensees: "x509-base64:\
MIIBtzCCASACAQAwDQYJKoZIhvcNAQEEBQAwJDELMAkGA1UEBhMCaXQxFTATBgNV\
BAoTDG1lZGlhc2VydmljZTAeFw0wMzAxMTAxMzM0MDZaFw0wNDAxMTAxMzM0MDZa\
MCQxCzAJBgNVBAYT                          cnZpY2UwgZ8wDQYJKoZI\
hvcNAQEBBQADgY0A      THIS IS THE CA      6cDnk/xJb10bOSYDT8Ht\
+Fs9RUSix3kvCBy8       CERTIFICATE        Wr9d8YPrCiUWmM1qVuW7\
j8JsoNUcsJLnCDlV                          /T8kyGrGpVW/Z9BK24DX\
4eM7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAUFfQS60X8rMTkZGFMVfy/3wKaSF7\
E36dGToMzr2Bl3QFYD2V3vY+4fSw9KQVS1hDAl8mCqqZ5tkTXGsSIRzEzTn6w7W2\
qAUrnpfW1TqdGO/hpSzhtvNkR8uAFms5WfzX/1aXwca5aeKJobLWXRiBmtlJu6ra\
AcoYFVccLfXuuFI="
Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" -> "true";

################################################################################
# README.PKI checklist.                                                        #
################################################################################
#
# 1) Make sure you have an RSA-enabled isakmpd (this is the default).
#
# 2) Create your own CA as root (ca.key is the private key, ca.csr is the
#    certificate signing request, and ca.crt is the signed certificate).
#    1024-bit RSA was the sample key size when this was written; use 2048
#    bits or more today.
#
#    openssl genrsa -out /etc/ssl/private/ca.key 1024
#    openssl req -new -key /etc/ssl/private/ca.key \
#        -out /etc/ssl/private/ca.csr
#    openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
#        -signkey /etc/ssl/private/ca.key \
#        -out /etc/ssl/ca.crt
#
# 3) Create keys and certificates for your isakmpd peers (the 1.1.1.1 below
#    stands for the peer's IKE ID and should be changed for each invocation).
#
#    openssl genrsa -out /etc/isakmpd/private/local.key 1024
#    openssl req -new -key /etc/isakmpd/private/local.key \
#        -out /etc/isakmpd/private/1.1.1.1.csr
#
#    Now take these certificate signing requests to your CA and process
#    them. isakmpd matches the peer's IKE ID against a subjectAltName
#    extension in the certificate, which plain "openssl x509 -req" does not
#    add; that is why you need to run certpatch, which inserts the ID given
#    with -i as a subjectAltName and re-signs the certificate with the CA key.
#
#    openssl x509 -req -days 365 -in 1.1.1.1.csr -CA /etc/ssl/ca.crt \
#        -CAkey /etc/ssl/private/ca.key -CAcreateserial \
#        -out 1.1.1.1.crt
#    certpatch -i 1.1.1.1 -k /etc/ssl/private/ca.key \
#        1.1.1.1.crt 1.1.1.1.crt
#
#    Put the signed certificate in /etc/isakmpd/certs/ on your local system.
#    Also copy the CA cert /etc/ssl/ca.crt to /etc/isakmpd/ca/.
#
# 4) Make sure your config files point at the directories where you keep
#    certificates (see isakmpd-x509.conf.* for details).
#
# 5) Remember to set private key permissions properly (chmod 600 on ca.key
#    and local.key; the CA key in particular should never be readable by
#    anyone but root)!
#
################################################################################
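The five steps above as one script, added here as an example; it is not part of the OpenBSD README or of isakmpd. It builds into a directory of your choice (mirroring the ca/, certs/ and private/ layout of /etc/isakmpd) instead of writing to /etc, uses 2048-bit keys, and, because certpatch is an OpenBSD tool that is not part of portable OpenSSL, adds the IKE ID as a subjectAltName through an OpenSSL extension file at signing time instead. The DN values, the minimal openssl.cnf and the function names make_isakmpd_pki and check_peer_cert are assumptions of this example. check_peer_cert is the verification the checklist does not spell out: the peer certificate must chain to the CA, must carry the ID as an IP subjectAltName, and no private key may be readable by anyone but its owner (step 5).

```shell
#!/bin/sh
# Added example, not the original README's commands: CA plus one peer cert for
# isakmpd using portable OpenSSL only.  Paths, key size and DN values are
# assumptions; subjectAltName via -extfile stands in for certpatch -i.
set -eu

# make_isakmpd_pki DIR ID: DIR receives ca/, certs/ and private/; ID is the
# IPv4 address the peer will present as its IKE ID (the "1.1.1.1" above).
make_isakmpd_pki() {
    dir=$1; id=$2
    mkdir -p "$dir/ca" "$dir/certs" "$dir/private"

    # Minimal config so the script does not depend on the system openssl.cnf.
    # v3_ca marks the CA cert as a CA, which 'openssl verify' requires of a
    # v3 trust anchor.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
countryName = Country Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Step 2 (and 5): CA key created 0600 via umask, then a self-signed CA cert.
    (umask 077; openssl genrsa -out "$dir/private/ca.key" 2048 2>/dev/null)
    openssl req -new -x509 -days 365 -config "$dir/openssl.cnf" \
        -extensions v3_ca -key "$dir/private/ca.key" \
        -subj "/C=XX/O=Example CA" -out "$dir/ca/ca.crt"

    # Step 3: peer key and CSR, the CSR named after the ID as the checklist does.
    (umask 077; openssl genrsa -out "$dir/private/local.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/private/local.key" \
        -subj "/C=XX/O=Example/CN=$id" -out "$dir/private/$id.csr"

    # certpatch stand-in: the IKE ID goes into subjectAltName at signing time.
    printf 'subjectAltName=IP:%s\n' "$id" > "$dir/private/$id.ext"
    openssl x509 -req -days 365 -in "$dir/private/$id.csr" \
        -CA "$dir/ca/ca.crt" -CAkey "$dir/private/ca.key" -CAcreateserial \
        -extfile "$dir/private/$id.ext" -out "$dir/certs/$id.crt" 2>/dev/null
}

# check_peer_cert DIR ID: 0 only if certs/ID.crt chains to ca/ca.crt, carries
# ID as an IP subjectAltName, and every key in private/ is mode 0600.
check_peer_cert() {
    dir=$1; id=$2
    openssl verify -CAfile "$dir/ca/ca.crt" "$dir/certs/$id.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/certs/$id.crt" -noout -text \
        | grep -q "IP Address:$id" || return 1
    [ -z "$(find "$dir/private" -name '*.key' ! -perm 600)" ] || return 1
    return 0
}
```

Run it as `make_isakmpd_pki /tmp/pki 10.0.0.1 && check_peer_cert /tmp/pki 10.0.0.1`, then copy ca/ca.crt, certs/10.0.0.1.crt and private/local.key into the matching /etc/isakmpd directories from step 4. The check is worth keeping around: a certificate that verifies but lacks the subjectAltName is the usual reason isakmpd rejects an otherwise valid peer.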