Hmm.  I follow your suggestion about maintaining certs on a separate system.
Actually, that is my intent but it looked like OpenSSH was going to be
necessary to do the format changing (DER, pem etc.).  I've found a compiled
Windows version and, since I'll be maintaining certs on a Windows system, I
think I'll use that.  That only leaves fswcert (used to extract the key and
DN and to format the result suitable for .secrets file).

Would you be so kind as to post (or email me if you don't want to post for
some reason) the fswcert compiled for DCD?

Your help is very much appreciated.

Keith

> -----Original Message-----
> From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 5:35 PM
> To: Keith Laidlaw; LEAF
> Subject: Re: [Leaf-user] OpenSSL and fswcert
>
>
> > I'm just about to set up ipsec509.  All the docs seem to indicate that
> > OpenSSL is the tool to use to set up the certs.  I see that certs can be
> > issued by a MS website, but I think the format of the certs must be
> > changed (from DER to ???) and OpenSSL is mentioned to do the
> > conversion.  Further, fswcert is mentioned as the tool to install the
> > certs (I think).
> >
> > I don't have OpenSSL or fswcert and I only have a standalone devel
> > system (slink w/ 2.0.36 I think).
> >
> > In the same way that SSH needs a few tools to get it up and running
> > (sshkey), is there a .lrp for the tools to get ipsec509 up and running
> > (with OpenSSH and fswcert) or must I find a way to build these or,
> > better yet, are these unnecessary?
>
> The whole of OpenSSL is pretty big, and I don't believe it's been packaged
> for LRP.  I haven't packaged the required OpenSSL utilities for x.509
> IPSec functionality because:
>
> - I don't actually use x.509 Certificates...this support was compiled at
> the request of someone on the LEAF-user list.
>
> - I don't generally like doing things like managing certificates (or even
> RSA host-keys) directly on the firewall box.
>
> - It's pretty easy to either install OpenSSL on any handy linux system,
> and it's much more appropriate on a "full" distribution.
>
> - I guess I figured anyone seriously using x.509 support for linux would
> have copies of these around somewhere already...
>
> You should be able to install & compile OpenSSL on your development system
> pretty easily...IIRC, it compiled on my Debian Slink system without issue.
>
> If you just need the openssl/fswcert binaries, I can probably post them,
> but they're pretty big (900K/500K), and I don't know what (if any) other
> programs are required to run (no special libraries are required, however,
> both programs should run OK on a default Dachstein system).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user