On 2007/12/04 21:48, Jean-Girard Pailloncy wrote:
> The keys are managed by isakmp, and I would like to use a PKI to manage the
> keys. Then to migrate the keys to the VPN servers (file or LDAP?).
I think you're missing part of the puzzle. For the client OS you're talking about, I think you're looking at using X509 certificates; this doesn't involve copying keys. Generate the keys directly on the machines that will use them; then generate a CSR to send to the CA, which returns a signed certificate. All endpoints (client and server equally) have their private key, their individual certificate signed by the CA, and the CA's own certificate. There's no need to go copying all the certs all over the place. Private keys stay private; there's no need for any machine to have a copy, other than the single endpoint directly using it. Please take a look at the section "SETTING UP AN IKE PUBLIC KEY INFRASTRUCTURE (PKI)" in isakmpd(8) if you haven't already. I think many people find a little bit of scripting is enough to tie things together.
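The workflow described in the reply, as an added example that is not part of the original mail or of isakmpd(8): a CA directory and an endpoint directory stand in for two separate hosts, the endpoint generates its own private key and only a CSR crosses to the CA, and the CA hands back a signed certificate plus its own certificate. The hostname gw.example.net, the directory layout and the 365-day lifetimes are constructed for this example; adding a subjectAltName reflects my understanding that isakmpd matches the peer's ID against that extension, and is an assumption about the deployment, not something the mail states.

```shell
#!/bin/sh
# Added example: minimal IKE PKI provisioning with openssl(1).
# Two directories model two hosts. The endpoint's private key is created in
# $GW_DIR and never copied anywhere else; the CA sees only the CSR.
# Names, paths and lifetimes below are constructed for this example.

WORK=${WORK:-$(mktemp -d)}
CA_DIR="$WORK/ca"          # "CA host"
GW_DIR="$WORK/gateway"     # "VPN endpoint host"

# Step 1 (CA host): self-signed CA certificate and CA private key.
make_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        -subj "/CN=Example VPN CA" 2>/dev/null
}

# Step 2 (endpoint host): generate the private key where it will be used,
# then a CSR for it. Only $name.csr is handed to the CA.
make_endpoint_csr() {
    name=$1
    mkdir -p "$GW_DIR"
    openssl genrsa -out "$GW_DIR/$name.key" 2048 2>/dev/null &&
    openssl req -new -key "$GW_DIR/$name.key" -out "$GW_DIR/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
}

# Step 3 (CA host): sign the CSR. The subjectAltName is added here because
# (assumption about the deployment) the IKE ID is the gateway's FQDN.
# The endpoint also receives the CA certificate so it can validate peers.
sign_csr() {
    name=$1
    printf 'subjectAltName=DNS:%s\n' "$name" > "$CA_DIR/$name.ext"
    openssl x509 -req -days 365 -in "$GW_DIR/$name.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/$name.ext" -out "$GW_DIR/$name.crt" 2>/dev/null &&
    cp "$CA_DIR/ca.crt" "$GW_DIR/ca.crt"
}

# Step 4 (endpoint host): the returned certificate must chain to the CA and
# must carry the public half of the key generated locally in step 2.
verify_endpoint() {
    name=$1
    openssl verify -CAfile "$GW_DIR/ca.crt" "$GW_DIR/$name.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$GW_DIR/$name.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$GW_DIR/$name.crt" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Invariant from the mail: no machine other than the endpoint holds its key.
ca_holds_no_endpoint_key() {
    [ ! -e "$CA_DIR/$1.key" ]
}

run_demo() {
    make_ca &&
    make_endpoint_csr gw.example.net &&
    sign_csr gw.example.net &&
    verify_endpoint gw.example.net &&
    ca_holds_no_endpoint_key gw.example.net
}

# Usage: sh this_script.sh
run_demo && echo "gw.example.net provisioned under $GW_DIR (key, cert, CA cert)"
```

After `run_demo`, the endpoint directory holds exactly the three files the reply lists (its private key, its CA-signed certificate and the CA's certificate), and the CA directory holds the CSR it was given and the certificate it issued but no endpoint key; a shell loop over a host list is the "little bit of scripting" the reply refers to.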

