-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
While upgrading a client to use OpenCA to generate certificates, we ran
into a problem. The OpenCA certificates that were generated for the
users did not contain e-mail addresses in the Subject. We used the
batch processor available in OpenCA to generate certificates for all the
users, all at once. OpenCA appeared to place the emailAddress as an
X.509 Subject Alternative Name.
Long story short, we found out that we had to add
'[EMAIL PROTECTED]' to each road warrior connection entry of
the form:
conn userA-rw
        leftsubnet=192.168.0.0/16
        [EMAIL PROTECTED]          <-- new line that made SSHSentinel work
        rightcert=certs/userACert.pem
        rightsubnetwithin=192.168.2.0/24
        auto=add
Prior to switching to OpenCA, we used openssl directly with its demoCA
capabilities to build the FreeS/WAN / SSHSentinel certificates. These
apparently were formatted differently, having the emailAddress existing
as part of the Subject, whereas certificates generated by OpenCA do not
contain the emailAddress as part of the subject but instead have an
additional SN=<#> (e.g., SN=8) after the CN=... part of the Subject.
Does the Subject need to contain the emailAddress field in order for
FreeS/WAN and SSHSentinel to be happy without specifying the rightid
explicitly?
Also, what would be the ramifications of moving to using
'rightrsasigkey=%cert' and a single road warrior connection entry
instead of specifying 'rightcert=certs/userXCert.pem' for each and every
user? Currently we use a 'conn' entry per user in order to be able to
view the logs easily. Is there a way to know what user generates each
log entry instead of having:

Feb 6 17:57:47 firewall.company pluto[1234]: "company-rw"[1] 1.2.3.4 #25: IPsec SA established

"company-rw" for each log entry?
Thanks
- --
Jason A. Pattie
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE+Qvd8uYsUrHkpYtARAtySAJ93oH3FlP3FnY0r7nPqbQQphf3UKgCffcza
KcypuDPaqpP6xRm4QQI/sYo=
=07eC
-----END PGP SIGNATURE-----
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
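The two styles of road warrior configuration the message weighs against each other, written out side by side as an added example (not part of the original message or of OpenCA). The `left*`/`right=%any`/`leftcert` lines are assumptions about what lives in the poster's `conn %default`; the DN in `rightid` is a hypothetical one in the `CN=..., SN=<#>` form the message describes, and the e-mail form of `rightid` is the one used when the peer ID is an rfc822Name rather than a DN.

```conf
# Variant A: one conn per user, pinned to that user's certificate file.
# rightid states the peer ID exactly as the certificate carries it.  With a
# DN-only Subject (no emailAddress), that is the DN; with an e-mail ID it is
# the address itself, e.g. rightid=userA@company.example (hypothetical).
conn userA-rw
        left=%defaultroute                        # assumed
        leftcert=certs/gatewayCert.pem            # assumed
        leftsubnet=192.168.0.0/16
        right=%any                                # assumed
        rightid="C=US, O=Company, CN=userA, SN=8" # hypothetical DN
        rightcert=certs/userACert.pem
        rightsubnetwithin=192.168.2.0/24
        auto=add

# Variant B: a single conn for every road warrior.  No rightcert/rightid:
# the peer sends its certificate in Main Mode, pluto checks that it chains
# to a CA in /etc/ipsec.d/cacerts, and takes the peer ID from the
# certificate itself.  Every log line then carries this one conn name,
# and the per-user attribution has to come from the "Peer ID" the peer sent.
conn company-rw
        left=%defaultroute                        # assumed
        leftcert=certs/gatewayCert.pem            # assumed
        leftsubnet=192.168.0.0/16
        right=%any                                # assumed
        rightrsasigkey=%cert
        rightsubnetwithin=192.168.2.0/24
        auto=add
```

The security-relevant difference: variant A only ever accepts the one certificate named in `rightcert`, so revoking a user means editing (or removing) that conn. Variant B accepts any certificate that validates against a trusted CA, so the set of users is whatever the CA has issued minus what the CRL lists; make sure the CRL is actually loaded, and, if your X.509 patch version supports `rightca`, restrict the conn to the issuing CA so a certificate from another CA in `cacerts` cannot match it.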
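The log question at the end of the message (how to tell users apart when every entry says `"company-rw"`) can be answered after the fact from the logs themselves, provided pluto logs the peer's identity once per negotiation. The Python below is an added example, not code from the original message or from FreeS/WAN: it correlates each `"conn"[instance] peer-IP #state:` line with the `Peer ID is ...` line seen earlier for the same instance and peer address, and reduces a DN identity to its CN for a readable user label. The sample log lines are constructed for this example and follow the shape of the line quoted above; the exact `Peer ID is <kind>: '<id>'` wording is an assumption about pluto's Main Mode logging that you should check against your own logs before relying on it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample pluto log lines (not taken from the original message).
# Shape: ... pluto[pid]: "conn"[instance] peer-ip #state: message
# The 'Peer ID is ...' lines are an ASSUMPTION about what pluto logs.
SAMPLE_LOG = [
    'Feb  6 17:57:40 firewall.company pluto[1234]: "company-rw"[1] 1.2.3.4 #25: '
    'responding to Main Mode from unknown peer 1.2.3.4',
    'Feb  6 17:57:44 firewall.company pluto[1234]: "company-rw"[1] 1.2.3.4 #25: '
    "Peer ID is ID_DER_ASN1_DN: 'C=US, O=Company, CN=userA, SN=8'",
    'Feb  6 17:57:47 firewall.company pluto[1234]: "company-rw"[1] 1.2.3.4 #25: '
    'ISAKMP SA established',
    'Feb  6 17:57:48 firewall.company pluto[1234]: "company-rw"[1] 1.2.3.4 #26: '
    'IPsec SA established',
    'Feb  6 18:02:10 firewall.company pluto[1234]: "company-rw"[2] 5.6.7.8 #27: '
    "Peer ID is ID_USER_FQDN: 'userB@company.example'",
    'Feb  6 18:02:13 firewall.company pluto[1234]: "company-rw"[2] 5.6.7.8 #28: '
    'IPsec SA established',
]

# One road-warrior line: conn name, instance number, peer address, state number.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[0-9.]+) '
    r'#(?P<state>\d+): (?P<msg>.*)$'
)
# The identity the peer sent during Main Mode (assumed wording, see lead-in).
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>\S+): '(?P<ident>[^']*)'")
# CN component of a comma-separated DN string such as "C=US, O=X, CN=userA, SN=8".
CN_RE = re.compile(r'(?:^|, )CN=(?P<cn>[^,]+)')


def user_from_peer_id(kind: str, ident: str) -> str:
    """Reduce a pluto peer ID to a short user label.

    A DN identity (ID_DER_ASN1_DN) becomes its CN; an e-mail style identity
    (ID_USER_FQDN) is used as-is; anything else is returned verbatim.
    """
    if kind == 'ID_DER_ASN1_DN':
        m = CN_RE.search(ident)
        return m.group('cn') if m else ident
    return ident


Row = Tuple[Optional[str], str, str, str, str]  # user, conn, peer, state, msg


def annotate(lines: List[str]) -> List[Row]:
    """Attach a user label to every per-connection pluto line.

    Instances of one road-warrior conn are told apart by (conn, instance,
    peer IP).  The label is None until a 'Peer ID is' line has been seen for
    that key; a later 'Peer ID is' line for the same key (pluto reuses
    instance numbers after teardown) simply overwrites the earlier label.
    """
    users: Dict[Tuple[str, str, str], str] = {}
    rows: List[Row] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # daemon start-up and other lines with no conn instance
        key = (m['conn'], m['inst'], m['peer'])
        pid = PEER_ID_RE.search(m['msg'])
        if pid:
            users[key] = user_from_peer_id(pid['kind'], pid['ident'])
        rows.append((users.get(key), m['conn'], m['peer'], m['state'], m['msg']))
    return rows


def established_by_user(lines: List[str]) -> Dict[str, List[int]]:
    """Map user label -> state numbers whose 'IPsec SA established' was logged."""
    result: Dict[str, List[int]] = {}
    for user, _conn, _peer, state, msg in annotate(lines):
        if msg.startswith('IPsec SA established'):
            result.setdefault(user or '<unknown>', []).append(int(state))
    return result


if __name__ == '__main__':
    for user, conn, peer, state, msg in annotate(SAMPLE_LOG):
        print(f'{user or "?":<22} {conn}[{peer}] #{state}: {msg}')
```

Lines logged before the peer has identified itself (the "responding to Main Mode" line above) cannot be attributed and stay unlabelled, which is the honest answer for a single-conn setup: user attribution is only as good as the identity line pluto emits, so the per-user `conn` entries the message currently uses remain the simpler way to get a name into every line.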