> Has anyone had any experience using openca with Netscreen products?
Yes, we tested NS208 and NS500.
> I'm trying to use OpenCA to issue certificates to netscreen remote (which is in fact an OEM version of SafeNet SoftRemote) and to a Netscreen 500 'security appliance'.
> First I've had to remove the 'subjectAltName=${ENV::subjectAltName}' from the VPN role configuration, otherwise the certificate cannot be issued. I assume this is because the netscreen software doesn't require an email address in the request (and there's nowhere to put it). The same is also true of the web server role (the Netscreen 500 uses SSL for management).
This is not really correct. You can add an IP address and a DNS name to the subject alternative name, which makes sense for a VPN gateway.
> Netscreen Remote's SCEP client will not talk to the SCEP implementation in OpenCA. It'll get the CA certificate no bother, but will not make requests, the format of the reply is wrong.
OK, first a translation question: does "no bother" mean it works or it doesn't work? Sorry, my English dictionaries don't contain this phrase, but I think it means that it works.
If the software reports that the format is wrong, then perhaps the software includes a bug similar to the one in the first versions of OpenCA. OpenCA only accepts requests with newlines after 72 characters. Perhaps the software only accepts answers without newlines? The standard allows both formats, and SSCEP, CISCO and the NetScreen boxes work.
Are there any comments from the vendor?
> Once I've enrolled certificates successfully the netscreen remote client attempts to establish the vpn - the NS500 accepts the certificate and sends back a response - the Netscreen Remote software rejects this with the message:-
> Certificate doesn't match Phase 1 ID. Certificate data used. Cannot match Phase 1 ID with Policy Entry: Certificate ID DOMAIN=
Sounds like the VPN gateway is not configured, but I cannot test it because our test equipment is back at NetScreen.
Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482
(Computing Centre)             Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                        http://www.openca.org
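
The line-wrapping mismatch suggested in the reply above, as an added example that is not part of the original message or of OpenCA's code: a decoder that insists on 72-character lines, as the message describes for OpenCA, beside one that accepts any wrapping. The payload is a constructed stand-in for a DER-encoded SCEP message, and all function names are hypothetical.

```python
import base64

# Constructed stand-in for a DER-encoded SCEP (PKCS#7) message.
SAMPLE = bytes(range(256))


def wrap(data: bytes, width: int) -> str:
    """Base64-encode data, breaking lines every `width` characters (0 = no breaks)."""
    b64 = base64.b64encode(data).decode("ascii")
    if width == 0:
        return b64
    return "\r\n".join(b64[i:i + width] for i in range(0, len(b64), width))


def strict_decode(text: str, width: int = 72) -> bytes:
    """Model of the behaviour described in the message: only `width`-character
    lines are accepted (the last line may be shorter)."""
    lines = text.strip().splitlines()
    if (not lines or len(lines[-1]) > width
            or any(len(line) != width for line in lines[:-1])):
        raise ValueError(f"expected base64 wrapped at {width} characters")
    return base64.b64decode("".join(lines), validate=True)


def tolerant_decode(text: str) -> bytes:
    """Accept wrapped or unwrapped base64: drop whitespace only, then validate.
    validate=True rejects any other stray character instead of silently
    discarding it, which is what b64decode does by default."""
    compact = "".join(text.split())
    return base64.b64decode(compact, validate=True)


def interop_matrix(widths=(0, 64, 72, 76)):
    """Map each sender line width to (strict decoder ok, tolerant decoder ok)."""
    result = {}
    for width in widths:
        encoded = wrap(SAMPLE, width)
        try:
            strict_ok = strict_decode(encoded) == SAMPLE
        except ValueError:
            strict_ok = False
        result[width] = (strict_ok, tolerant_decode(encoded) == SAMPLE)
    return result


if __name__ == "__main__":
    for width, (strict_ok, tolerant_ok) in interop_matrix().items():
        print(f"width={width:>2}  strict={strict_ok}  tolerant={tolerant_ok}")
```

When debugging an enrolment failure like this one, comparing the line width of a captured request and reply against what each side accepts shows quickly whether wrapping is the cause.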
