Hi there, I've been trying to get all my certificates and things in place so I can use encryption schemes other than preshared keys.
I've been following the instructions shown at: http://www.evolvedatacom.nl/freeswan-3.html, and I want to check the basic sequence.

1. Create Certificate authority
2. Move CA certificate (cacert.pem) to /etc/ipsec.d/cacerts
3. Create the freeswan certificate.
4. Sign the freeswan certificate.
5. Move the private key generated (newreq.pem) to /etc/ipsec.d/private/freeswan-priv.pem
6. Move the signed cert (newcert.pem) to /etc/ipsec.d/free-swan.cert.pem
7. Create an x.509 DER certificate (openssl x509 -in /etc/ipsec.d/freeswan-cert.pem -outform DER -out /etc/x509cert.der)
8. Add RSA certificate and password line to /etc/ipsec.secrets
9. Create the 'RoadWarrior' certificate
10. Sign the roadwarrior certificate.
11. Move the private key created here to /etc/ipsec.d/private/client-priv.pem
12. Move the signed certificate created here to /etc/ipsec.d/client-cert.pem
13. Create the CRL certificate (openssl ca -gencrl -crldays xx -out /etc/ipsec.d/crls/crl.pem)
14. Create .p12 format certificates of the RoadWarrior certificate (openssl pkcs12 -export -in /etc/ipsec.d/client-cert.pem -inkey /etc/ipsec.d/private/client-priv.pem -certfile usr/lib/ssl/misc/demoCA/cacert.pem -out /tmp/client.p12)

I'm having problems getting stage 10 to work. I think I have created a RoadWarrior certificate, but when I sign it, the resultant file newcert.pem is 0 bytes long:

root]# /usr/share/ssl/misc/CA -sign

gives the error:

ERROR:There is already a certificate for /C=GB/ST=London/L=.......

I've been through the process once and got it wrong, so I'm not 100% sure what stage I'm at. I think I have to recreate a roadwarrior file from the certificates I already have installed? Can anyone help me untangle it?

Gavin.
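Added example, not from Gavin's post or the linked FreeS/WAN guide: a throw-away OpenSSL CA run through the same sequence (CA, a gateway and a road-warrior certificate with distinct subjects, a CRL, a .p12 bundle), with the unique_subject check that produces the "There is already a certificate for" message kept on, so a second request for a subject already in index.txt is refused and its output file stays empty. Every path, subject name and password in it is a constructed assumption, not a FreeS/WAN default.

```shell
#!/bin/sh
# Added example (not from the post or the linked FreeS/WAN guide): a throw-away
# OpenSSL CA that issues a gateway and a road-warrior certificate, then a CRL
# and a PKCS#12 bundle. Every path, name and password here is an assumption.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"
setup_ca() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
  : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"   # index.txt = issued-cert database
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_cn
unique_subject = yes
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo VPN CA" \
    -addext "basicConstraints=critical,CA:TRUE" -config "$CA_DIR/openssl.cnf" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}
# issue_cert NAME SUBJECT: key, request and CA-signed cert. Fails (non-zero) when SUBJECT
# already has a valid entry in index.txt: the CA refuses it and the cert file stays empty.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -config "$CA_DIR/openssl.cnf" \
    -keyout "$CA_DIR/$1-priv.pem" -out "$CA_DIR/$1.csr" 2>/dev/null
  openssl ca -batch -days 365 -config "$CA_DIR/openssl.cnf" -in "$CA_DIR/$1.csr" \
    -out "$CA_DIR/$1-cert.pem" 2>/dev/null && [ -s "$CA_DIR/$1-cert.pem" ]
}
make_crl() { openssl ca -gencrl -crldays 30 -config "$CA_DIR/openssl.cnf" -out "$CA_DIR/crl.pem" 2>/dev/null; }
# verify_cert NAME: chain plus CRL check, the same test a gateway applies to a peer's certificate.
verify_cert() { openssl verify -CAfile "$CA_DIR/cacert.pem" -CRLfile "$CA_DIR/crl.pem" -crl_check \
    "$CA_DIR/$1-cert.pem" >/dev/null 2>&1; }
export_p12() { openssl pkcs12 -export -in "$CA_DIR/$1-cert.pem" -inkey "$CA_DIR/$1-priv.pem" \
    -certfile "$CA_DIR/cacert.pem" -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:demo \
    -out "$CA_DIR/$1.p12" 2>/dev/null; }
setup_ca; issue_cert gateway "/CN=vpn-gateway"; issue_cert roadwarrior "/CN=roadwarrior1"
make_crl; export_p12 roadwarrior
```

Running issue_cert a second time with a subject already listed as valid in index.txt is refused by the unique_subject check, which is the situation the post describes; the entry has to be revoked (or the subject changed) before that subject can be issued again.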