Differences

This shows you the differences between two versions of the page.

--- wiki:vpn_pki [2020/02/21 11:53]
127.0.0.1 external edit
+++ — (current)
@@ Line 1: / Line 1: @@
-====== VPN - PKI management ======
-The following are command examples that may be used to create secrets for the VPN connection.
-It is assumed that these commands are typed on the VPN server side (not on the gateway)
-===== IPsec / strongswan =====
-==== Root certification authority =====
-First, create a root certification authority. It will be used to sign the VPN server and client certificates. The certificate itself is self-signed, but it could be signed by a trusted CA (this case is not documented here).
-<code bash>
-# Work in /etc/ipsec.d
-cd /etc/ipsec.d
-# Create a 4096 bit private key
-ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem
-chmod 600 private/rootca.pem
-# Create a 10 year certificate
-ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem >cacerts/rootca.pem
-</code>
-==== VPN server certificate ====
-Then, create a certificate and private key that will be used by the VPN server:
-<code bash>
-# Create a 2048 bit VPN private key
-ipsec pki --gen --type rsa --size 2048 --outform pem >private/vpnkey.pem
-chmod 600 private/vpnkey.pem
-# Create a 2 year VPN certificate
-ipsec pki --pub --in private/vpnkey.pem --type rsa \
-    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate --outform pem >certs/vpncert.pem
-</code>
-==== Client certificates ====
-Still on the server, create client secrets (certificate and private key). This step has to be repeated for each client that will connect to the VPN.
-<code bash>
-# Create a 2048 bit client private key
-ipsec pki --gen --type rsa --size 2048 --outform pem >private/ifemto_XXXXXX.pem
-chmod 600 private/ifemto_XXXXXX.pem
-# Create a 2 year client certificate
-ipsec pki --pub --in private/ifemto_XXXXXX.pem --type rsa \
-    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem
-</code>
-==== P12 Packaging ====
-The Wirnet™ iFemtoCell uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:
-<code bash>
-openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.pem -name "ifemto 0x2eXXXXXX" -certfile cacerts/rootca.pem -caname "Kerlink root CA" -out ifemto_XXXXXX.p12
-Enter Export Password:
-Verifying - Enter Export Password:
-</code>
-The password will have to be entered in the client configuration file (''client.conf'')
-===== OpenVPN =====
-[[https://github.com/OpenVPN/easy-rsa|EasyRSA]] can be used to quickly generate secrets for the VPN server.
-It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file.
-A DH file has to be generated with:
-<code bash>
-openssl dhparam -out dh2048.pem 2048
-</code>

Wanesy™ SPN (End Of Life)

User Tools

Site Tools

Differences

Page Tools