Differences

This shows you the differences between two versions of the page.

--- wiki:webui:administration:openvpn:pki [2021/09/22 13:17]
tda
+++ wiki:webui:administration:openvpn:pki [2021/09/22 15:57] (current)
tda
@@ Line 50: / Line 50: @@
     | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem
 </code>
+==== P12 Packaging (PKCS#12) ====
+It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file.
+The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:
+<code bash>
+# openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.crt -name "ifemto 0x2eXXXXXX" -certfile certs/ca.crt -caname "Kerlink root CA" -out ifemto_XXXXXX.p12
+</code>
+<code bash>
+Enter Export Password:
+Verifying - Enter Export Password:
+</code>
+The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive.
 \\
@@ Line 339: / Line 355: @@
 Organization Name []:Kerlink
 Organizational Unit Name []:DSC
-Common Name []:server
+Common Name []:client
 Email Address []:tda@kerlink.fr
 </code>
@@ Line 357: / Line 373: @@
 <code bash>
-# cd /root/CA/certs/
+# cd /root/ca/certs/
 # openssl verify -CAfile ca.crt client.crt
 </code>
@@ Line 363: / Line 379: @@
 === Generate the Diffie-Hellman (DH) parameters ===
 <code bash>
-# cd /root/CA
+# cd /root/ca
 # openssl dhparam -out dh2048.pem 2048
 </code>
@@ Line 501: / Line 517: @@
 \\
 \\
-===== P12 Packaging (PKCS#12) =====
+==== P12 Packaging (PKCS#12) ====
-It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file.
+It is advised to have a PKCS#12 file containing the public certificate, the CA certificate, and the private key. \\
+This will be referenced in the ''pkcs12 <file>'' directive in the server and client's configuration file.
 The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:
+For the server:
 <code bash>
-# openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.crt -name "ifemto 0x2eXXXXXX" -certfile certs/ca.crt -caname "Kerlink root CA" -out ifemto_XXXXXX.p12
+# openssl pkcs12 -export -inkey private/server.key -in certs/server.crt  -certfile certs/ca.crt -out server.p12
 </code>
 <code bash>
@@ Line 514: / Line 532: @@
 Verifying - Enter Export Password:
 </code>
+The password will have to be entered in the server configuration file (''server-openvpn.conf'') using the ''askpass'' directive.
-The password will have to be entered in the client configuration file (''client-openvpn.conf'')
+For the client:
+<code bash>
+# openssl pkcs12 -export -inkey private/client1.key -in certs/client1.crt -certfile certs/ca.crt -out client1.p12
+</code>
+<code bash>
+Enter Export Password:
+Verifying - Enter Export Password:
+</code>
+The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive.
+\\
 \\
+Note: if certificates have been generated by easyRSA, please replace the directory certs/ by issued/.
 \\

Wanesy™ SPN (End Of Life)

User Tools

Site Tools

Differences

Page Tools