User Tools
wiki:webui:administration:openvpn:pki
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
wiki:webui:administration:openvpn:pki [2021/09/22 13:26] tda |
wiki:webui:administration:openvpn:pki [2021/09/22 15:57] (current) tda |
||
|---|---|---|---|
| Line 50: | Line 50: | ||
| | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem | | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem | ||
| </code> | </code> | ||
| + | |||
| + | ==== P12 Packaging (PKCS#12) ==== | ||
| + | |||
| + | It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file. | ||
| + | |||
| + | The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys: | ||
| + | |||
| + | <code bash> | ||
| + | # openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.crt -name "ifemto 0x2eXXXXXX" -certfile certs/ca.crt -caname "Kerlink root CA" -out ifemto_XXXXXX.p12 | ||
| + | </code> | ||
| + | <code bash> | ||
| + | Enter Export Password: | ||
| + | Verifying - Enter Export Password: | ||
| + | </code> | ||
| + | |||
| + | The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive. | ||
| \\ | \\ | ||
| Line 501: | Line 517: | ||
| \\ | \\ | ||
| \\ | \\ | ||
| - | ===== P12 Packaging (PKCS#12) ===== | + | ==== P12 Packaging (PKCS#12) ==== |
| - | It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file. | + | It is advised to have a PKCS#12 file containing the public certificate, the CA certificate, and the private key. \\ |
| + | This will be referenced in the ''pkcs12 <file>'' directive in the server and client's configuration file. | ||
| The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys: | The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys: | ||
| + | For the server: | ||
| <code bash> | <code bash> | ||
| - | # openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.crt -name "ifemto 0x2eXXXXXX" -certfile certs/ca.crt -caname "Kerlink root CA" -out ifemto_XXXXXX.p12 | + | # openssl pkcs12 -export -inkey private/server.key -in certs/server.crt -certfile certs/ca.crt -out server.p12 |
| + | </code> | ||
| + | <code bash> | ||
| + | Enter Export Password: | ||
| + | Verifying - Enter Export Password: | ||
| + | </code> | ||
| + | The password will have to be entered in the server configuration file (''server-openvpn.conf'') using the ''askpass'' directive. | ||
| + | |||
| + | For the client: | ||
| + | <code bash> | ||
| + | # openssl pkcs12 -export -inkey private/client1.key -in certs/client1.crt -certfile certs/ca.crt -out client1.p12 | ||
| </code> | </code> | ||
| <code bash> | <code bash> | ||
| Line 517: | Line 545: | ||
| The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive. | The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive. | ||
| \\ | \\ | ||
| + | \\ | ||
| + | Note: if certificates have been generated by easyRSA, please replace the directory certs/ by issued/. | ||
| \\ | \\ | ||
wiki/webui/administration/openvpn/pki.1632309963.txt.gz · Last modified: 2021/09/22 13:26 by tda
Page Tools
