
VPN - PKI management

The following are command examples that may be used to create secrets for the VPN connection.

It is assumed that these commands are typed on the VPN server side (not on the gateway).

IPsec / strongSwan

Root certification authority

First, create a root certification authority. It will be used to sign the VPN server and client certificates. The CA certificate is self-signed here; it could instead be signed by a trusted CA (that case is not documented here).

# Work in /etc/ipsec.d
cd /etc/ipsec.d
 
# Create a 4096 bit private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem
chmod 600 private/rootca.pem
 
# Create a 10 year certificate
ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem >cacerts/rootca.pem

VPN server certificate

Then, create a certificate and private key that will be used by the VPN server:

# Create a 2048 bit VPN private key
ipsec pki --gen --type rsa --size 2048 --outform pem >private/vpnkey.pem
chmod 600 private/vpnkey.pem
 
# Create a 2 year VPN certificate
ipsec pki --pub --in private/vpnkey.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate --outform pem >certs/vpncert.pem

Client certificates

Still on the server, create client secrets (certificate and private key). This step has to be repeated for each client that will connect to the VPN.

# Create a 2048 bit client private key
ipsec pki --gen --type rsa --size 2048 --outform pem >private/ifemto_XXXXXX.pem
chmod 600 private/ifemto_XXXXXX.pem
 
# Create a 2 year client certificate
ipsec pki --pub --in private/ifemto_XXXXXX.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem

P12 Packaging

The Wirnet™ gateway reads the secrets from a PKCS#12-encoded file. Use the following command to build a .p12 file from the client certificate and key generated above, bundling the root CA certificate with them:

openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.pem -name "ifemto 0x2eXXXXXX" -certfile cacerts/rootca.pem -caname "Kerlink root CA" -out ifemto_XXXXXX.p12
Enter Export Password:
Verifying - Enter Export Password:

The export password will have to be entered in the client configuration file (client.conf).
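The whole IPsec procedure above (root CA, server certificate, client certificate, .p12 bundle) done with plain openssl instead of "ipsec pki", followed by the checks worth running before a bundle is loaded on a gateway. This is an added example, not a command set from the wiki or from Kerlink; it assumes openssl 1.1 or later is installed, mirrors the page's DNs and placeholders (XXXXXX, vpn.hostname.tld) and passes the export password on the command line rather than at the prompt.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: rebuild the same PKI with
# openssl in place of "ipsec pki", then verify it. Assumptions: openssl 1.1+
# in PATH; DNs mirror the page; XXXXXX and the password are placeholders.
set -eu
# issue_cert KEY CERT CN EXTFILE: 2048-bit key and a 2-year CA-signed cert,
# run relative to the PKI directory (same layout as /etc/ipsec.d).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FR/O=Kerlink/CN=$3" -keyout "private/$1.pem" -out "$1.csr" 2>/dev/null
    chmod 600 "private/$1.pem"
    openssl x509 -req -in "$1.csr" -days 730 -sha256 -CA cacerts/rootca.pem \
        -CAkey private/rootca.pem -CAcreateserial -extfile "$4" -out "certs/$2.pem" 2>/dev/null
}

# build_pki DIR PASSWORD: root CA, server cert, client cert and client .p12.
build_pki() (
    cd "$1" && mkdir -p private certs cacerts
    # Root CA: 4096-bit RSA, self-signed, 10 years (as on the page).
    openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -sha256 \
        -subj "/C=FR/O=Kerlink/CN=Kerlink Root CA" \
        -keyout private/rootca.pem -out cacerts/rootca.pem 2>/dev/null
    chmod 600 private/rootca.pem
    # Server: serverAuth plus ikeIntermediate (OID 1.3.6.1.5.5.8.2.2), the
    # two EKUs that "--flag serverAuth --flag ikeIntermediate" add.
    printf 'extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' > server.ext
    issue_cert vpnkey vpncert vpn.hostname.tld server.ext
    # Client: plain end-entity cert, CN in the klk-wifc-XXXXXX form.
    printf 'basicConstraints=CA:FALSE\n' > client.ext
    issue_cert ifemto_XXXXXX ifemto_XXXXXX klk-wifc-XXXXXX client.ext
    # Same bundle as the page, but the password is passed non-interactively.
    openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.pem \
        -name "ifemto 0x2eXXXXXX" -certfile cacerts/rootca.pem -caname "Kerlink root CA" \
        -passout "pass:$2" -out ifemto_XXXXXX.p12
)

# verify_pki DIR PASSWORD: checks worth running before shipping a .p12;
# returns non-zero if any of them fails.
verify_pki() (
    cd "$1" &&
    # 1. both leaf certificates chain to the root CA
    openssl verify -CAfile cacerts/rootca.pem certs/vpncert.pem certs/ifemto_XXXXXX.pem >/dev/null &&
    # 2. the server certificate carries the ikeIntermediate EKU
    openssl x509 -in certs/vpncert.pem -noout -text | grep -Eq 'ikeIntermediate|1\.3\.6\.1\.5\.5\.8\.2\.2' &&
    # 3. the client key and certificate share the same public key
    [ "$(openssl x509 -in certs/ifemto_XXXXXX.pem -noout -pubkey)" = \
      "$(openssl pkey -in private/ifemto_XXXXXX.pem -pubout)" ] &&
    # 4. the bundle opens with the password and carries the CA certificate
    openssl pkcs12 -in ifemto_XXXXXX.p12 -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null | grep -q 'Kerlink Root CA'
)
```

Run it as `build_pki /tmp/pki 'secret' && verify_pki /tmp/pki 'secret'`; a wrong password or a certificate not signed by rootca.pem makes verify_pki return non-zero.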

OpenVPN

EasyRSA can be used to quickly generate secrets for the VPN server.

It is advised to use a PKCS#12 file containing the server certificate, the CA certificate and the server private key. This file is referenced by the pkcs12 <file> directive of the server configuration file.

A DH file has to be generated with:

openssl dhparam -out dh2048.pem 2048

wiki/webui/administration/openvpn/pki.1584110487.txt.gz · Last modified: 2020/03/13 15:41 by ghi