Differences

This shows you the differences between two versions of the page.

--- wiki:vpn_pki [2019/09/25 16:26]
ghi removed
+++ — (current)
@@ Line 1: / Line 1: @@
-====== VPN - PKI management ======
-The following are command examples that may be used to create secrets for the VPN connection.
-It is assumed that these commands are typed on the server on which the VPN daemon will be installed.
-===== IPsec / strongswan =====
-==== Root certification authority =====
-First, create a root certification authority. This will be used to sign the VPN and client certificates. The certificate itself is self-signed, but it could be signed by a trusted CA (this case is not documented here).
-<code bash>
-# Work in /etc/ipsec.d
-cd /etc/ipsec.d
-# Create a 4096 bit private key
-ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem
-chmod 600 private/rootca.pem
-# Create a 10 year certificate
-ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem >cacerts/rootca.pem
-</code>
-==== VPN server certificate ====
-Then, create a certificate and private key that will be used by the VPN server:
-<code bash>
-# Create a 2048 bit VPN private key
-ipsec pki --gen --type rsa --size 2048 --outform pem >private/vpnkey.pem
-chmod 600 private/vpnkey.pem
-# Create a 2 year VPN certificate
-ipsec pki --pub --in private/vpnkey.pem --type rsa \
-    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate --outform pem >certs/vpncert.pem
-</code>
-==== Client certificates ====
-Still, on the server, create client secrets (certificate and private key). This step has to be repeated for each client that will connect to the VPN.
-<code bash>
-# Create a 2048 bit client private key
-ipsec pki --gen --type rsa --size 2048 --outform pem >private/ibts_060434.pem
-chmod 600 private/ibts_060434.pem
-# Create a 2 year client certificate
-ipsec pki --pub --in private/ibts_060434.pem --type rsa \
-    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-lpbs-060434" --outform pem > certs/ibts_060434.pem
-</code>
-==== P12 Packaging ====
-The Wirnet iBTS and iFemtoCell use the secrets in a PKCS#12 encoded file. To generate one ''.p12'' file from the generated certificates/keys:
-<code bash>
-openssl pkcs12 -export -inkey private/ibts_060434.pem -in certs/ibts_060434.pem -name "iBTS 0x2e060434" -certfile cacerts/rootca.pem -caname "Kerlink root CA" -out ibts_060434.p12
-Enter Export Password:
-Verifying - Enter Export Password:
-</code>
-The password will have to be entered in the client configuration file (the one that is ciphered, see [[wiki:vpn_client#provencore_configuration|Setting up the VPN client]]).
-===== OpenVPN =====
-[[https://github.com/OpenVPN/easy-rsa|EasyRSA]] can be used to quickly generate secrets for the VPN server.
-It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file.
-A DH file has to be generated with
-<code bash>
-openssl dhparam -out dh2048.pem 2048
-</code>
-===== Next =====
-Next step is [[ wiki:vpn_server|VPN server configuration]].

Wirnet™ i-series

User Tools

Site Tools

Differences

Page Tools