VPN - PKI management

The following are command examples that may be used to create secrets for the VPN connection.

It is assumed that these commands are typed on the server on which the VPN daemon will be installed.

IPsec / strongswan

Root certification authority

First, create a root certification authority (CA). It will be used to sign the VPN server and client certificates. The CA certificate created here is self-signed, but it could instead be signed by a trusted CA (that case is not documented here).

# Work in /etc/ipsec.d
cd /etc/ipsec.d
 
# Create a 4096 bit private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem
chmod 600 private/rootca.pem
 
# Create a 10 year certificate
ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem >cacerts/rootca.pem

VPN server certificate

Then, create a certificate and private key that will be used by the VPN server:

# Create a 2048 bit VPN private key
ipsec pki --gen --type rsa --size 2048 --outform pem >private/vpnkey.pem
chmod 600 private/vpnkey.pem
 
# Create a 2 year VPN certificate
ipsec pki --pub --in private/vpnkey.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate --outform pem >certs/vpncert.pem

Client certificates

Still on the server, create the client secrets (certificate and private key). This step has to be repeated for each client that will connect to the VPN.

# Create a 2048 bit client private key
ipsec pki --gen --type rsa --size 2048 --outform pem >private/ibts_060434.pem
chmod 600 private/ibts_060434.pem
 
# Create a 2 year client certificate
ipsec pki --pub --in private/ibts_060434.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-lpbs-060434" --outform pem > certs/ibts_060434.pem

P12 Packaging

The Wirnet iBTS and iFemtoCell read the secrets from a PKCS#12 encoded file. To generate one .p12 file from the certificates and keys generated above:

openssl pkcs12 -export -inkey private/ibts_060434.pem -in certs/ibts_060434.pem -name "iBTS 0x2e060434" -certfile cacerts/rootca.pem -caname "Kerlink root CA" -out ibts_060434.p12
Enter Export Password:
Verifying - Enter Export Password:

The password will have to be entered in the client configuration file (the encrypted one, see Setting up the VPN client).
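As an added example (not Kerlink's commands and not part of the original page), the following POSIX shell script reproduces the root CA / VPN server / client layout of the sections above with plain openssl, so that it runs anywhere, and then performs the checks worth doing before a .p12 is copied to a device: each certificate chains to the root CA and is not expired, the server certificate carries serverAuth (together with the ikeIntermediate OID 1.3.6.1.5.5.8.2.2 that --flag ikeIntermediate sets), the client certificate carries no serverAuth, private keys are mode 600, and the bundle really opens with the export password. Assumed: openssl 1.1.1 or later on PATH; every name, path and the export password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Kerlink's tooling: rebuild the page's PKI layout with plain
# openssl in a scratch directory, then run the checks a practitioner wants before
# shipping a client .p12. Assumed: openssl >= 1.1.1. All names are constructed.
set -eu
# Extension profiles matching the page's ipsec pki flags: --ca for the root,
# --flag serverAuth --flag ikeIntermediate (OID 1.3.6.1.5.5.8.2.2) for the VPN
# server, and no server flag at all for clients.
write_ext_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
subjectAltName = DNS:vpn.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
# issue_cert DIR KEYNAME CERTNAME SUBJECT EXTSECTION DAYS: private key in
# private/, CA-signed certificate in certs/ (the page's --gen | --issue pipeline).
issue_cert() {
  dir=$1; key=$2; cert=$3; subj=$4; ext=$5; days=$6
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/private/$key.pem" 2>/dev/null
  chmod 600 "$dir/private/$key.pem"
  openssl req -new -key "$dir/private/$key.pem" -config "$dir/ext.cnf" \
    -subj "$subj" -out "$dir/$cert.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$cert.csr" -days "$days" -sha256 \
    -CA "$dir/cacerts/rootca.pem" -CAkey "$dir/private/rootca.pem" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions "$ext" -out "$dir/certs/$cert.pem" 2>/dev/null
  rm -f "$dir/$cert.csr"
}
# build_demo_pki DIR: 10-year self-signed root CA, 2-year server and client certs.
build_demo_pki() {
  dir=$1
  mkdir -p "$dir/private" "$dir/cacerts" "$dir/certs"
  chmod 700 "$dir/private"
  write_ext_config "$dir/ext.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ext.cnf" -extensions ca_ext \
    -subj "/C=FR/O=Example/CN=Example Root CA" \
    -keyout "$dir/private/rootca.pem" -out "$dir/cacerts/rootca.pem" 2>/dev/null
  chmod 600 "$dir/private/rootca.pem"
  issue_cert "$dir" vpnkey vpncert "/C=FR/O=Example/CN=vpn.example.test" server_ext 730
  issue_cert "$dir" ibts_000001 ibts_000001 "/C=FR/O=Example/CN=klk-lpbs-000001" client_ext 730
}
# check_cert DIR CERT: chains to the root CA and has not expired.
check_cert() {
  openssl verify -CAfile "$1/cacerts/rootca.pem" "$1/certs/$2.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$1/certs/$2.pem" -noout -checkend 0 >/dev/null
}
# cert_has_eku DIR CERT TEXT: the Extended Key Usage extension lists TEXT.
cert_has_eku() {
  openssl x509 -in "$1/certs/$2.pem" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$3"
}
# key_is_private DIR KEY: the key file is mode 0600, as the page's chmod requires.
key_is_private() {
  [ -n "$(find "$1/private/$2.pem" -perm 0600 -print)" ]
}
# export_p12 DIR NAME PASSWORD: bundle key, certificate and CA cert like the page does.
export_p12() {
  openssl pkcs12 -export -inkey "$1/private/$2.pem" -in "$1/certs/$2.pem" \
    -certfile "$1/cacerts/rootca.pem" -name "$2" -caname "Example root CA" \
    -passout "pass:$3" -out "$1/$2.p12"
}
# p12_readable DIR NAME PASSWORD: the bundle opens (MAC verifies) with that password.
p12_readable() {
  openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -noout 2>/dev/null
}
# Stand-alone run: build everything in a scratch directory, report, clean up.
demo() {
  tmp=$(mktemp -d)
  build_demo_pki "$tmp"
  check_cert "$tmp" vpncert && cert_has_eku "$tmp" vpncert "TLS Web Server Authentication" &&
    echo "server certificate: chain OK, serverAuth present"
  check_cert "$tmp" ibts_000001 && ! cert_has_eku "$tmp" ibts_000001 "TLS Web Server Authentication" &&
    echo "client certificate: chain OK, no serverAuth, so it cannot stand in for the server"
  export_p12 "$tmp" ibts_000001 "demo-export-password"
  p12_readable "$tmp" ibts_000001 "demo-export-password" && echo "p12 opens with the export password"
  rm -rf "$tmp"
}
demo
```

Because the directory layout (private/, cacerts/, certs/) is the same as in /etc/ipsec.d, the check functions can be pointed at the real directory once the ipsec pki commands above have been run; the serverAuth check on client certificates is worth keeping, since a client certificate that also carried serverAuth could be presented as the VPN server to any peer that only validates the chain.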

OpenVPN

EasyRSA can be used to quickly generate secrets for the VPN server.

It is advised to put the server certificate, the CA certificate, and the server private key in a single PKCS#12 file; that file is referenced by the pkcs12 <file> directive of the server configuration file.

A Diffie-Hellman parameters file has to be generated with:

openssl dhparam -out dh2048.pem 2048

Next

Next step is VPN server configuration.