author: sthen <sthen@openbsd.org> 2014-03-11 15:25:34 +0000
committer: sthen <sthen@openbsd.org> 2014-03-11 15:25:34 +0000
commit: 56f99fc95703cbcea4bec1b46bf317d4375fe14f
tree: 03da38b91d80ca471a97c995063fa9fd23c64283
parent: bugfix update to 1.4.6
download: wireguard-openbsd-56f99fc95703cbcea4bec1b46bf317d4375fe14f.tar.xz, wireguard-openbsd-56f99fc95703cbcea4bec1b46bf317d4375fe14f.zip
For CA generation, go back to using a two-step procedure to create a CSR and
then self-sign it rather than using the "openssl req" shortcut. This allows us to specify -extfile and thus set the correct certificate extensions so that stricter SSL implementations will trust this as a CA cert, and matches how things are done in ssl(8). This is basically a partial revert of r1.77. Researched by chrisz@, tweak/ok jmc@ ok beck@
-rw-r--r-- sbin/isakmpd/isakmpd.8 | 26
1 file changed, 16 insertions, 10 deletions
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index be88fc18fb0..32d5b399aa0 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.113 2013/11/14 08:47:21 bentley Exp $
+.\" $OpenBSD: isakmpd.8,v 1.114 2014/03/11 15:25:34 sthen Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -30,7 +30,7 @@
.\"
.\" Manual page, using -mandoc macros
.\"
-.Dd $Mdocdate: November 14 2013 $
+.Dd $Mdocdate: March 11 2014 $
.Dt ISAKMPD 8
.Os
.Sh NAME
@@ -640,15 +640,12 @@ to be signed by the CA.
.It
Create your own Certificate Authority (CA).
.Pp
-Create a self-signed root certificate.
-The CA certificate is named
-.Pa ca.crt ,
-and its private key
-.Pa ca.key :
+First, create a private key for the CA, and a Certificate Signing Request
+(CSR) to enable the CA to sign its own key:
.Bd -literal -offset indent
-# openssl req -x509 -days 365 -newkey rsa:2048 \e
- -keyout /etc/ssl/private/ca.key \e
- -out /etc/ssl/ca.crt
+# openssl genrsa -out /etc/ssl/private/ca.key 2048
+# openssl req -new -key /etc/ssl/private/ca.key \e
+ -out /etc/ssl/private/ca.csr
.Ed
.Pp
.Ic openssl req
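Review bot: the new sentence at the top of this hunk says the CSR is created "to enable the CA to sign its own key", but a CSR requests a certificate and it is the certificate, not the key, that gets signed in the next step; "to enable the CA to issue its own certificate" would be accurate. The removed lines also told the reader explicitly that the CA certificate is named ca.crt and its private key ca.key; the new text only shows the paths inside the command, so if later steps refer to those files by name, consider keeping a sentence that names them. Minor: the CSR is written to /etc/ssl/private/ca.csr although it holds nothing secret; harmless, but it may be worth saying it can be removed once the certificate has been issued.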
@@ -659,6 +656,15 @@ There are quite a few fields, but some can be left blank.
For some fields there will be a default value; if
.Sq \&.
is entered, the field will be left blank.
+.Pp
+After the CSR has been generated, it is used to create and sign
+a certificate for the CA:
+.Bd -literal -offset indent
+# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \e
+ -signkey /etc/ssl/private/ca.key \e
+ -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \e
+ -out /etc/ssl/ca.crt
+.Ed
.It
Create Certificate Signing Requests (CSRs) for IKE peers.
The CSRs are signed with a pre-generated private key.
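Review bot: the added command gives the reader no hint of why "-extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA" is present, while the commit message explains the point (stricter SSL implementations only trust a root certificate that carries the proper CA extensions); a sentence after the .Ed block should say that these options mark the certificate as a CA and that without them some peers will refuse to trust it, and since the commit message says this mirrors ssl(8), a ".Xr ssl 8" cross-reference here would help. Also note that "-days 365" is carried over from the removed one-step command, so the root certificate still expires after a year and every certificate it signs becomes untrusted with it; the text may want to point out that the lifetime should be chosen deliberately.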