Generating X.509 Certificates using openssl


Setting up openssl and building your Root CA

  1. Install and compile openssl.

  2. Add /usr/local/ssl/bin and /usr/local/ssl/misc to your path.

  3. Make a new directory to hold your certificates and change into it.

  4. Edit the file /usr/local/ssl/openssl.cnf and change the following entries:
    1. default_days = 3650
    2. default_bits = 2048
      This gives your root CA a 10-year validity period and a 2048-bit key.

  5. Now generate your root CA using the command "sh CA.sh -newca".

  6. Edit the file /usr/local/ssl/openssl.cnf again and change the following entry:
    1. default_days = 1825

This gives the certificates you issue a 5-year validity period.


Generating and installing the Certificate for your FreeSwan gateway

  1. Generate a private key and certificate request for your FreeSwan gateway using "sh CA.sh -newreq".

  2. Sign the request using "sh CA.sh -sign".

  3. Rename the two files "newreq.pem" and "newcert.pem" to something meaningful. These are the files needed for your FreeSwan gateway.

  4. Extract your private key using "fswcert -k newreq.pem". Place this data into your "/etc/ipsec.secrets" file.

  5. Install your gateway's certificate in binary DER format: "openssl x509 -in newcert.pem -outform DER -out /etc/x509cert.der".

  6. Install your root CA in DER format: "openssl x509 -in demoCA/cacert.pem -outform DER -out /etc/ipsec.d/cacerts/RootCA.der".

  7. Generate a certificate revocation list: "openssl ca -gencrl -out crl.pem".

  8. Install the CRL: "mv crl.pem /etc/ipsec.d/crls".

  9. Restart FreeSwan.
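The root CA and gateway steps above, as an added example that is not the page's own CA.sh flow: it builds a scratch root CA, issues a gateway certificate and a CRL with plain openssl commands (what "CA.sh -newca/-newreq/-sign" and "openssl ca -gencrl" do), and then runs the checks worth doing before any file is copied into /etc/ipsec.d: the certificate chains to the root, the private key matches the certificate, the DER copy parses, and the CRL is signed by the root. It assumes openssl is in PATH; WORK, the subject names and the 30-day CRL lifetime are constructed for the example, and the last function is the same "-subject" lookup the page uses to obtain a certificate's ID.

```shell
# Added example, not the page's CA.sh flow: build a scratch root CA, issue a
# gateway certificate and a CRL with plain openssl (what "CA.sh -newca/-newreq/
# -sign" and "openssl ca -gencrl" do), then run the checks worth doing before
# copying anything into /etc/ipsec.d. Assumes openssl in PATH; WORK is scratch.
set -e
WORK=${WORK:-$(mktemp -d)}

# Root CA: 2048-bit key valid 3650 days, the page's default_bits/default_days.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example VPN/CN=Example Root CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Gateway key and request, signed by the root for 1825 days, plus the DER copies
# the page installs as /etc/x509cert.der and /etc/ipsec.d/cacerts/RootCA.der.
make_gateway_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example VPN/CN=gateway.example.test" \
        -keyout "$WORK/newreq.pem" -out "$WORK/newreq.csr" 2>/dev/null
    openssl x509 -req -days 1825 -in "$WORK/newreq.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/newcert.pem" 2>/dev/null
    openssl x509 -in "$WORK/newcert.pem" -outform DER -out "$WORK/x509cert.der"
    openssl x509 -in "$WORK/cacert.pem" -outform DER -out "$WORK/RootCA.der"
}

# CRL: "openssl ca -gencrl" needs an index database and a crlnumber file, so a
# minimal config is written here instead of editing openssl.cnf.
make_crl() {
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    printf '[ca]\ndefault_ca=crl\n[crl]\ndatabase=%s/index.txt\ncrlnumber=%s/crlnumber\ndefault_md=sha256\ndefault_crl_days=30\n' \
        "$WORK" "$WORK" > "$WORK/crl.cnf"
    openssl ca -config "$WORK/crl.cnf" -gencrl -keyfile "$WORK/cakey.pem" \
        -cert "$WORK/cacert.pem" -out "$WORK/crl.pem" 2>/dev/null
}

# Checks before installing: cert chains to the root, the private key matches the
# cert, the DER copy parses, and the CRL is signed by the root. Fails on the first miss.
verify_gateway_files() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null &&
    [ "$(openssl rsa -in "$WORK/newreq.pem" -noout -modulus)" = \
      "$(openssl x509 -in "$WORK/newcert.pem" -noout -modulus)" ] &&
    openssl x509 -inform DER -in "$WORK/x509cert.der" -noout -subject >/dev/null &&
    openssl crl -in "$WORK/crl.pem" -CAfile "$WORK/cacert.pem" -noout >/dev/null 2>&1
}

# Subject DN of the issued certificate, the value the page pastes into ipsec.conf as an ID.
gateway_id() { openssl x509 -in "$WORK/newcert.pem" -noout -subject; }
```

Run the functions in order (make_root_ca, make_gateway_cert, make_crl, verify_gateway_files); a non-zero exit from the last one means one of the files should not be installed.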


Generating and installing the Certificate for your Windows 2000 Client

  1. Generate a private key and certificate request for your Windows 2000 client using "sh CA.sh -newreq".

  2. Sign the request using "sh CA.sh -sign".

  3. Rename the two files "newreq.pem" and "newcert.pem" to something meaningful. These are the files needed for your Windows client.

  4. Pack the files you need into a PKCS#12 file: "openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -out W2000.p12".

  5. Get the ID for your gateway (FreeSwan) side: "openssl x509 -in newcert.pem -noout -subject". Place this ID in your FreeSwan configuration.

  6. Get the root CA ID for your client (W2000) side: after installing the certificates using the Management Console, use the MMC to get the DN of the root CA.

Cut and paste this ID into your ipsec.conf. You should use the name Windows shows you, as W2k uses a slightly different syntax.