In this chapter we will install openssl, create a Certification Authority, the FreeSWAN Certificate and a X.509
Certificate for the roadwarrior. The certificates are used to authenticate the roadwarrior against the FreeSWAN
gateway. With this setup we use locally stored certificates.
To install openssl in debian type apt-get install openssl. If you use another distro refer to the
documentation on how to install it or download the source of openssl and install it manually.
To sign the certificates a Certificate Authority (CA) is needed.
The next command creates a Certificate Authority
cd /usr/lib/ssl/misc/ ; ./CA.sh -newca
When asked for a filename, simply hit Enter.
This will create the following output:
matrix:/usr/lib/ssl/misc# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:<CA_PASSWORD>
Verifying password - Enter PEM pass phrase:<CA_PASSWORD>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Delft
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Evolve Datacom B.V.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Evolve Datacom CA
Email Address []:ca@evolvedatacom.nl
matrix:/usr/lib/ssl/misc#
Now that the CA has been created we can start making the FreeSWAN Certificate.
cd /usr/lib/ssl/misc ; ./CA.sh -newreq
This results in the following output:
matrix:/usr/lib/ssl/misc# /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..............++++++
..........................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:<FREESWAN_PASSWORD>
Verifying password - Enter PEM pass phrase:<FREESWAN_PASSWORD>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Delft
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Evolve Datacom B.V.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:FreeSWAN Certificate
Email Address []:fc@evolvedatacom.nl
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[PRESS ENTER]
An optional company name []:[PRESS ENTER]
Request (and private key) is in newreq.pem
matrix:/usr/lib/ssl/misc#
matrix:/usr/lib/ssl/misc# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:<CA_PASSWORD>
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'Zuid Holland'
localityName :PRINTABLE:'Delft'
organizationName :PRINTABLE:'Evolve Datacom B.V.'
commonName :PRINTABLE:'FreeSWAN Certificate'
emailAddress :IA5STRING:'ca@evolvedatacom.nl'
Certificate is to be certified until Mar 25 14:35:43 2003 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=NL, ST=Zuid Holland, L=Delft, O=Evolve Datacom B.V., CN=Evolve Datacom
CA/Email=ca@evolvedatacom.nl
Validity
Not Before: Mar 25 14:35:43 2002 GMT
Not After : Mar 25 14:35:43 2003 GMT
Subject: C=NL, ST=Zuid Holland, L=Delft, O=Evolve Datacom B.V., CN=FreeSWAN
Certificate/Email=ca@evolvedatacom.nl
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c7:1b:6d:90:10:92:15:b5:61:6f:3b:a9:a3:98:
3f:fb:35:88:c3:aa:d0:ba:76:40:2a:0f:9c:df:11:
cf:e9:55:f4:93:53:9e:c1:ce:ed:24:18:5b:84:c8:
19:6e:eb:08:99:97:09:55:4e:7a:56:f0:de:07:ec:
0c:77:be:e7:74:0a:c4:08:91:cd:3a:ff:5c:5b:f6:
64:1b:a5:7d:d1:51:a9:12:75:37:ec:cc:19:ea:03:
f2:f9:dc:0c:68:10:59:80:2a:66:7c:73:37:d4:9d:
9b:3a:1b:b2:9c:56:fe:0b:e2:52:42:24:52:47:f4:
a1:6e:9c:33:ac:f8:70:0e:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
40:D5:90:D3:7F:A1:28:01:EF:5A:D5:ED:5A:C3:7F:4C:F8:0A:29:6A
X509v3 Authority Key Identifier:
keyid:2E:5B:BB:B3:11:E2:BD:5F:FE:EC:1D:14:AB:6F:69:D8:FE:A6:50:12
DirName:/C=NL/ST=Zuid Holland/L=Delft/O=Evolve Datacom B.V./CN=Evolve Datacom
CA/Email=ca@evolvedatacom.nl
serial:00
Signature Algorithm: md5WithRSAEncryption
2e:60:1a:45:4e:ac:66:38:21:10:25:79:67:c3:9f:a9:99:73:
ce:8a:28:5d:06:a9:c7:4e:78:3e:94:da:dc:59:e7:fa:00:7c:
38:69:47:c1:58:52:78:bc:a5:21:86:16:bb:2f:b3:8d:19:79:
fb:98:1c:d1:b7:8c:67:50:09:7a:7b:34:7c:92:d4:5b:0d:98:
5e:ed:42:66:1f:02:35:5f:9d:f1:2f:52:b0:b3:63:f9:d6:8b:
12:a6:20:84:60:25:0c:21:a3:59:4c:5e:d5:3d:00:65:f9:1a:
3c:12:3e:52:57:d8:22:83:e9:00:27:e4:3e:50:9d:b4:c7:cd:
77:14
-----BEGIN CERTIFICATE-----
MIIDvzCCAyigAwIBAgIBATANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCTkwx
FTATBgNVBAgTDFp1aWQgSG9sbGFuZDEOMAwGA1UEBxMFRGVsZnQxHDAaBgNVBAoT
E0V2b2x2ZSBEYXRhY29tIEIuVi4xGjAYBgNVBAMTEUV2b2x2ZSBEYXRhY29tIENB
MSIwIAYJKoZIhvcNAQkBFhNjYUBldm9sdmVkYXRhY29tLm5sMB4XDTAyMDMyNTE0
MzU0M1oXDTAzMDMyNTE0MzU0M1owgZUxCzAJBgNVBAYTAk5MMRUwEwYDVQQIEwxa
dWlkIEhvbGxhbmQxDjAMBgNVBAcTBURlbGZ0MRwwGgYDVQQKExNFdm9sdmUgRGF0
YWNvbSBCLlYuMR0wGwYDVQQDExRGcmVlU1dBTiBDZXJ0aWZpY2F0ZTEiMCAGCSqG
SIb3DQEJARYTY2FAZXZvbHZlZGF0YWNvbS5ubDCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAxxttkBCSFbVhbzupo5g/+zWIw6rQunZAKg+c3xHP6VX0k1Oewc7t
JBhbhMgZbusImZcJVU56VvDeB+wMd77ndArECJHNOv9cW/ZkG6V90VGpEnU37MwZ
6gPy+dwMaBBZgCpmfHM31J2bOhuynFb+C+JSQiRSR/ShbpwzrPhwDqcCAwEAAaOC
AR4wggEaMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRA1ZDTf6EoAe9a1e1aw39M+AopajCB
vwYDVR0jBIG3MIG0gBQuW7uzEeK9X/7sHRSrb2nY/qZQEqGBmKSBlTCBkjELMAkG
A1UEBhMCTkwxFTATBgNVBAgTDFp1aWQgSG9sbGFuZDEOMAwGA1UEBxMFRGVsZnQx
HDAaBgNVBAoTE0V2b2x2ZSBEYXRhY29tIEIuVi4xGjAYBgNVBAMTEUV2b2x2ZSBE
YXRhY29tIENBMSIwIAYJKoZIhvcNAQkBFhNjYUBldm9sdmVkYXRhY29tLm5sggEA
MA0GCSqGSIb3DQEBBAUAA4GBAC5gGkVOrGY4IRAleWfDn6mZc86KKF0GqcdOeD6U
2txZ5/oAfDhpR8FYUni8pSGGFrsvs40ZefuYHNG3jGdQCXp7NHyS1FsNmF7tQmYf
AjVfnfEvUrCzY/nWixKmIIRgJQwho1lMXtU9AGX5GjwSPlJX2CKD6QAn5D5QnbTH
zXcU
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Now we will create the PGPNet certificate, this is about the same as we have done in the FreeSWAN
Certificate.
cd /usr/lib/ssl/misc ; ./CA.sh -newreq
Output:
matrix:/usr/lib/ssl/misc# /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..++++++
....++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:<ROADWARRIOR_PASSWORD>
Verifying password - Enter PEM pass phrase:<ROADWARRIOR_PASSWORD>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Delft
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Evolve Datacom B.V.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Wouter Prins
Email Address []:wouter.prins@evolvedatacom.nl
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
matrix:/usr/lib/ssl/misc#
matrix:/usr/lib/ssl/misc# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:<CA_PASSWORD>
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'Zuid Holland'
localityName :PRINTABLE:'Delft'
organizationName :PRINTABLE:'Evolve Datacom B.V.'
commonName :PRINTABLE:'Wouter Prins'
emailAddress :IA5STRING:'wouter.prins@evolvedatacom.nl'
Certificate is to be certified until Mar 25 14:42:13 2003 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=NL, ST=Zuid Holland, L=Delft, O=Evolve Datacom B.V., CN=Evolve Datacom
CA/Email=ca@evolvedatacom.nl
Validity
Not Before: Mar 25 14:42:13 2002 GMT
Not After : Mar 25 14:42:13 2003 GMT
Subject: C=NL, ST=Zuid Holland, L=Delft, O=Evolve Datacom B.V., CN=Wouter
Prins/Email=wouter.prins@evolvedatacom.nl
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:9d:37:3a:ad:8c:e4:54:5f:91:cc:c7:c2:8f:30:
26:fe:21:0f:b3:23:a2:1c:33:2a:61:e1:a8:97:6e:
64:ee:f1:43:a2:e8:eb:a2:24:48:9e:30:cc:be:d3:
51:1c:9f:a5:a4:65:52:60:f7:8d:e2:c7:8b:e3:ee:
37:b2:c1:aa:8e:ef:1d:c5:77:54:05:27:ed:c6:6f:
37:12:35:c3:bb:c0:78:9f:4e:e8:5c:ac:e1:ba:11:
d1:80:b3:cf:5f:6b:31:dd:f0:96:14:f4:11:1f:83:
8b:2b:43:ac:d3:a0:35:ba:97:e0:ac:2c:7d:56:1a:
85:39:28:eb:b4:a5:03:fb:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FE:F1:B2:EC:83:31:48:0F:08:4C:DA:0F:8E:A6:18:B2:18:E9:E0:4E
X509v3 Authority Key Identifier:
keyid:2E:5B:BB:B3:11:E2:BD:5F:FE:EC:1D:14:AB:6F:69:D8:FE:A6:50:12
DirName:/C=NL/ST=Zuid Holland/L=Delft/O=Evolve Datacom B.V./CN=Evolve Datacom
CA/Email=ca@evolvedatacom.nl
serial:00
Signature Algorithm: md5WithRSAEncryption
5f:dc:51:fb:f4:35:b9:16:f7:cc:2e:1b:42:47:22:2d:99:7b:
56:35:40:fa:bd:d6:ee:42:80:54:7f:e4:65:c4:b0:6e:31:26:
b3:c3:2d:7e:b3:a2:af:c6:dd:54:d6:4f:0d:7c:f9:43:37:76:
d4:04:4d:8a:93:72:98:50:1e:8c:ce:e5:42:e2:a0:06:6c:c1:
f7:de:b5:0f:e0:35:96:e4:ef:4d:b8:30:dc:a9:53:68:88:c3:
ea:81:3e:37:0a:84:62:80:60:84:83:c9:c1:c6:34:e9:e1:38:
d8:69:cb:0b:b2:22:1c:91:5a:9c:a7:03:ca:49:a7:b3:68:0c:
26:97
-----BEGIN CERTIFICATE-----
MIIDwTCCAyqgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCTkwx
FTATBgNVBAgTDFp1aWQgSG9sbGFuZDEOMAwGA1UEBxMFRGVsZnQxHDAaBgNVBAoT
E0V2b2x2ZSBEYXRhY29tIEIuVi4xGjAYBgNVBAMTEUV2b2x2ZSBEYXRhY29tIENB
MSIwIAYJKoZIhvcNAQkBFhNjYUBldm9sdmVkYXRhY29tLm5sMB4XDTAyMDMyNTE0
NDIxM1oXDTAzMDMyNTE0NDIxM1owgZcxCzAJBgNVBAYTAk5MMRUwEwYDVQQIEwxa
dWlkIEhvbGxhbmQxDjAMBgNVBAcTBURlbGZ0MRwwGgYDVQQKExNFdm9sdmUgRGF0
YWNvbSBCLlYuMRUwEwYDVQQDEwxXb3V0ZXIgUHJpbnMxLDAqBgkqhkiG9w0BCQEW
HXdvdXRlci5wcmluc0Bldm9sdmVkYXRhY29tLm5sMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCdNzqtjORUX5HMx8KPMCb+IQ+zI6IcMyph4aiXbmTu8UOi6Oui
JEieMMy+01Ecn6WkZVJg943ix4vj7jeywaqO7x3Fd1QFJ+3GbzcSNcO7wHifTuhc
rOG6EdGAs89fazHd8JYU9BEfg4srQ6zToDW6l+CsLH1WGoU5KOu0pQP7GQIDAQAB
o4IBHjCCARowCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5l
cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP7xsuyDMUgPCEzaD46mGLIY6eBO
MIG/BgNVHSMEgbcwgbSAFC5bu7MR4r1f/uwdFKtvadj+plASoYGYpIGVMIGSMQsw
CQYDVQQGEwJOTDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMQ4wDAYDVQQHEwVEZWxm
dDEcMBoGA1UEChMTRXZvbHZlIERhdGFjb20gQi5WLjEaMBgGA1UEAxMRRXZvbHZl
IERhdGFjb20gQ0ExIjAgBgkqhkiG9w0BCQEWE2NhQGV2b2x2ZWRhdGFjb20ubmyC
AQAwDQYJKoZIhvcNAQEEBQADgYEAX9xR+/Q1uRb3zC4bQkciLZl7VjVA+r3W7kKA
VH/kZcSwbjEms8MtfrOir8bdVNZPDXz5Qzd21ARNipNymFAejM7lQuKgBmzB9961
D+A1luTvTbgw3KlTaIjD6oE+NwqEYoBghIPJwcY06eE42GnLC7IiHJFanKcDykmn
s2gMJpc=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
matrix:/usr/lib/ssl/misc#
To create the CA's revocation list:
Make sure the /etc/ipsec.d/crls directory exists when executing the following command.
openssl ca -gencrl -out /etc/ipsec.d/crls/crl.pem
This creates an empty revocation list with a validity that is listed in openssl.cnf
If you want to revoke a certificate you can do this as follows:
openssl ca -revoke certificate.pem
Then the revocation list has to be regenerated using the following command:
openssl ca -gencrl -crldays xx -out /etc/ipsec.d/crls/crl.pem
Where xx is the number of days.
If for some reason, you want to view the contents of the crl then it can be listed with the following
command:
openssl crl -in /etc/ipsec.d/crls/crl.pem -noout -text
In order to import the created certificates into PGPNet we need to convert them to a readable format that PGPNet
understands and supports.
First we need to export the public key to .p12 format. This format is also supported in Internet Explorer and
Netscape. If for some reason you also want it in IE or netscape use this. =)
openssl pkcs12 -export -in /etc/ipsec.d/client-cert.pem -inkey /etc/ipsec.d/private/client-priv.pem -certfile
/usr/lib/ssl/misc/demoCA/cacert.pem -out /tmp/client.p12
matrix: # openssl pkcs12 -export -in /etc/ipsec.d/client-cert.pem -inkey
/etc/ipsec.d/private/client-priv.pem
-certfile /usr/lib/ssl/misc/demoCA/cacert.pem -out /tmp/client.p12
Enter PEM pass phrase:<ROADWARRIOR_PASSWORD>
Enter Export Password:<EXPORT_PASSWORD>
Verifying password - Enter Export Password:
matrix: #
The freeswan-cert.pem created by openssl can'tbe imported into PGPNet straight away. This is because
PGPkeys does not accept certificates in DER format. It has to be in base64 format to import them into
PGPkeys.
The following command will convert it from DER format to base64 format.
openssl x509 -in /etc/ipsec.d/freeswan-cert.pem -out /tmp/freeswan-cert.pem
To check if everything has gone like it should, restart pluto (ipsec setup restart) and check for any errors
it might generate.
ipsec setup restart ; tail -n 50 /var/log/auth.log
The output should look similar to this:
Mar 25 16:04:46 matrix Pluto[6520]: shutting down
Mar 25 16:04:46 matrix Pluto[6520]: forgetting secrets
Mar 25 16:04:46 matrix Pluto[6520]: "client-evolve": deleting connection
Mar 25 16:04:46 matrix Pluto[6520]: shutting down interface ipsec0/ppp0 [Gateway IP here]
Mar 25 16:04:47 matrix ipsec__plutorun: Starting Pluto subsystem...
Mar 25 16:04:47 matrix Pluto[6784]: Starting Pluto (FreeS/WAN Version 1.96)
Mar 25 16:04:47 matrix Pluto[6784]: including X.509 patch (Version 0.9.9)
Mar 25 16:04:47 matrix Pluto[6784]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 25 16:04:47 matrix Pluto[6784]: loaded cacert file 'cacert.pem' (1294 bytes)
Mar 25 16:04:47 matrix Pluto[6784]: Changing to directory '/etc/ipsec.d/crls'
Mar 25 16:04:47 matrix Pluto[6784]: loaded crl file 'crl.pem' (520 bytes)
Mar 25 16:04:47 matrix Pluto[6784]: loaded my X.509 cert file '/etc/x509cert.der' (963 bytes)
Mar 25 16:04:47 matrix Pluto[6784]: loaded host cert file '/etc/ipsec.d/client-cert.pem' (3689 bytes)
Mar 25 16:04:47 matrix Pluto[6784]: loaded host cert file '/etc/ipsec.d/freeswan-cert.pem' (3683 bytes)
Mar 25 16:04:47 matrix Pluto[6784]: added connection description "client-evolve"
Mar 25 16:04:47 matrix Pluto[6784]: listening for IKE messages
Mar 25 16:04:47 matrix Pluto[6784]: adding interface ipsec0/ppp0 [Gateway IP here]
Mar 25 16:04:47 matrix Pluto[6784]: loading secrets from "/etc/ipsec.secrets"
Mar 25 16:04:47 matrix Pluto[6784]: loaded private key file '/etc/ipsec.d/private/freeswan-priv.pem' (1675
bytes)