[Openswan Users] Generating X.509 certificate problem on Debian Sarge OpenSwan 2.1.3-1
Joost Kraaijeveld
J.Kraaijeveld at Askesis.nl
Mon Oct 11 19:45:12 CEST 2004
Hi all,
I want to generate an X.509 certificate on a Debian Sarge machine for connecting Windows 2000 roadwarriors. I followed the recipe described below to the letter (I copied and pasted all text, did not type anything) after installing OpenSwan ~2 weeks ago. In step 2 of creating the client certificate (/usr/bin/openssl ca -in client01Req.pem -days 730 -out client01Cert.pem -passin pass:foobar -notext -cert caCert.pem -keyfile caKey.pem.locked) I get the following error:
..
failed to update database
TXT_DB error number 2
Anyone any idea what to do?
Greetings,
Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld at Askesis.nl
web: www.askesis.nl
Recipe:
cd /etc/ipsec.d/
mkdir ca
cd ca
(edit /usr/share/openssl.cnf and change directory ./DemoCA to /etc/ipsec.d/ca/)
/usr/bin/openssl req -x509 -days 1460 -newkey rsa:1024 -keyout caKey.pem.locked -out caCert.pem -passin pass:foobar -passout pass:foobar
/usr/bin/openssl rsa -passin pass:foobar -passout pass:foobar -in caKey.pem.locked -out caKey.pem
touch index.txt
echo "01" > serial
mkdir newcerts
First the gateway certificates:
/usr/bin/openssl req -newkey rsa:1024 -keyout gatewayKey.pem.locked -out gatewayReq.pem -passin pass:foobar -passout pass:foobar
/usr/bin/openssl ca -in gatewayReq.pem -days 730 -out gatewayCert.pem -passin pass:foobar -notext -cert caCert.pem -keyfile caKey.pem.locked
cp gatewayCert.pem /etc/ipsec.d/certs/
/usr/bin/openssl rsa -passin pass:foobar -passout pass:foobar -in gatewayKey.pem.locked -out gatewayKey.pem
cp gatewayKey.pem* /etc/ipsec.d/private/
cp caCert.pem /etc/ipsec.d/cacerts/
edit /etc/ipsec.secrets and add:
: RSA /etc/ipsec.d/private/gatewayKey.pem.locked "foobar"
add to ipsec.conf:
conn roadwarrior
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightsubnet=vhost:%no,%priv
    leftrsasigkey=%cert
    left=82.161.125.16
    # otherwise remote clients won't work
    leftnexthop=82.161.124.1
    leftcert=/etc/ipsec.d/certs/gatewayCert.pem
    auto=add
    authby=rsasig
    pfs=yes
    rekey=yes

conn roadwarrior-net
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightsubnet=vhost:%no,%priv
    leftrsasigkey=%cert
    left=82.161.125.16
    # otherwise remote clients won't work
    leftnexthop=82.161.124.1
    leftsubnet=172.31.0.0/16
    leftcert=/etc/ipsec.d/certs/gatewayCert.pem
    auto=add
    authby=rsasig
    pfs=yes
    rekey=yes
service ipsec restart
Per client:
cd /etc/ipsec.d/ca
/usr/bin/openssl req -newkey rsa:1024 -keyout client01Key.pem.locked -out client01Req.pem -passin pass:foobar -passout pass:foobar
/usr/bin/openssl ca -in client01Req.pem -days 730 -out client01Cert.pem -passin pass:foobar -notext -cert caCert.pem -keyfile caKey.pem.locked
/usr/bin/openssl pkcs12 -export -inkey client01Key.pem.locked -in client01Cert.pem -name askesis -certfile caCert.pem -caname "Askesis CA" -out client01Cert.p12 -passin pass:foobar -passout pass:foobar
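"TXT_DB error number 2" is OpenSSL's index-clash error: `openssl ca` refuses to add a new certificate to its database (the index.txt created with `touch index.txt` in the recipe) when the new serial is already present, or, with the default `unique_subject = yes` in the CA section of openssl.cnf (recorded in index.txt.attr), when a still-valid entry already carries the same subject DN. The following script, an added example that is not part of the original post, parses an index.txt in the layout OpenSSL's ca utility writes (six tab-separated fields: status, expiry, revocation date, serial, filename, subject), reports existing clashes, and predicts whether a candidate serial/subject pair would be refused. The sample database and subject names are constructed for the demonstration.

```python
"""Inspect an OpenSSL CA database (index.txt) for the index clashes that make
`openssl ca` abort with "failed to update database / TXT_DB error number 2".

Added example; not part of the original post. It assumes the index.txt layout
written by OpenSSL's ca utility: one line per issued certificate, six
tab-separated fields (status, expiry, revocation date, serial, filename,
subject DN). All sample data below is constructed for the demonstration.
"""
from collections import defaultdict

FIELDS = ("status", "expires", "revoked", "serial", "filename", "subject")


def parse_index(text):
    """Parse index.txt content into a list of dicts, one per certificate."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(
                f"index.txt line {lineno}: expected {len(FIELDS)} tab-separated "
                f"fields, got {len(parts)}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def _serial_key(serial):
    # `openssl ca` compares serials with leading zeros removed.
    return serial.lstrip("0") or "0"


def find_clashes(rows, unique_subject=True):
    """Return (kind, key, serials) for every duplicate serial and, when the CA
    enforces unique_subject (the default), every subject held by more than one
    valid (status V) certificate. Revoked or expired entries do not count."""
    by_serial, by_subject = defaultdict(list), defaultdict(list)
    for r in rows:
        by_serial[_serial_key(r["serial"])].append(r["serial"])
        if unique_subject and r["status"] == "V":
            by_subject[r["subject"]].append(r["serial"])
    clashes = [("serial", k, v) for k, v in by_serial.items() if len(v) > 1]
    clashes += [("subject", k, v) for k, v in by_subject.items() if len(v) > 1]
    return clashes


def would_clash(rows, new_serial, new_subject, unique_subject=True):
    """Predict whether signing a request with this serial (the content of the
    `serial` file) and subject would be refused with TXT_DB error number 2.
    Returns a reason string, or None when the insert would succeed."""
    for r in rows:
        if _serial_key(r["serial"]) == _serial_key(new_serial):
            return f"serial {new_serial} is already in index.txt"
        if unique_subject and r["status"] == "V" and r["subject"] == new_subject:
            return (f"subject {new_subject} already has a valid certificate "
                    f"(serial {r['serial']}); use a distinct CN per client or set "
                    f"unique_subject = no in the CA section of openssl.cnf")
    return None


# Constructed sample: a gateway certificate (01), a revoked early client
# certificate (02) and a live client certificate (03).
SAMPLE_INDEX = (
    "V\t061011174512Z\t\t01\tunknown\t/C=NL/O=Askesis/CN=gateway\n"
    "R\t061011174512Z\t041011180000Z\t02\tunknown\t/C=NL/O=Askesis/CN=client01\n"
    "V\t061011174512Z\t\t03\tunknown\t/C=NL/O=Askesis/CN=client02\n"
)

if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    print("existing clashes:", find_clashes(rows))
    # A client request that reused the gateway's subject is refused ...
    print(would_clash(rows, "04", "/C=NL/O=Askesis/CN=gateway"))
    # ... the revoked client01 subject may be reissued ...
    print(would_clash(rows, "04", "/C=NL/O=Askesis/CN=client01"))
    # ... and a stale `serial` file that still says 03 also clashes.
    print(would_clash(rows, "03", "/C=NL/O=Askesis/CN=client03"))
```

Run it against a real CA directory by replacing SAMPLE_INDEX with the contents of /etc/ipsec.d/ca/index.txt and the candidate serial with the contents of the `serial` file; because the `openssl req` steps in the recipe prompt for the subject interactively, checking the intended client DN with would_clash before signing shows whether the CA database will accept it.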