[Openswan Users] ####: [Openswan dev] X.509
Peter
lli at tecomtech.com
Thu Nov 16 20:00:08 EST 2006
Dear Paul,
Thanks for your reply.
I solved this problem. The error is a misconfiguration of ipsec.conf:
left=1.1.1.1
leftcert=A.cert
right=1.1.1.2
rightcert=B.cert
On host 1.1.1.1, the /etc/ipsec.d/private directory should have A.pem,
but I placed B.pem in it. So it cannot locate the RSA signature. FT!
Thank you and Paul Wouters.
_____
From: Christian Brechbühler [mailto:brechbuehler at gmail.com]
Sent: 2006-11-17 3:00
To: AntZ
Cc: Paul Wouters; users at openswan.org
Subject: Re: [Openswan Users] [Openswan dev] X.509 in openswan
On 11/16/06, Christian Brechbühler <brechbuehler at gmail.com> wrote:
keep the certificate on a separate host, if you can.
For clarity: I meant "keep the certificate authority (CA) on a separate
host".
Guard it well. Here's where you create and sign the various peers'
certificates. Make sure you distribute the certificates to their owners in
a secure way, e.g., floppy, CD-ROM; ssh/scp/sftp is probably OK too.
Christian
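
Added example (not part of the original thread): a shell check for the mistake described in the post, where the key placed in /etc/ipsec.d/private did not belong to the certificate named in leftcert. It assumes the openssl command-line tool is installed; the function names are illustrative, and the A/B certificates and keys are throwaway ones generated on the spot.

```shell
#!/bin/sh
# Added example: verify that a private key belongs to a certificate before
# installing the pair. File names A.cert / A.pem / B.pem mirror the post.

# Return 0 if the private key in $2 matches the public key in certificate $1,
# 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Create a constructed self-signed certificate and unencrypted key for peer $2
# in directory $1 (sample data only, valid for one day).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.pem" -out "$1/$2.cert" 2>/dev/null
}

# Report on one certificate/key pair the way a pre-flight check would.
check_pair() {
    if cert_matches_key "$1" "$2"; then
        echo "OK: $2 is the private key for $1"
    else
        echo "MISMATCH (or unreadable file): $2 does not belong to $1"
        return 1
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d" A && make_pair "$d" B || { rm -rf "$d"; return 1; }
    check_pair "$d/A.cert" "$d/A.pem"          # correct layout on host 1.1.1.1
    check_pair "$d/A.cert" "$d/B.pem" || true  # the mix-up from the post
    rm -rf "$d"
}

demo
```

The comparison uses the public key rather than file names, so it catches a swapped key even when the file has been renamed.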