[Openswan Users] CA server issue with cisco

Paul Wouters paul at xelerance.com
Tue May 20 15:23:55 EDT 2008

On Tue, 20 May 2008, Ming-Ching Tiew wrote:

> > Is it using OCSP? There is support for that.
> >
> Thanks for the information. I did some checking on OCSP. It seems that OCSP has more to do with certificate status, while what I have seen here is more of a certificate management thing, but performed over HTTP.
> On checking, I found something on SCEP and an implementation called OpenSCEP. I will verify whether OpenSCEP will meet this (because the doc I have on the Cisco IPSEC does not specifically mention the word SCEP, it just says CA enrolment using HTTP).

They might mean just a CRL, based on a CRL certificate attribute pointing to an HTTP server serving the CRL.
See the crlcheckinterval= and strictcrl= options in ipsec.conf.

(from the openswan book):

To use dynamic CRL fetching, you must ensure Openswan is compiled with
support for POSIX threads, curl and optionally ldap. These can be enabled
in Makefile.inc by setting HAVE_THREADS, USE_LIBCURL and USE_LDAP to true.

Your CA certificate (and all signed host certificates) need to be created
with an additional CRL distribution section in your openssl.cnf file so
that all certificates know about the type and location of the dynamic
CRLs. Add the following line to the [usr_cert] section of openssl.cnf:

	crlDistributionPoints= @crl_dp

And add a new crl_dp section with all dynamic CRL methods and locations you wish to use:

	[ crl_dp ]
	URI.2="ldap://ldap.yourorganisation.org/o=Xelerance, c=CA?certificateRevocationList?base?(objectClass=certificationAuthority)"

Building and integrating Virtual Private Networks with Openswan:
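An added example, not code from the post or from Openswan, showing the openssl.cnf wiring described above end to end: a throwaway CA whose host certificates carry a crlDistributionPoints extension built from a [crl_dp] section, and a CRL check that accepts the host certificate before revocation and rejects it afterwards. It needs openssl(1); the CA name, file names and both URIs are constructed for the demo.

```shell
# Added example, not code from the post or from Openswan: a throwaway CA whose
# host certs carry the crlDistributionPoints extension described above, then a
# CRL check before and after revoking one. Needs openssl(1); all names are constructed.
set -eu
write_cnf() {                   # minimal openssl.cnf: [usr_cert] -> [crl_dp], as in the post
  cat >openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
crlDistributionPoints = @crl_dp
[ crl_dp ]
URI.1 = http://crl.example.invalid/demo-ca.crl
URI.2 = "ldap://ldap.example.invalid/o=Example, c=CA?certificateRevocationList?base?(objectClass=certificationAuthority)"
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
certificate = ca.crt
private_key = ca.key
default_md = sha256
EOF
}
make_ca_and_host_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 2 -subj "/CN=Demo CA" -config openssl.cnf 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
    -subj "/CN=vpn-gw.example.invalid" -config openssl.cnf 2>/dev/null
  # Sign with the [usr_cert] extensions so the CDP ends up in the host cert.
  openssl x509 -req -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile openssl.cnf -extensions usr_cert -out host.crt 2>/dev/null
  touch index.txt               # database that 'openssl ca' needs for -revoke/-gencrl
}
# What a peer's CRL check boils down to: CA cert + fetched CRL; exit 0 = accepted.
verify_with_crl() { openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl host.crt >/dev/null 2>&1; }
issue_crl() { openssl ca -config openssl.cnf -gencrl -crldays 1 -out ca.crl 2>/dev/null; }
demo() {                        # prints "<cdp|no-cdp> <before revocation> <after revocation>"
  cd "$(mktemp -d)"; write_cnf; make_ca_and_host_cert
  cdp=$(openssl x509 -in host.crt -noout -text | grep -q 'CRL Distribution Points' && echo cdp || echo no-cdp)
  issue_crl; before=$(verify_with_crl && echo accepted || echo rejected)
  openssl ca -config openssl.cnf -revoke host.crt 2>/dev/null
  issue_crl; after=$(verify_with_crl && echo accepted || echo rejected)
  echo "$cdp $before $after"    # expect: cdp accepted rejected
}
demo
```

The http URI is the kind of location Openswan's dynamic CRL fetching (curl) would retrieve; the script supplies the CRL file directly since nothing is served here.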
