[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: isakmpd and reading x509 certs

To: Gordon Chalmers <gordonc@kestral.com.au>
Subject: Re: isakmpd and reading x509 certs
From: Marcus Watts <mdw@umich.edu>
Date: Thu, 04 Sep 2003 21:34:50 -0400
Cc: Rob Pickering <rob@rpanetwork.co.uk>, misc@openbsd.org

If you have it talking to windows XP it's unlikely you
have things real wrong.  But, if you think there's a question,
To check your CA's key for sanity:
	openssl rsa -check -in /etc/ssl/private/ca.key -noout

To see the public key in your cert & from the private key file, try:
	openssl x509 -in /etc/ssl/private/ca.crt -pubkey -noout
	openssl rsa -in /etc/ssl/ca.crt -pubout

To review your certificate including all options,
	openssl x509 -in ca.crt -noout -text
Posting this is probably more useful than posting how you made
your certificate; for instance, your x509v3.cnf appears to be looking
in your environment for $CERTPATHLEN and $CERTUSAGE which you neglected
to tell us.  Also, you must have done an "openssl genrsa" command
beforehand even though you didn't say so.  It's possible to collapse
your 3 genrsa/req/x509 commands down to one command doing something
like this:
	openssl req -x509 -new -out ca2.crt -nodes -keyout ca2.key -newkey rsa:1024
but I don't think that's going to make any difference for you.

The sequence you posted appears to be intended to create a
self-contained certificate authority with one self-signed certificate.
Are you trying to use that directly, or are you creating additional
certificates using it?

With isakmpd - I'm not real familiar with it, but I think I know how
it "should" be using x509 certificates -- I would expect that
each end should have:
	list of CA certificates for authorities it will trust as
		signers (directly or indirectly) for certs from
		the other end.
	0 or more of:
	{
		CA certificate chain above its own certificate
		its own certificate
		its own private key
	} - 0 or more of these

In use, I presume isakmp has some sort of negotiation protocol that
involves receiving a list of certificate authorities the other side
trusts, selecting a local private key & certificate, using that to sign
something, and sending the signature, its own certificate, and a
possibly empty chain of certificate authorities connecting its own
certificate to whatever the other end claims to trust back to the other
side.  At least, that's (more or less) how ssl works, although in
practice usually only the web server has a certificate.

The list of remote signers that each end trusts does not have to
include whatever signed its own certificates.  I think I've seen
inconsistent windows behavior regarding the CA chain for any local
certificate+private keys: sometimes it seems to want to have that
chain, sometimes it does not.  The openssl equivalent to this is the
"verify" command, but I don't know if windows even makes anything
like this functionality accessible from a comand-line interface.

				-Marcus Watts

Follow-Ups:
- Re: solved isakmpd and reading x509 certs
  - From: Gordon Chalmers <gordonc@kestral.com.au>

References:
- Re: isakmpd and reading x509 certs
  - From: Gordon Chalmers <gordonc@kestral.com.au>

Prev by Date: Re: Booting above 1024...
Next by Date: new openbsd book (implementing the secure unix platform)
Prev by thread: Re: isakmpd and reading x509 certs
Next by thread: Re: solved isakmpd and reading x509 certs
Index(es):
- Date
- Thread