Hi,

On Fri, Dec 16, 2005 at 09:48:06AM +0000, Gordon Ross wrote:
> I'm trying to set up an isakmpd VPN using x509 keys between two OpenBSD
> 3.8 boxes.
>
> To start with, I followed the instructions at
> http://www.openbsdsupport.org/vpn-ipsec.html to set up an initial VPN
> using pre-shared secrets. This works fine.

Well, I'd say vpn(8) is a good starting point...

> Then I create CSRs/keys for the peers & get the CSR signed by the CA to
> give me a cert. This, in theory, I understand. However:
>
> 1) The man page for isakmpd says "The CSRs are signed with a
> pre-generated private key. By default, the system startup script rc(8)
> generates a key-pair when starting..." Why? Why are the peer CSRs
> signed with the pre-generated private key? I would have thought that
> getting the CA to sign them would be OK. After all, if all the peers
> trust the CA, then any certificate signed by the CA should be trusted.
> What's wrong with my logic?

Mh, "signed" might be a bit unclear. The pre-generated private key is
"bound" to the CSR, i.e. this is the private key to be used with the
resulting x509 certificate.

> 2) Just to confirm... (Assume I have peer1 & peer2.) I create a cert for
> peer1 and put it in /etc/isakmpd/certs/ on peer1. There is no need to
> copy it to peer2 (because the cert is signed by the CA, and the CA is
> trusted by both peers). Correct?

Yes.
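The two points in the reply (the CSR is bound to the pre-generated key, and only the CA certificate needs to be on both peers) can be checked with openssl. The script below is an added example, not part of the original thread or of OpenBSD; it rebuilds the /etc/isakmpd layout (private/local.key, certs/, ca/) under a temporary directory, so nothing on a real system is touched. The CA, the peer name "peer1", the rogue peer and the IP 10.0.0.1 in the subjectAltName are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: walk through the isakmpd x509
# setup in a scratch directory with openssl, to show two things from the reply:
#  (a) the CSR is "bound" to the pre-generated private key, so the resulting
#      certificate is only usable with that key, and
#  (b) a peer holding only the CA certificate can verify the other peer's
#      certificate, so peer certs never need to be copied around.
# The layout mirrors /etc/isakmpd (private/local.key, certs/, ca/) but lives
# under a temporary root; names and the IP 10.0.0.1 are constructed.
set -e

ROOT=$(mktemp -d)
CA=$ROOT/ca
PEER1=$ROOT/peer1/etc/isakmpd
PEER2=$ROOT/peer2/etc/isakmpd
mkdir -p "$CA" "$PEER1/private" "$PEER1/certs" "$PEER1/ca" "$PEER2/certs" "$PEER2/ca"

# 1. A throwaway CA (constructed for the example).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA/ca.key" -out "$CA/ca.crt" \
    -days 30 -subj "/CN=Example VPN CA" >/dev/null 2>&1

# 2. Stand-in for the key pair rc(8) generates at boot on peer1.
openssl genrsa -out "$PEER1/private/local.key" 2048 >/dev/null 2>&1

# 3. The CSR is created with that pre-generated key; the CA signs it and adds
#    a subjectAltName, which is the ID isakmpd matches against the peer.
openssl req -new -key "$PEER1/private/local.key" -out "$ROOT/peer1.csr" \
    -subj "/CN=peer1" >/dev/null 2>&1
printf 'subjectAltName=IP:10.0.0.1\n' > "$ROOT/peer1.ext"
openssl x509 -req -in "$ROOT/peer1.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 30 -extfile "$ROOT/peer1.ext" \
    -out "$PEER1/certs/local.crt" >/dev/null 2>&1

# 4. Only the CA certificate is distributed: both peers get it in ca/.
cp "$CA/ca.crt" "$PEER1/ca/ca.crt"
cp "$CA/ca.crt" "$PEER2/ca/ca.crt"

# 5. A rogue peer with a self-signed cert claiming the same name, for contrast.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ROOT/rogue.key" \
    -out "$ROOT/rogue.crt" -days 30 -subj "/CN=peer1" >/dev/null 2>&1

# (a) The public key inside peer1's certificate is the one from local.key.
cert_bound_to_local_key() {
    key_pub=$(openssl pkey -in "$PEER1/private/local.key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$PEER1/certs/local.crt" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# The signed certificate carries the subjectAltName isakmpd will match on.
cert_has_peer_san() {
    openssl x509 -in "$PEER1/certs/local.crt" -noout -text 2>/dev/null |
        grep -q 'IP Address:10.0.0.1'
}

# (b) peer2 validates peer1's certificate (which it receives in the CERT
#     payload during the exchange) using nothing but its own ca/ca.crt.
peer2_verifies_peer1() {
    openssl verify -CAfile "$PEER2/ca/ca.crt" "$PEER1/certs/local.crt" >/dev/null 2>&1
}

# ...and rejects a certificate that was not signed by the trusted CA.
peer2_rejects_rogue() {
    if openssl verify -CAfile "$PEER2/ca/ca.crt" "$ROOT/rogue.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

cert_bound_to_local_key && echo "cert public key matches local.key"
cert_has_peer_san && echo "cert carries subjectAltName IP:10.0.0.1"
peer2_verifies_peer1 && echo "peer2 verifies peer1 with the CA cert alone"
peer2_rejects_rogue && echo "peer2 rejects the self-signed impostor"
```

The point of the rogue certificate is the second question: peer2 never stores peer1's certificate, so the only thing protecting it from an impostor presenting a certificate with the same name is the CA signature check, which is why the CA certificate (and nothing else) has to be present in ca/ on both sides.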