>>> On 16 December 2005 at 10:55:53, in message <[EMAIL PROTECTED]>, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Fri, Dec 16, 2005 at 09:48:06AM +0000, Gordon Ross wrote:
>> I'm trying to set up an isakmpd VPN using x509 keys between two OpenBSD
>> 3.8 boxes.
>>
>> To start with, I followed the instructions at
>> http://www.openbsdsupport.org/vpn-ipsec.html to set up an initial VPN
>> using pre-shared secrets. This works fine.
>
> well, I'd say vpn(8) is a good starting point...

I discovered that later on. I'm not used to man pages containing HOWTOs...

>> Then I create CSRs/keys for the peers & get the CSR signed by the CA to
>> give me a cert. This, in theory, I understand. However:
>>
>> 1) The man page for isakmpd says "The CSRs are signed with a
>> pre-generated private key. By default, the system startup script rc(8)
>> generates a key-pair when starting..." Why? Why are the peer CSRs
>> signed with the pre-generated private key? I would have thought that
>> getting the CA to sign them would be OK. After all, if all the peers
>> trust the CA, then any certificate signed by the CA should be trusted.
>> What's wrong with my logic?
>
> mh, "signed" might be a bit unclear. The pre-generated private key
> is "bound" to the CSR, i.e. this is the private key to be used with
> the resulting x509 certificate.

I think the penny is starting to drop. A few more coffees and it might make some sense... GTG
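The distinction Hans-Joerg draws, that the peer's pre-generated private key is "bound" to the CSR while the CA is what signs it, can be checked directly with openssl. The script below is an added example, not code from the thread or from the isakmpd project: it builds a throwaway CA and peer key in a scratch directory under constructed names (`ca.key`, `peer.key`, `gateway-a.example` and so on are placeholders, and it does not assume isakmpd's own file layout, which vpn(8) and isakmpd(8) describe). It then shows the two separate facts a peer relies on: the certificate chains to the CA both sides trust, and the certificate's public key is exactly the public half of the private key the CSR was generated from, so only that key can complete the IKE authentication the certificate vouches for.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): demonstrate what it means
# for an X.509 certificate to be "bound" to a pre-generated private key.
# All file names and subjects are constructed placeholders.
set -eu

# Build a toy PKI in $1: CA key + self-signed CA cert, a peer key, a CSR made
# from that peer key, the CA-signed peer cert, and an unrelated second key.
build_pki() {
    dir=$1
    # The CA: its certificate is the trust anchor every peer carries.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 365 \
        -subj "/CN=Example VPN CA" -out "$dir/ca.crt" 2>/dev/null
    # The peer's pre-generated private key. The CSR carries only its public
    # half plus a self-signature proving possession of the private half.
    openssl genrsa -out "$dir/peer.key" 2048 2>/dev/null
    openssl req -new -key "$dir/peer.key" \
        -subj "/CN=gateway-a.example" -out "$dir/peer.csr" 2>/dev/null
    # The CA signs the CSR with ca.key. The resulting certificate is signed
    # by the CA but bound to peer.key: it certifies peer.key's public key.
    openssl x509 -req -in "$dir/peer.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/peer.crt" 2>/dev/null
    # A second key that never went into a CSR, used to show a mismatch.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

# Returns 0 when certificate $2 chains to CA certificate $1, 1 otherwise.
# This is the "all peers trust the CA" part of the reasoning.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the public key inside certificate $1 is exactly the public
# half of private key $2, i.e. the certificate is bound to that key.
# This is the "pre-generated private key" part of the reasoning.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_pki "$work"
    cert_chains_to_ca "$work/ca.crt" "$work/peer.crt" \
        && echo "peer.crt chains to ca.crt"
    cert_matches_key "$work/peer.crt" "$work/peer.key" \
        && echo "peer.crt is bound to peer.key"
    cert_matches_key "$work/peer.crt" "$work/other.key" \
        || echo "peer.crt is NOT bound to other.key (as expected)"
    rm -rf "$work"
fi
```

The two checks are independent: a certificate can chain to a trusted CA and still be useless to a peer that does not hold the matching private key, which is why the CSR has to come from the key the gateway will actually use rather than from the CA.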