I have created certificates in accordance with the isakmpd man page:

# env CERTIP=10.0.0.1 openssl x509 -req \
 -days 365 -in 10.0.0.1.csr \
 -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
 -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
 -extensions x509v3_IPAddr -out 10.0.0.1.crt

But in the certificate there is no 10.0.0.1 IP addr; instead there is:

openssl x509 -in /etc/isakmpd/certs/10.0.0.1.crt -text

.....something.....
X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
....something else....


So 10.0.0.1, defined as env CERTIP=10.0.0.1, is not here. That is
because 0.0.0.0 is defined in /etc/ssl/x509v3.cnf:

# default settings
CERTPATHLEN             = 1
CERTUSAGE               = digitalSignature,keyCertSign,cRLSign
EXTCERTUSAGE            = serverAuth,clientAuth
CERTIP                  = 0.0.0.0
CERTFQDN                = nohost.nodomain

The value of CERTIP in x509v3 is important. We can change the value in
/etc/ssl/x509v3.cnf and put CERTIP = 10.0.0.1 (i.e. our IP addr).

But then the procedure mentioned in the man pages is not correct.

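A post-issuance check for the symptom described above, added here as an example and not part of the original post or of the isakmpd documentation: it reads `openssl x509 -text` output and fails unless the expected address appears in subjectAltName, so a certificate carrying the 0.0.0.0 default is caught before it is installed. The function names and the two sample outputs are constructed for illustration.

```shell
# Added example. Real use (certificate path taken from the post):
#   openssl x509 -in /etc/isakmpd/certs/10.0.0.1.crt -noout -text | check_san_ip 10.0.0.1

# Constructed samples of the relevant part of `openssl x509 -text` output.
sample_bad() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
EOF
}
sample_good() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.0.0.1, DNS:gw.example.org
EOF
}

# san_ips: read certificate text on stdin, print each SAN IP on its own line.
san_ips() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)
                if (sub(/^IP Address:/, "", entry)) print entry
            }
            grab = 0
        }'
}

# check_san_ip EXPECTED_IP: succeed only if EXPECTED_IP is among the SAN IPs.
check_san_ip() {
    want=$1
    ips=$(san_ips)
    [ -n "$ips" ] || { echo "FAIL: no IP Address in subjectAltName" >&2; return 1; }
    if printf '%s\n' "$ips" | grep -Fxq -- "$want"; then
        echo "OK: subjectAltName contains $want"
        return 0
    fi
    echo "FAIL: wanted $want, certificate has: $(echo $ips)" >&2
    return 1
}

sample_bad  | check_san_ip 10.0.0.1 || echo "certificate rejected"
sample_good | check_san_ip 10.0.0.1
```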