I have created certificates in accordance with the isakmpd man page:

    # env CERTIP=10.0.0.1 openssl x509 -req \
        -days 365 -in 10.0.0.1.csr \
        -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
        -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
        -extensions x509v3_IPAddr -out 10.0.0.1.crt

But in the certificate there is no 10.0.0.1 IP addr; instead there is:

    openssl x509 -in /etc/isakmpd/certs/10.0.0.1.crt -text
    .....something.....
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            IP Address:0.0.0.0
    ....something else....

So, 10.0.0.1, defined as:

    env CERTIP=10.0.0.1

is not here. That is because 0.0.0.0 is defined in /etc/ssl/x509v3.cnf:

    # default settings
    CERTPATHLEN = 1
    CERTUSAGE = digitalSignature,keyCertSign,cRLSign
    EXTCERTUSAGE = serverAuth,clientAuth
    CERTIP = 0.0.0.0
    CERTFQDN = nohost.nodomain

The value of CERTIP in x509v3 is important. We can change the value in /etc/ssl/x509v3.cnf and put

    CERTIP = 10.0.0.1

(i.e. our IP addr). But then the procedure mentioned in the man pages is not correct.
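
A post-issuance check for the mismatch described above, added here as an example and not part of the original post: it reads `openssl x509 -text` output and fails unless the intended address appears as an `IP Address:` entry in the subjectAltName. The function names and the sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm a certificate lists the intended IP in its
# subjectAltName before installing it under /etc/isakmpd/certs.

# san_ips: read `openssl x509 -text` output on stdin and print each
# "IP Address:" value from the Subject Alternative Name extension.
san_ips() {
    awk '
        /X509v3 Subject Alternative Name/ { in_san = 1; next }
        in_san {
            # The line after the header holds the comma-separated names.
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] ~ /^IP Address:/) {
                    sub(/^IP Address:/, "", parts[i])
                    print parts[i]
                }
            }
            in_san = 0
        }
    '
}

# san_has_ip EXPECTED: succeed only if EXPECTED is an exact SAN IP entry.
san_has_ip() {
    san_ips | grep -Fxq -- "$1"
}

# check_cert CERTFILE EXPECTED: run the check against a certificate file.
check_cert() {
    if openssl x509 -in "$1" -noout -text | san_has_ip "$2"; then
        echo "OK: $1 has SAN IP $2"
    else
        echo "MISMATCH: $1 does not list SAN IP $2" >&2
        return 1
    fi
}

# Constructed sample matching the -text output shown in the post.
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0'

printf '%s\n' "$SAMPLE_TEXT" | san_has_ip 10.0.0.1 ||
    echo "sample: 10.0.0.1 is missing from the SAN"
```

Against a real file the call would be `check_cert /etc/isakmpd/certs/10.0.0.1.crt 10.0.0.1`, which exits non-zero when the SAN still carries the 0.0.0.0 default.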