On Sat, Feb 27, 2016 at 05:03:19PM +0100, igor.kos wrote:
> I have created certificates in accordance with the isakmpd man page:
>
> # env CERTIP=10.0.0.1 openssl x509 -req \
>       -days 365 -in 10.0.0.1.csr \
>       -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
>       -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
>       -extensions x509v3_IPAddr -out 10.0.0.1.crt
>
> But in the certificate there is no 10.0.0.1 IP addr; instead there is:
>
> openssl x509 -in /etc/isakmpd/certs/10.0.0.1.crt -text
>
> .....something.....
> X509v3 extensions:
>     X509v3 Subject Alternative Name:
>         IP Address:0.0.0.0
> ....something else....
>
>
> So, 10.0.0.1 defined as env CERTIP=10.0.0.1 is not here. That is
> because in /etc/ssl/x509v3.cnf 0.0.0.0 is defined:
>
> # default settings
> CERTPATHLEN = 1
> CERTUSAGE = digitalSignature,keyCertSign,cRLSign
> EXTCERTUSAGE = serverAuth,clientAuth
> CERTIP = 0.0.0.0
> CERTFQDN = nohost.nodomain
>
> The value of CERTIP in x509v3 is important. We can change the value in
> /etc/ssl/x509v3.cnf and put CERTIP = 10.0.0.1 (i.e. our IP addr).
>
> But then the procedure mentioned in the man page is not correct.
>
i've updated isakmpd(8) to describe how to do this. thanks to stuart henderson (sthen@) for providing the fix.

jmc
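The CERTIP mechanism behind this thread, as an added example that is not code from the thread or from OpenBSD's own files: a constructed config with the same default/$ENV:: shape, a helper that issues a self-signed test certificate, and a check that reads the IP back out of the subjectAltName so the value can be confirmed before a certificate goes into /etc/isakmpd/certs/. It assumes an openssl binary on PATH; the file names, the CN and the temporary directory are made up, and it shows which value wins when CERTIP is set in the environment and when it is not.

```shell
#!/bin/sh
# Added example (not from the thread or OpenBSD); assumes openssl on PATH.
# The constructed config mirrors the CERTIP mechanism: a top-level default
# plus a section reading CERTIP via $ENV::, which OpenSSL takes from the
# environment and, when the variable is unset, from the default section.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/x509v3.cnf" <<'EOF'
CERTIP = 0.0.0.0
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = san-check-example
[ x509v3_IPAddr ]
subjectAltName = IP:$ENV::CERTIP
EOF

# issue_cert OUTFILE [IP]: self-signed test certificate with the IPAddr
# section applied. IP goes in through env, as in the man page example;
# omit it to see what the config default produces.
issue_cert() {
    env ${2:+CERTIP=$2} openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/x509v3.cnf" -extensions x509v3_IPAddr \
        -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}

# cert_san_ips CERTFILE: print each IP in the subjectAltName, one per line,
# as openssl prints it (IPv4 or IPv6).
cert_san_ips() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'IP Address:[0-9A-Fa-f.:]*' \
        | sed 's/^IP Address://'
}

# check_cert_ip CERTFILE IP: succeed only if IP is among the SAN entries.
# Run this before copying a certificate into /etc/isakmpd/certs/.
check_cert_ip() {
    cert_san_ips "$1" | grep -qx "$2"
}

issue_cert "$WORK/10.0.0.1.crt" 10.0.0.1
cert_san_ips "$WORK/10.0.0.1.crt"     # prints 10.0.0.1
issue_cert "$WORK/default.crt"
cert_san_ips "$WORK/default.crt"      # prints 0.0.0.0
```

Pointing check_cert_ip at the real /etc/isakmpd/certs/10.0.0.1.crt with the peer address you intended is the one-line test that would have caught the 0.0.0.0 entry described above.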