On 2024/07/30 20:19, J Doe wrote:
> On 2024-07-30 19:39, Stuart Henderson wrote:
>
> > On 2024-07-30, J Doe <gene...@nativemethods.com> wrote:
> > > As a result of continuing to experiment with my configuration, I ran
> > > into a new issue. I followed the instructions in the OpenBSD FAQ[0] for
> > > an X.509 configuration - in particular the following (with hostnames for
> > > my server and Mac):
> > >
> > > server1# ikectl ca vpn certificate client1.domain create
> > > server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
> > > server1# ikectl ca vpn certificate client1.domain export
> >
> > BTW this is a shortcut that ikectl implements to make things easy,
> > although it does mean that the client's "private" key actually ends
> > up on the server.
> >
> > The traditional way of doing this is exactly like an X509 cert for a
> > web server, i.e. the client generates a private key and cert signing
> > request, the key is never transferred off the machine, only the CSR
> > which is taken to the CA. The CA then uses that to produce a cert
> > which is signed by the CA and sent back.
> >
> > See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
> > details which are mostly hidden if you use "ikectl ca".
> >
> > > server1# tar -C /tmp -xzf client1.domain.tgz *pfx
> > > server1# cp /tmp/export/client1.domain.pfx \
> > > /var/www/htdocs/client1.domain.pfx
> > >
> > > ...so on my OpenBSD server I have the client's X.509 certificate and the
> > > CA certificate at: /etc/iked/certs.
> > >
> > > I then removed the _client_ certificate from this location on the server
> > > and attempted connecting from the Mac and it authenticated.
> > >
> > > My new question is - shouldn't the server reject an X.509 authentication
> > > attempt if the _client_ certificate is not on the server?
> >
> > No, that's not how it is expected to work, you don't need the client cert
> > on the server, just a way to validate that it's correct (by checking the
> > CA's signature and, IIUC, checking the subjectAltName against srcid).
>
> Hi Stuart,
>
> Thanks for your reply.
>
> Ok, I will make a note to read through the X.509 AUTHENTICATION section
> in: man 8 isakmpd.
>
> In regards to your last paragraph, where you state:
>
> "... just a way to validate that it's correct (by checking the CA's
> signature ..."
>
> ... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
> _server_ that the client should _not_ be able to authenticate, or is
> validating the CA's signature not dependent on that?
As far as I know that's correct, I don't think there's anywhere else that it should be picking up the CA cert from.
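The two points made in this thread (the CSR-based flow where the client key never leaves the client, and a server that validates by CA signature plus subjectAltName rather than by holding a copy of the client cert) can be modelled with plain openssl. The script below is an added illustration, not code from the thread, from ikectl or from OpenBSD; the CA name "vpn CA", the identity client1.domain and the scratch-directory layout (a "server" directory standing in for /etc/iked/ca) are assumptions. It shows the server accepting a CA-signed cert it has never seen before, and rejecting a cert with the wrong identity, a cert signed by a different CA, and any cert once ca.crt has been removed.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): the CSR-based flow,
# modelled with openssl. Names "vpn CA" and client1.domain are assumed; the
# "server" directory stands in for /etc/iked/ca and holds only ca.crt.
set -eu

# Minimal config so "openssl req" does not depend on the system openssl.cnf.
write_req_cnf() {                  # $1 = path to write
  printf '[req]\ndistinguished_name = dn\n[dn]\n[v3ca]\n' > "$1"
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$1"
}

# Client side: private key plus a CSR for the identity later used as srcid.
# Only client.csr leaves this directory; client.key never does.
client_make_csr() {                # $1 = client dir, $2 = identity (FQDN)
  write_req_cnf "$1/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -subj "/CN=$2" -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
}

# CA side: self-signed CA certificate with CA:TRUE and keyCertSign.
ca_init() {                        # $1 = ca dir, $2 = CA common name
  write_req_cnf "$1/req.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$1/req.cnf" \
    -extensions v3ca -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# CA side: sign the CSR, placing the identity in subjectAltName so the server
# can match it against the client's srcid.
ca_sign_csr() {                    # $1 = ca dir, $2 = csr, $3 = identity, $4 = output cert
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$3" > "$1/ext.cnf"
  openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -extfile "$1/ext.cnf" -out "$4" 2>/dev/null
}

# Server side: keeps no client certificate, only ca.crt. Accepts a presented
# cert only if ca.crt is readable, the cert verifies against it, and the
# subjectAltName carries exactly the expected identity. Returns 0/1.
server_verify() {                  # $1 = ca.crt path, $2 = presented cert, $3 = expected id
  [ -r "$1" ] || return 1          # no CA cert on the server: nothing to validate with
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text 2>/dev/null \
    | grep -o 'DNS:[^, ]*' | grep -qx "DNS:$3" || return 1
}

report() { "$@" >/dev/null 2>&1 && echo "accepted" || echo "rejected"; }

# End-to-end run in a scratch directory.
demo() {
  w=$(mktemp -d)
  mkdir "$w/client" "$w/ca" "$w/other" "$w/server"
  client_make_csr "$w/client" client1.domain
  ca_init "$w/ca" "vpn CA"
  ca_sign_csr "$w/ca" "$w/client/client.csr" client1.domain "$w/client/client.crt"
  cp "$w/ca/ca.crt" "$w/server/ca.crt"      # the only file the server ever receives

  # A second CA the server does not trust, signing the same CSR (constructed).
  ca_init "$w/other" "some other CA"
  ca_sign_csr "$w/other" "$w/client/client.csr" client1.domain "$w/client/other.crt"

  printf 'CA-signed cert, expected identity: '; report server_verify "$w/server/ca.crt" "$w/client/client.crt" client1.domain
  printf 'CA-signed cert, wrong identity:    '; report server_verify "$w/server/ca.crt" "$w/client/client.crt" client2.domain
  printf 'cert signed by a different CA:     '; report server_verify "$w/server/ca.crt" "$w/client/other.crt" client1.domain
  rm "$w/server/ca.crt"
  printf 'ca.crt removed from the server:    '; report server_verify "$w/server/ca.crt" "$w/client/client.crt" client1.domain
  rm -rf "$w"
}
demo
```

Only the first case prints "accepted"; the server directory never contains client.crt, which is the point of Stuart's answer. The identity check compares the whole DNS SAN value rather than a substring so that a cert for a longer name cannot satisfy a shorter expected one.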