Hannah Schroeter wrote:
Hello!
I've tried to set up an IPSEC client connection. However, I see that it
doesn't work because the X509 certificate I've been given by my CA has no
subjAltName extension. And I'm not sure whether I'll be able to get them
to add one for me.
So, is there any reason why one can't bring ipsecctl/isakmpd to find the
certificate to use by the certificate DN or e.g. its emailAddress part?
And btw... Why can you specify a USER_FQDN as srcid type in ipsec.conf(5),
but not add something like that as subjAltName attribute to an X509
certificate (I see that only IP or FQDN are available as extensions in
the default /etc/ssl/x509v3.cnf and I see no mention of something that
looks like USER_FQDN in the openssl(1) manpage either).
Kind regards,
Hannah.

Here's a simple script that I'm using for generating certificates.
http://brodewicz.pl/files/create_certs.sh
Regards.
--
Rafał Brodewicz
[EMAIL PROTECTED]
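
On the USER_FQDN question raised in the thread, here is an added example (not from either poster, and not the linked script) that issues a test certificate with an rfc822Name subjectAltName using OpenSSL's `email:` syntax. The section name `x509v3_UFQDN`, the throwaway CA, and the address are constructed; that isakmpd matches a USER_FQDN srcid against this SAN type is an assumption to check against isakmpd(8).

```shell
#!/bin/sh
# Added example: issue a certificate whose subjectAltName is an rfc822Name
# (OpenSSL "email:" syntax). CA, subject names and address are constructed.

# make_ufqdn_cert DIR EMAIL
# Creates a throwaway CA and a client certificate in DIR with SAN email:EMAIL.
make_ufqdn_cert() {
    dir=$1 email=$2

    # Extension section modelled on the FQDN/IP ones the thread mentions in
    # /etc/ssl/x509v3.cnf; the section name x509v3_UFQDN is hypothetical.
    cat > "$dir/ufqdn.cnf" <<EOF
[x509v3_UFQDN]
subjectAltName = email:$email
EOF

    # Throwaway self-signed CA, for the test only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # Client key and CSR. The DN carries emailAddress too, but the SAN is
    # only added at signing time via the extension file.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=client/emailAddress=$email" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1

    # Sign the CSR and attach the subjectAltName extension.
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ufqdn.cnf" -extensions x509v3_UFQDN \
        -out "$dir/client.crt" 2>/dev/null || return 1
}

# cert_has_email_san CERT EMAIL
# Succeeds only if CERT's subjectAltName contains email:EMAIL.
cert_has_email_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        grep -q "email:$2"
}
```

Running `cert_has_email_san` on a certificate received from a CA shows whether the extension was actually included before the certificate is installed for isakmpd.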