● The PKIX certificate with racoon(转寄) - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: georgehill (人生不定式), 信区: Linux
标  题: The PKIX certificate with racoon(转寄)
发信站: BBS 荔园晨风站 (Sat Sep 16 11:34:12 2000), 站内信件

【以下文字转载自 georgehill 的信箱】
【原文由 georgehill.bbs@smth.org 所发表】
发信人: hhuu (什么是水，就是water啊), 信区: FreeBSD
标  题: The PKIX certificate with racoon(转寄)
发信站: BBS 水木清华站 (Sat Sep 16 00:19:27 2000)

The PKIX certificate with racoon

Shoichi Sakane, KAME Project

$Id: index.html,v 1.4 2000-09-12 16:47:48+09 sakane Exp $

Japanese version is here.

Introduction

This document is described how to use the PKIX certificate with racoon, IKE
daemon. IKE allows to use several certificate for encryption
and authentication. At the moment, racoon only supports RSA signature
authentication method in all modes of phase 1 exchanges. For
example, the certificates are exchanged by 5th and 6th messages in the case of
the main mode. Both the initiator and the responder have to
prepare own certificate before sending it. The certificate is placed to the
certificate repository in PEM format. Racoon can get it from the
local file system at the moment. SCEP may be supported in the future.
Racoon version is required kame-20000904-*-snap or later. But it is recommended
to use latest version of KAME stack. Racoon leave all
cryptographic algorithm with libcrypto.a of OpenSSL. The version is required
OpenSSL0.9.5a or later is required. We don't support
OpenSSL0.9.4. There are some trouble about X.509v3 certificate handling in
OpenSSL0.9.4.

What can racoon do ?

     Main/Aggressive/Base mode with RSA signature authentication.
     X.509v3 certificate in PEM format.
     Sending the certificate or not.
     Getting peer's certificate in the local file system.
     Verify the subjectName or the subjectAltName as the identifier.
     Verify the issuer's chain or not.

Configuration

To use RSA signature authentication method, you have to define the following
directives in a configuration file of racoon. For example,
negotiation the IPsec keys with 194.100.55.1 (isakmp-test.ssh.fi), with
UserFQDN "sakane@kame.net" as subjectAltNameas.

        path certificate "/usr/local/openssl/certs";
        remote 194.100.55.1
        {
                exchange_mode main;
                certificate_type x509 "sakane@kame.net.cert"
"sakane@kame.net.priv";
                identifier certname;
                proposal {
                        encryption_algorithm des;
                        hash_algorithm md5;
                        authentication_method rsasig;
                        dh_group modp768;
                }
        }

The first line specifies the directory as the certificate repository to put all
certificates. You have to put your certificate, your private key and
all of issuer's certificate. In the following description, the directory is
called "CERT directory" for convenience.
"certificate_type" directive specifies the type of certificate, and the both
file name of own certificate/private key. You have to put them into
CERT directory.
"identifier" directive specifies the ID value. It is carried onto the peer by
ID payload. The peer may compare between the value and the
subjectName (subjectAltName) in the certificate.
"authentication_method" direcivie specifies the authentication method in use.
When you use a certificate, you have to define "rsasig".
If the peer don't send any certificate, you can get the certificate from your
local disk. "peers_certfile" directive can allow it. If you don't
want to verify the certificate, you have to set "no" into "verify_cert"
directive. If you don't want to send the certificate, you have to set "no"
into "send_cert" directive.

        path certificate "/usr/local/openssl/certs";
        remote 194.100.55.1
        {
                exchange_mode main;
                certificate_type x509 "sakane@kame.net.cert"
"sakane@kame.net.priv";
                peers_certfile "isakmp-test@ssh.fi.cert";
                identifier certname;
                verify_cert no;
                send_cert no;
                proposal {
                        encryption_algorithm des;
                        hash_algorithm md5;
                        authentication_method rsasig;
                        dh_group modp768;
                }
        }

To get your cert

This section is described how to get a certificate by OpenSSL0.9.5a.

   1.Make a new private/public key pair. For example, 1024bits private key can
be generated and stored into privkey.pem in PEM format
     by the following command:

       % openssl genrsa -out privkey.pem 1024

   2.Make a PKCS#10 request, which is to be signed by your public key. The
following example uses SHA1 as signature algorithm, RSA
     with 1024bits and stored into request.pem in PEM format.

       % openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout
privkey.pem -outform PEM -out request.pem
       Using configuration from /usr/local/openssl/openssl.cnf
       Generating a 1024 bit RSA private key
       .........................+++++
       ........+++++
       writing new private key to 'privkey.pem'
       -----
       You are about to be asked to enter information that will be incorporated
       into your certificate request.
       What you are about to enter is what is called a Distinguished Name or a
DN.
       There are quite a few fields but you can leave some blank
       For some fields there will be a default value,
       If you enter '.', the field will be left blank.
       -----
       Country Name (2 letter code) [AU]:JP
       State or Province Name (full name) [Some-State]:Kanagawa
       Locality Name (eg, city) []:Fujisawa
       Organization Name (eg, company) [Internet Widgits Pty Ltd]:WIDE Project
       Organizational Unit Name (eg, section) []:KAME Project
       Common Name (eg, YOUR name) []:Shoichi Sakane
       Email Address []:sakane@ydc.co.jp

       Please enter the following 'extra' attributes
       to be sent with your certificate request
       A challenge password []:
       An optional company name []:

   3.Send the PKCS#10 request to the CA. Then retrieve your authorized
certificate and stored into CERT directory. For example to use ssh
     certificate testing site. Connect to below URL.

             http://isakmp-test.ssh.fi/cgi-bin/nph-real-cert/cert.pem

     And paste the content of request.pem. Don't forget to input your
subjectAltName.
   4.Alternatively, you can sign your certificate by yourself. For example,
reqest.pem is a PKCS#10 request file in PEM format.

       % openssl x509 -req -in reqest.pem -signkey privkey.pem -out cert.pem

Issuer's certificate

You have to put some issuer's certificates into CERT directory. It is a unique
method to save them in OpenSSL. For example, the filename of
the certificate is ssh-ca1.pem. You have to type the following magic word after
changing CERT directory.

  % ln -s ssh-ca1.pem `openssl x509 -noout -hash -in ssh-ca1.pem`.0

--
  行列中        作不朽文章
  谈笑间        论古今英雄
  痴狂里        诉红尘情爱
  来去时        不枉一生风流
                        ---------  bbs.ntu.edu.tw

※ 来源:·BBS 水木清华站 smth.org·[FROM: 166.111.161.33]
--
※ 转载:·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: 192.168.1.115]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店