openssl

To generate certificates, you need a certificate authority (CA). Setting one up is simple if you use the shell script that ships with openssl. In my case this script resides in /usr/share/ssl/misc/ and is called CA. The command

./CA -newca

will create a new CA.

Every client that wants to connect to the VPN box needs a certificate, and so does the VPN box itself. You can create and sign one with these two really simple commands:

./CA -newcert

./CA -signcert

In order to keep things organized, rename or copy the key-file and the cert-file:

cp newcert.pem workstation1.pem

cp newreq.pem workstation1.key

To use the certificate with racoon, you must strip the passphrase from the private key file, because racoon does not support passphrase-protected private keys. Do that with

openssl rsa -in workstation1.key -out workstation1.decrypted.key

Windows clients do not accept the PEM format, so we export the certificates for them to the p12 (PKCS#12) format, which contains both the private key and the certificate and can be imported easily on Windows:

openssl pkcs12 -export -in workstation1.pem -inkey \
workstation1.key -certfile demoCA/cacert.pem -out \
workstation1.p12

Note that the above example assumes that the root certificate resides in ./demoCA/cacert.pem.
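A small shell wrapper for the per-client steps above, added here as an example and not part of the original HOWTO. It assumes the CA script sits in the current directory as ./CA and the CA certificate in ./demoCA/cacert.pem, and it adds the check you want before copying the key to the racoon host: that the stripped key really carries no encryption header and is not readable by group or others.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. Assumes ./CA (the openssl
# CA script) and ./demoCA/cacert.pem, as in the text above.
set -eu

# Exit 0 if the PEM file is a passphrase-protected private key, 1 otherwise.
# Matches the legacy "Proc-Type: 4,ENCRYPTED" header that `openssl rsa`
# removes, and the PKCS#8 "ENCRYPTED PRIVATE KEY" block.
pem_key_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Exit 0 only if the file has no group/other permission bits (mode 600/400);
# columns 5-10 of `ls -l` are the group and other rwx fields.
key_perms_private() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Runs the HOWTO's per-client steps for one name, e.g. make_client workstation1
make_client() {
    name=$1
    ./CA -newcert
    ./CA -signcert
    cp newcert.pem "$name.pem"
    cp newreq.pem "$name.key"
    # racoon needs the key without a passphrase; openssl prompts for it once.
    openssl rsa -in "$name.key" -out "$name.decrypted.key"
    chmod 600 "$name.decrypted.key"
    # Verify before copying the key to the racoon host.
    if pem_key_encrypted "$name.decrypted.key"; then
        echo "error: $name.decrypted.key still carries an encryption header" >&2
        return 1
    fi
    key_perms_private "$name.decrypted.key" || {
        echo "error: $name.decrypted.key is readable by group/others" >&2
        return 1
    }
    # Bundle for the Windows client: key + certificate + CA certificate.
    openssl pkcs12 -export -in "$name.pem" -inkey "$name.key" \
        -certfile demoCA/cacert.pem -out "$name.p12"
}

if [ $# -gt 0 ]; then
    make_client "$1"
fi
```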

Wolfgang Hennerbichler 2004-12-21