On Thu, 2002-06-20 at 19:46, natecars at real-time.com wrote:
> On 20 Jun 2002, Mike Hicks wrote:
> > Working along a different tack, I just installed FreeS/WAN on the
> > firewall itself.  It has a signed certificate from Thawte for the web
> > sign-on page it uses, and I was wondering if it's possible to use that
> > same cert for IPsec.  If it's possible, do I have to extract
> > information from the certificate somehow, or can I just point to it in
> > a configuration file somewhere?
> 
> Yeah, it's possible. But, it means each endpoint you connect to will need
> to have a cert from that CA (for the simplest configuration). I really
> recommend setting up your own CA for your VPN, check out:
> 
> http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
> 
> It's really easy to set up a CA.

I followed the instructions you have there, but it seems that the
certificates I've generated and signed don't get recognized as being
signed (I get the error "Issuer CA certificate not found" from pluto).

I have my CA cert in /etc/ipsec.d/cacerts (in both PEM and DER format,
just for grins), and it does show up when I do `ipsec auto
--listcacerts'.  I can still connect if I have a copy of the remote
certificate in /etc/ipsec.d and make reference to it in /etc/ipsec.conf

I suppose it might just be a bug in the version of FreeS/WAN that I
have, though.

-- 
 _  _  _  _ _  ___    _ _  _  ___ _ _  __   The future isn't what it
/ \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   used to be.
\_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)  
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
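The "Issuer CA certificate not found" symptom in the message above comes down to one lookup: the issuer DN of the peer's certificate has to match the subject DN of some certificate in the cacerts directory, and that CA has to have actually signed it. The script below is an added example, not code from the thread or from FreeS/WAN; it assumes only that the `openssl` command-line tool is installed, builds a throwaway CA plus one certificate it signed and one it did not (all DNs are made up), and then performs that same issuer lookup and signature check against a stand-in for /etc/ipsec.d/cacerts so the two failure cases can be told apart.

```shell
#!/bin/sh
# Added example: reproduce the "issuer not found" situation offline.
set -e
WORK="$(mktemp -d)"
CACERTS="$WORK/cacerts"        # stands in for /etc/ipsec.d/cacerts (assumption)
mkdir -p "$CACERTS"

# Throwaway CA (constructed; subject DN is made up)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example VPN CA" \
  -keyout "$WORK/ca.key" -out "$CACERTS/vpn-ca.pem" 2>/dev/null

# Gateway certificate signed by that CA (the working case)
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=gw1.example.test" \
  -keyout "$WORK/gw1.key" -out "$WORK/gw1.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/gw1.csr" \
  -CA "$CACERTS/vpn-ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/gw1.pem" 2>/dev/null

# Gateway certificate from an issuer that is NOT in cacerts (self-signed here)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=gw2.example.test" \
  -keyout "$WORK/gw2.key" -out "$WORK/gw2.pem" 2>/dev/null

# find_issuer CERT CACERTS_DIR
# Prints the path of the CA certificate in CACERTS_DIR whose subject DN equals
# CERT's issuer DN (RFC 2253 form, so both sides are canonical). This is the
# lookup that has to succeed before any signature can be checked.
find_issuer() {
  issuer="$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')"
  for ca in "$2"/*.pem; do
    [ -f "$ca" ] || continue
    subject="$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"
    if [ "$issuer" = "$subject" ]; then
      echo "$ca"
      return 0
    fi
  done
  echo "Issuer CA certificate not found for $1 (issuer: $issuer)" >&2
  return 1
}

# verify_chain CERT CACERTS_DIR
# Locates the issuer as above, then checks that the CA really signed CERT.
verify_chain() {
  ca="$(find_issuer "$1" "$2")" || return 1
  openssl verify -CAfile "$ca" "$1" >/dev/null 2>&1
}

# Stand-alone run: the first call succeeds, the second reports a missing issuer.
verify_chain "$WORK/gw1.pem" "$CACERTS" && echo "gw1: chains to $(find_issuer "$WORK/gw1.pem" "$CACERTS")"
verify_chain "$WORK/gw2.pem" "$CACERTS" || echo "gw2: rejected, as expected"
```

When the issuer lookup itself fails, compare the two DNs it prints against `openssl x509 -noout -subject` on each file in the cacerts directory: a CA that was regenerated after the end-entity certificates were signed, or a subject DN that differs in a single attribute, produces exactly this error even though a CA certificate is present and listed. The helper only reads PEM files; run the DER copy through `openssl x509 -inform DER -outform PEM` first if you want it included in the check.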