Generating RSA Credentials

If you are not using one of the PSK authentication modes, RSA credentials will need to be generated for the VPN gateway and possibly the Client as well. The only RSA authentication method that does not require Client credentials to operate is the Hybrid Authentication Method.


To generate RSA credentials, use the openssl tool to create a certificate authority, a private key and a signed certificate. Although the detailed use of the openssl command line tool is beyond the scope of this document, here is an example of how RSA server credentials might be created ...


# Directory layout expected by "openssl ca" (the default_ca section of openssl.cnf)
mkdir certs
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo "00" > demoCA/serial

# Private keys are created with a restrictive umask so they are never world readable
umask 077
openssl genrsa > certs/ca.key
openssl genrsa > certs/vpngw.key

# Certificates are public; the CA certificate is self-signed for five years (1825 days)
umask 022
openssl req -days 1825 -x509 -new -key certs/ca.key > certs/ca.crt
openssl req -new -key certs/vpngw.key > certs/vpngw.csr
openssl ca -in certs/vpngw.csr -keyfile certs/ca.key \
       -cert certs/ca.crt -out certs/vpngw.crt


After the server credentials have been created, you will need to move the server certificate and private key files to the certificate path specified in your racoon configuration file. The certificate authority public certificate should be given to each user that will be connecting to the gateway.


Copyright © 2010, Shrew Soft Inc