Generating RSA Credentials
If you are not using one of the PSK authentication modes, RSA credentials will need to be generated for the VPN gateway and possibly the Client as well. The only RSA authentication method that does not require Client credentials to operate is the Hybrid Authentication Method.
To generate RSA credentials, use the openssl tool to create a certificate authority, a private key and a signed certificate. Although the detailed use of the openssl command line tool is beyond the scope of this document, here is an example of how RSA server credentials might be created:
# Create the directories and files the "openssl ca" sub-command expects
# (demoCA is its default working directory) plus certs/ for the output.
mkdir -p demoCA/newcerts certs
touch demoCA/index.txt
echo "00" > demoCA/serial
# Generate the CA and gateway private keys (2048-bit RSA; older openssl
# releases pick a smaller default size when none is given).
openssl genrsa 2048 > certs/ca.key
openssl genrsa 2048 > certs/vpngw.key
# Self-signed CA certificate, valid for five years.
openssl req -days 1825 -x509 -new -key certs/ca.key > certs/ca.crt
# Certificate request for the gateway, then sign it with the CA.
openssl req -new -key certs/vpngw.key > certs/vpngw.csr
openssl ca -in certs/vpngw.csr -keyfile certs/ca.key \
    -cert certs/ca.crt -out certs/vpngw.crt
After the server credentials have been created, you will need to move the server certificate and private key files to the certificate path specified in your racoon configuration file. The certificate authority public certificate should be given to each user that will be connecting to the gateway.
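Before copying the files into racoon's certificate path, it is worth confirming that the three pieces actually belong together. The following shell function is an added example, not part of the Shrew Soft documentation; it assumes the file names ca.crt, vpngw.crt and vpngw.key produced by the commands above and a standard openssl command line.

```shell
#!/bin/sh
# Sanity-check a gateway's RSA credentials before deploying them to racoon.
# Usage: check_vpn_credentials certs/ca.crt certs/vpngw.crt certs/vpngw.key
# Returns 0 when every check passes, otherwise prints the failing check
# and returns a non-zero code identifying it.
check_vpn_credentials() {
    ca="$1"; crt="$2"; key="$3"

    # 1. The gateway certificate must chain to the CA the clients are given.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; return 1; }

    # 2. The private key must belong to the certificate: compare the public
    #    key embedded in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $crt"; return 2; }

    # 3. The certificate must be valid now and for at least 30 more days,
    #    so the gateway does not silently stop accepting clients.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: $crt is expired or expires within 30 days"; return 3; }

    # 4. The private key must not be readable by group or others; anyone
    #    holding it can impersonate the gateway to every client.
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is readable by group/others (mode $perms)"; return 4; }

    echo "OK: $crt, $key and $ca are consistent"
    return 0
}
```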
Copyright © 2010, Shrew Soft Inc