Use chained X.509 certificates
(an end entity certificate signed by an intermediate CA).


This page shows two ways to use chained X.509 certificates with Rockhopper.

Advance preparation:


  1. Create an intermediate CA (SubCA1).

    (Image: example of creating an intermediate CA (a Sub CA) with TinyCA.)

    To manage certificates with TinyCA, read "Documents/Tips: Managing certificates by Tiny CA."


  2. Create and export the certificate files.

     - RootCA1: rootca1-cert.pem (X.509, PEM)
     - SubCA1: subca1-cert.pem (X.509, PEM)
     - gateway1.example.com: gateway1.example.com-cert.pem (X.509, PEM)
     - remotehost1@sales.example.com: remotehost1.sales.example.com-cert.pem (X.509, PEM)






Case (1): VPN peers exchange end entity certificates and an intermediate CA's certificate.

In this case, the VPN gateway (gateway1.example.com) does not hold SubCA1's certificate beforehand; Remote host1 (remotehost1.sales.example.com) sends it in the IKE_AUTH exchange.

Create a single PEM-encoded file containing the certificates of both Remote host1 (remotehost1@sales.example.com) and SubCA1, and upload it to Rockhopper through the Web Console. This file is used only on Remote host1 (remotehost1@sales.example.com).

# cp remotehost1.sales.example.com-cert.pem chained-remotehost1-my-certs.pem
# cat subca1-cert.pem >> chained-remotehost1-my-certs.pem

In this PEM-encoded file, the PEM-encoded text block (*1) of the local peer's own certificate (the end entity certificate) must come first, followed by the text blocks of all intermediate CA certificates. These intermediate CA certificates are also sent to the remote peer.

(*1): The text block begins with the -----BEGIN CERTIFICATE----- line and ends with the -----END CERTIFICATE----- line.



Configure the VPN nodes with the Rockhopper Web Console.



VPN Gateway (gateway1.example.com):


  1. Open the Rockhopper Web Console and log in.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Key Format: PEM(Base64-encoding) - File
    My Certificate(X.509, *.pem): gateway1.example.com-cert.pem
    RSA private key(*.pem): gateway1.example.com-pkey.pem
    RSA Private Key's Password: password

  4. Set up CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node to show the CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): rootca1-cert.pem

  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.



Remote host (remotehost1@sales.example.com):


  1. Open the Rockhopper Web Console and log in.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Key Format: PEM(Base64-encoding) - File
    My Certificate(X.509, *.pem): chained-remotehost1-my-certs.pem
    RSA private key(*.pem): remotehost1.sales.example.com-pkey.pem
    RSA Private Key's Password: password

  4. Set up CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node to show the CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): rootca1-cert.pem

  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.





Case (2): VPN peers exchange only end entity certificates.

In this case, both VPN peers must hold SubCA1's certificate beforehand, so create a single PEM-encoded file containing the certificates of both SubCA1 and RootCA1 and upload it to Rockhopper through the Web Console. The same file is used on both the VPN gateway (gateway1.example.com) and Remote host1 (remotehost1@sales.example.com).

# cp subca1-cert.pem chained-ca-certs.pem
# cat rootca1-cert.pem >> chained-ca-certs.pem

This PEM-encoded file (chained-ca-certs.pem) may contain several certificates: one root CA and any number of intermediate CAs. The PEM-encoded text blocks (*2) of all intermediate CAs must come before the root CA's text block, and the root CA's text block must be the last one in the file. These intermediate CA certificates are not exchanged between the VPN peers.

(*2): Each text block begins with the -----BEGIN CERTIFICATE----- line and ends with the -----END CERTIFICATE----- line.
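The ordering rules for both bundles (the Case (1) file chained-remotehost1-my-certs.pem, where the end entity certificate comes first, and the Case (2) file chained-ca-certs.pem, where the root CA comes last) can be checked before uploading. The following Python script is an added example, not Rockhopper's code and not part of this page. It splits a PEM file into certificate blocks, pulls only the issuer and subject names out of the DER with a minimal ASN.1 reader, and verifies that each block is issued by the block after it, that a Case (1) file starts with a certificate that is not self-signed, and that a Case (2) file ends with a self-signed root. The certificates it builds with fake_cert_pem are constructed certificate-shaped structures with no keys or signatures, named after the CAs and hosts on this page; all function names are this example's own.

```python
import base64
import re

# Added example, not Rockhopper's code: check the PEM bundle ordering rules
# described on this page using only issuer/subject linkage parsed from DER.

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                      # long form: low 7 bits give the number of length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name bodies from an X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # TBSCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)       # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)   # serialNumber
    _, _, pos = _read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)  # issuer Name
    _, _, pos = _read_tlv(tbs, pos)       # validity
    _, subject, _ = _read_tlv(tbs, pos)   # subject Name
    return issuer, subject


def pem_names(text):
    """Split a PEM file into certificate blocks and return their (issuer, subject) pairs."""
    return [issuer_and_subject(base64.b64decode("".join(b.split())))
            for b in PEM_BLOCK.findall(text)]


def _linked(names):
    # Every block must be issued by the block that follows it (bytewise DER name match).
    return all(iss == nxt for (iss, _), (_, nxt) in zip(names, names[1:]))


def check_my_certs_file(text):
    """Case (1) bundle: own end entity certificate first, then its intermediate CA(s)."""
    names = pem_names(text)
    if not names:
        return False
    first_issuer, first_subject = names[0]
    # An end entity certificate is never self-signed, and the chain must link upward.
    return first_issuer != first_subject and _linked(names)


def check_ca_certs_file(text):
    """Case (2) bundle: intermediate CA(s) first, self-signed root CA last."""
    names = pem_names(text)
    if not names:
        return False
    root_issuer, root_subject = names[-1]
    no_early_root = all(iss != subj for iss, subj in names[:-1])
    return root_issuer == root_subject and no_early_root and _linked(names)


# --- constructed sample certificates (structure only; no keys, no real signatures) ---

def _tlv(tag, body):
    n = len(body)                        # lengths below 256 bytes are enough here
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + body


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), UTF8String }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject, issuer):
    """Minimal certificate-shaped DER, PEM-wrapped, for exercising the checks above."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
                     + _name(issuer) + validity + _name(subject) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))   # empty signature placeholder
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


ROOT = fake_cert_pem("RootCA1", "RootCA1")                        # self-signed root
SUBCA = fake_cert_pem("SubCA1", "RootCA1")                        # intermediate CA
HOST = fake_cert_pem("remotehost1.sales.example.com", "SubCA1")   # end entity

if __name__ == "__main__":
    print("chained-remotehost1-my-certs.pem ordering ok:", check_my_certs_file(HOST + SUBCA))
    print("chained-ca-certs.pem ordering ok:", check_ca_certs_file(SUBCA + ROOT))
```

The script checks only name linkage and ordering, not signatures, so it catches a bundle assembled in the wrong order (for example cat run before cp, or the root placed first) but not a certificate that was never signed by the CA it names. For the real files, openssl verify -CAfile rootca1-cert.pem -untrusted subca1-cert.pem remotehost1.sales.example.com-cert.pem verifies the actual signatures along the chain before the bundle is uploaded.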



Configure the VPN nodes with the Rockhopper Web Console.



VPN Gateway (gateway1.example.com):


  1. Open the Rockhopper Web Console and log in.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Key Format: PEM(Base64-encoding) - File
    My Certificate(X.509, *.pem): gateway1.example.com-cert.pem
    RSA private key(*.pem): gateway1.example.com-pkey.pem
    RSA Private Key's Password: password

  4. Set up CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node to show the CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): chained-ca-certs.pem

  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.



Remote host (remotehost1@sales.example.com):


  1. Open the Rockhopper Web Console and log in.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Key Format: PEM(Base64-encoding) - File
    My Certificate(X.509, *.pem): remotehost1.sales.example.com-cert.pem
    RSA private key(*.pem): remotehost1.sales.example.com-pkey.pem
    RSA Private Key's Password: password

  4. Set up CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node to show the CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): chained-ca-certs.pem

  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.


