Rockhopper VPN
IPsec/IKEv2-based VPN software for Linux
Use chained X.509 certificates
(an end entity certificate signed by intermediate CA).
This page shows two cases to use chained X.509 certificates for Rockhopper.
Advance preparation:
-
Create a intermediate CA (SubCA1).
The following image shows the example operation to create an intermediate CA (a Sub CA) by TinyCA. Click an image to zoom in.
To manage certificates by Tiny CA, please read "Documents/Tips: Managing certificates by Tiny CA."
-
Create and export certificate files.
- RootCA1: rootca1-cert.pem (X.509, PEM)
- SubCA1: subca1-cert.pem (X.509, PEM)
- gateway1.example.com: gateway1.example.com-cert.pem (X.509, PEM)
- remotehost1@sales.example.com: remotehost1.sales.example.com-cert.pem (X.509, PEM)
Case (1): VPN peers exchange end entity certificates and an intermediate CA's certificate.
In this case, VPN gateway (gateway1.example.com) doesn't keep
SubCA1's certificate beforehand and
Remote host1 (remotehost1.sales.example.com) transmits it in the IKE_AUTH exchange. You need to create a PEM-encoded file including certificates for both SubCA1 and Remote host1 (remotehost1@sales.example.com) to upload them to Rockhopper by Web Console. This file is for Remote host1 (remotehost1@sales.example.com).
|
# cp remotehost1.sales.example.com-cert.pem chained-remotehost1-my-certs.pem
# cat subca1-cert.pem >> chained-remotehost1-my-certs.pem |
In this PEM-encoded file, a PEM-encoded text block (*1) of this local peer's certificate (i.e. the end entity certificate) must appear first and all PEM-encoded text blocks of intermediate CAs' certificates follow it. These intermediate CA certificates are also sent to the remote peer.
(*1): The text block begins with the
Configure VPN nodes by Rockhopper Web console.
VPN Gateway (gateway1.example.com):
-
Open Rockhopper Web Console and login.
-
Load a VPN realm's configuration.
- VPN Configuration[Tab] > VPN Realms[Left-Tree]
-
Setup My Key Store.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
> My Key Store[Left-Tree]:
Click this tree node and show My Key Store pane.- Enter the following.
Authentication Method: RSA Signature(RSA-Sig)
My ID Type: auto
Key Format: PEM(Base64-encoding) - File
My Certificate(X.509, *.pem): gateway1.example.com-cert.pem
RSA private key(*.pem): gateway1.example.com-pkey.pem
RSA Private Key's Password: password
-
Setup CA Certificate/CRL.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
> CA Certificate/CRL[Left-Tree]:
Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.- Enter the following.
Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): rootca1-cert.pem
-
Save this realm's configuration.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.- Click Save Configuration button.
Remote host (remotehost1@sales.example.com):
-
Open Rockhopper Web Console and login.
-
Load a VPN realm's configuration.
- VPN Configuration[Tab] > VPN Realms[Left-Tree]
-
Setup My Key Store.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
> My Key Store[Left-Tree]:
Click this tree node and show My Key Store pane.- Enter the following.
Authentication Method: RSA Signature(RSA-Sig)
My ID Type: auto
Key Format: PEM(Base64-encoding) - File
My Certificate(X.509, *.pem): chained-remotehost1-my-certs.pem
RSA private key(*.pem): remotehost1.sales.example.com-pkey.pem
RSA Private Key's Password: password
-
Setup CA Certificate/CRL.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
> CA Certificate/CRL[Left-Tree]:
Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.- Enter the following.
Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): rootca1-cert.pem
-
Save this realm's configuration.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.- Click Save Configuration button.
Case (2): VPN peers exchange only end entity certificates.
In this case, both VPN peers need to
keep SubCA1's certificate beforehand,
so you need to create a PEM-encoded file including certificates for both
SubCA1 and RootCA1
to upload them to Rockhopper by Web Console.
This file is for both
VPN gateway (gateway1.example.com) and
Remote host1 (remotehost1@sales.example.com).
|
# cp subca1-cert.pem chained-ca-certs.pem
# cat rootca1-cert.pem >> chained-ca-certs.pem |
In this PEM-encoded file (chained-ca-certs.pem), multiple certificates for a root CA and intermediate CAs are allowed. First, PEM-encoded text blocks (*2) for all intermediate CAs must appear before a PEM-encoded text block for the root CA in the same file. The root CA's text block must be the last one. These intermediate CA certificates are not exchanged between VPN peers.
(*2): Each text block begins with the
Configure VPN nodes by Rockhopper Web console.
VPN Gateway (gateway1.example.com):
-
Open Rockhopper Web Console and login.
-
Load a VPN realm's configuration.
- VPN Configuration[Tab] > VPN Realms[Left-Tree]
-
Setup My Key Store.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
> My Key Store[Left-Tree]:
Click this tree node and show My Key Store pane.- Enter the following.
Authentication Method: RSA Signature(RSA-Sig)
My ID Type: auto
Key Format: PEM(Base64-encoding) - File
My Certificate(X.509, *.pem): gateway1.example.com-cert.pem
RSA private key(*.pem): gateway1.example.com-pkey.pem
RSA Private Key's Password: password
-
Setup CA Certificate/CRL.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
> CA Certificate/CRL[Left-Tree]:
Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.- Enter the following.
Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): chained-ca-certs.pem
-
Save this realm's configuration.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.- Click Save Configuration button.
Remote host (remotehost1@sales.example.com):
-
Open Rockhopper Web Console and login.
-
Load a VPN realm's configuration.
- VPN Configuration[Tab] > VPN Realms[Left-Tree]
-
Setup My Key Store.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
> My Key Store[Left-Tree]:
Click this tree node and show My Key Store pane.- Enter the following.
Authentication Method: RSA Signature(RSA-Sig)
My ID Type: auto
Key Format: PEM(Base64-encoding) - File
My Certificate(X.509, *.pem): remotehost1.sales.example.com-cert.pem
RSA private key(*.pem): remotehost1.sales.example.com-pkey.pem
RSA Private Key's Password: password
-
Setup CA Certificate/CRL.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
> CA Certificate/CRL[Left-Tree]:
Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.- Enter the following.
Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): chained-ca-certs.pem
-
Save this realm's configuration.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.- Click Save Configuration button.