[Swan-dev] Including "ipsec ca"

Matt Rogers mrogers at redhat.com
Tue Jul 14 01:12:30 EEST 2015


I've pushed a branch called ipsec_ca with the WIP python code that makes up
the 'ipsec ca' command. Right now it's not install-able to be used with
the ipsec wrapper, so if you want to test it out, you can run _ipsec_ca under
the programs/_ipsec_ca/ directory. 

'ipsec ca' is a tool for users that need a simple self-signed CA to issue
certificates for IPsec hosts. It's not intended to be an all-purpose
x509 tool, but for a user to get up and running with certificates quickly. 
So as an alternative to fiddling with openssl or certutil the entire process
is two commands:

Creating the CA:

$ sudo ./_ipsec_ca new-ca "test-ca" "CN=HQ,O=bigcorp,OU=IT" --dir .
creating a new CA "test-ca"
subject: "CN=HQ,O=bigcorp,OU=IT"
serial: random
saved ./test-ca/ca_HQ_2030447307.key
saved ./test-ca/ca_HQ_2030447307.crt

Issuing a new host cert:

$ sudo ./_ipsec_ca new-cert "test-ca" "CN=remotehost,O=bigcorp,OU=IT" --dir . --p12 --san "remotehost.bigcorp.com"
creating a new host certificate
ca: "test-ca"
subject: "CN=remotehost,O=bigcorp,OU=IT"
serial: random
Enter PKCS password: 
saved ./test-ca/remotehost.p12

The .p12 can then be distributed to the host and imported. The new-cert
command can be used any time afterwards (specifying 'test-ca') to add additional hosts.

$ sudo ipsec import ./test-ca/remotehost.p12

Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 1467971738 (0x577f789a)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "OU=IT,O=bigcorp,CN=HQ"
        Validity:
            Not Before: Tue Jul 14 01:00:44 2015
            Not After : Fri Jul 08 01:00:44 2016
        Subject: "OU=IT,O=bigcorp,CN=remotehost"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Key Usage
            Usages: Digital Signature

            Name: Certificate Subject Alt Name
            DNS name: "remotehost.bigcorp.com"

I've also included a --win {server,client} option that will set the
appropriate KU/EKU for Windows clients.

The python module depends on pyOpenSSL, so Paul suggested that this
would be a separate package (i.e. libreswan-ca). I'm not sure if our
build scripts are set up to build a sub-package, or how to accomplish
that so I'd like some advice on getting _ipsec_ca and its modules
to install correctly.

Thanks,
Matt

