<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">2016-09-29 20:01 GMT+03:00 Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span>:<br><span class="gmail-"></span><br><span class="gmail-"></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
There are various tools you can use to generate certificates. openssl,<br>
or nss's certutil, or xca or tinyCA2, etc etc.<br>
<br>
You can find the example code we use to generate our test certificates<br>
here:<br>
<br>
<a href="https://github.com/libreswan/libreswan/blob/master/testing/x509/dist_certs.py" rel="noreferrer" target="_blank">https://github.com/libreswan/l<wbr>ibreswan/blob/master/testing/x<wbr>509/dist_certs.py</a><span class="gmail-"><br></span></blockquote><div><br></div><div>OK. I use these lines:<br><br>certutil -S -k rsa -c "cacert01" -n "server01" -s "CN=<a href="http://gateway.example.org">gateway.example.org</a>" \<br>-v 12 -t "u,u,u" --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth -8 "<a href="http://gateway.example.org">gateway.example.org</a>" -d sql:./cert<br><br></div><div>Is it correct?<br></div><div> <span class="gmail-"></span><span class="gmail-"></span><br><span class="gmail-"></span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
You should be able to omit the rightrsasigkey= line if you are using<br>
leftcert= already.<span class="gmail-"><br></span></blockquote><div><br><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-">It's clear. <br></span></span></div><div><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-">No I use (client side)<br>...<br></span></span></div><div><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-">right=<a href="http://gateway.example.org">gateway.example.org</a><br></span></span></div><div><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-">rightid=%fromcert</span></span><br><span class="gmail-">rightrsasigkey=%cert<br></span></div><div><span class="gmail-">DOES NOT WORK :(<br><br></span></div><div><span class="gmail-">and<br><br></span></div><div><span class="gmail-">use:<br></span><div><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-">right=<a href="http://gateway.example.org">gateway.example.org</a><br></span></span></div><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-"># rightid=%fromcert</span></span><br><span class="gmail-">rightrsasigkey=%cert<br>WORKS.<br></span></div><div><span class="gmail-"><br>I read the manual for ipsec and see: </span><br><span class="gmail-">the line rightrsasigkey=%cert excludes the line </span><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-">rightid=%fromcert<br></span></span></div><div><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-">and sees rightid from the line right<br><br></span></span></div><div><span class="gmail-short_text" id="gmail-result_box" tabindex="-1" lang="en"><span class="gmail-">Is it correct?<br></span></span></div><div> <span class="gmail-"></span><span class="gmail-"></span><br><span class="gmail-"></span></div><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Unfortunately, no. all EAP code is openssl/wpa_supplicant based,<br>
and libreswan uses NSS. So we have not yet written all the code<br>
needed for EAP support.</blockquote><div>Ok. <span class="gmail-HOEnZb"></span><br></div><div><span class="gmail-HOEnZb"></span><span class="gmail-HOEnZb"><font color="#888888"></font></span><br><span class="gmail-HOEnZb"></span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-HOEnZb"><font color="#888888">
Paul<br>
</font></span></blockquote></div><br></div><div class="gmail_extra">Thanks.<br clear="all"></div><div class="gmail_extra"><br>-- <br><div class="gmail_signature">mx</div>
</div></div>