In iOS IPSec VPN Server on Ubuntu I created a local CA with OpenSSL.
I'm now setting up an OpenConnect VPN (ocserv), whose documentation uses GnuTLS's certtool to generate the CA and sign certificates.
I want to share the same root CA between OpenSSL and GnuTLS, so I generate the request with GnuTLS and sign it with the OpenSSL CA.
Note that Apple ships its own certtool, which is unrelated to the GnuTLS one; the MacPorts build is installed as gnutls-certtool.
Prepare
```
sskajetekiMacBook-Pro:CA sskaje$ mkdir gnutls
sskajetekiMacBook-Pro:CA sskaje$ cd gnutls/
```
Create private key
```
sskajetekiMacBook-Pro:gnutls sskaje$ gnutls-certtool --generate-privkey --outfile server-key.pem
Generating a 2432 bit RSA private key...
```
Create Request
```
sskajetekiMacBook-Pro:gnutls sskaje$ cat <<_EOF_ >server.tmpl
> cn = "openconnect.sskaje.me"
> o = "VPN"
> serial = 2
> expiration_days = 9999
> signing_key
> encryption_key #only if the generated key is an RSA one
> tls_www_server
> _EOF_
sskajetekiMacBook-Pro:gnutls sskaje$ gnutls-certtool --generate-request --load-privkey server-key.pem --template server.tmpl --outfile server-cert.csr
Generating a PKCS #10 certificate request...
```

Two things to keep in mind about this template when the request is signed elsewhere: `serial` and `expiration_days` only matter when certtool signs the certificate itself; for a request they are ignored, and the OpenSSL CA assigns the serial number and validity period from its own `serial` file and `default_days`. The extension keywords (`signing_key`, `encryption_key`, `tls_www_server`) are placed in the PKCS #10 extensionRequest attribute, and whether they end up in the signed certificate depends on the `copy_extensions` setting in openssl.cnf: the stock file leaves it commented out (default `none`), in which case `openssl ca` drops the request's extensions and applies only the section named by `x509_extensions` (`usr_cert` in the stock configuration). Set `copy_extensions = copy` in the CA section if you want the extensions from the template to survive.
Copy Request to CA Work Directory
CA.sh reads the request from newreq.pem and writes the signed certificate to newcert.pem, hence the fixed file name:

```
sskajetekiMacBook-Pro:gnutls sskaje$ cp server-cert.csr ../newreq.pem
sskajetekiMacBook-Pro:gnutls sskaje$ cd ../
```
Sign with CA
```
sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -signreq
Using configuration from openssl.cnf
Enter pass phrase for ./sskajeCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
.....
```
Move Back
```
sskajetekiMacBook-Pro:CA sskaje$ mv newcert.pem gnutls/server-cert.pem
sskajetekiMacBook-Pro:CA sskaje$ cd gnutls/
sskajetekiMacBook-Pro:gnutls sskaje$ ll
total 48
-rw-------  1 sskaje  staff  2665 Feb  6 22:05 server-cert.csr
-rw-r--r--  1 sskaje  staff  4124 Feb  6 22:08 server-cert.pem
-rw-------  1 sskaje  staff  6796 Feb  6 22:03 server-key.pem
-rw-r--r--  1 sskaje  staff   163 Feb  6 22:04 server.tmpl
```
Upload files to Server
```
$ scp *.pem root@rst.im:/opt/ocserv/etc/
```

The glob includes server-key.pem, so check that it keeps its 0600 permissions on the server and is readable only by the user ocserv runs as.
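The whole round trip as one script, added here as an example and not the post's own commands: it builds a throwaway OpenSSL CA (what CA.sh -newca lays out), creates the key and PKCS #10 request with GnuTLS certtool, signs the request with `openssl ca` (what CA.sh -signreq runs underneath), and verifies the result with both toolchains. It also signs the same request twice, once with `copy_extensions = copy` and once with the stock default `none`, to show that the `tls_www_server` extension from the certtool template only survives in the first case. It assumes `openssl` and GnuTLS `certtool` (or MacPorts `gnutls-certtool`) are on PATH; the CA name `Demo Root CA`, the host name `vpn.example.test` and the temporary directory layout are hypothetical.

```shell
#!/bin/sh
# Added example (not the post's own commands): GnuTLS request, OpenSSL CA
# signature, verification by both toolchains. Assumes openssl and certtool on
# PATH; CA name, host name and directory layout are hypothetical.
set -eu

CERTTOOL=certtool
if command -v gnutls-certtool >/dev/null 2>&1; then CERTTOOL=gnutls-certtool; fi
WORK=${WORK:-$(mktemp -d)}
CA_DIR="$WORK/ca"
HOST=vpn.example.test

have_tools() {
    command -v openssl >/dev/null 2>&1 && command -v "$CERTTOOL" >/dev/null 2>&1
}

# openssl.cnf for the demo CA; $1 is the copy_extensions setting (copy|none).
write_ca_config() {
    cat > "$CA_DIR/openssl-$1.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 825
unique_subject  = no
policy          = policy_any
x509_extensions = server_ext
# 'copy' keeps the extensions certtool put in the CSR (keyUsage, EKU, SAN);
# 'none' (the stock default) silently drops them.
copy_extensions = $1

[ policy_any ]
commonName       = supplied
organizationName = optional

[ server_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]
CN = Demo Root CA
O  = VPN

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Equivalent of CA.sh -newca: directory layout, index, serial, self-signed root.
make_ca() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    write_ca_config copy
    write_ca_config none
    openssl req -new -x509 -config "$CA_DIR/openssl-copy.cnf" -newkey rsa:2048 -nodes \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" -days 3650 2>/dev/null
}

# GnuTLS side: key plus PKCS#10 request from a certtool template. serial and
# expiration_days are left out on purpose: for a request the signing CA sets both.
make_request() {  # $1 = key file, $2 = CSR file
    "$CERTTOOL" --generate-privkey --bits 2048 --outfile "$1" 2>/dev/null
    cat > "$WORK/server.tmpl" <<EOF
cn = "$HOST"
o = "VPN"
dns_name = "$HOST"
signing_key
encryption_key
tls_www_server
EOF
    "$CERTTOOL" --generate-request --load-privkey "$1" --template "$WORK/server.tmpl" \
        --outfile "$2" 2>/dev/null
}

# OpenSSL side: what CA.sh -signreq runs underneath (-batch instead of prompting).
sign_csr() {  # $1 = copy|none, $2 = CSR file, $3 = certificate out
    openssl ca -batch -notext -config "$CA_DIR/openssl-$1.cnf" -in "$2" -out "$3" 2>/dev/null
}

has_server_eku() {  # did the template's tls_www_server survive signing?
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

verify_both() {  # the chain must be accepted by OpenSSL and by GnuTLS
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null &&
    "$CERTTOOL" --verify --load-ca-certificate "$CA_DIR/cacert.pem" --infile "$1" >/dev/null 2>&1
}

run_demo() {
    make_ca
    make_request "$WORK/server-key.pem" "$WORK/server.csr"
    sign_csr copy "$WORK/server.csr" "$WORK/server-cert.pem"
    sign_csr none "$WORK/server.csr" "$WORK/server-cert-nocopy.pem"
}

if have_tools; then
    run_demo
    has_server_eku "$WORK/server-cert.pem" && echo "copy_extensions=copy: serverAuth EKU present"
    has_server_eku "$WORK/server-cert-nocopy.pem" || echo "copy_extensions=none: serverAuth EKU dropped"
    verify_both "$WORK/server-cert.pem" && echo "chain verified by openssl and $CERTTOOL"
else
    echo "skipping: needs openssl and $CERTTOOL on PATH" >&2
fi
```

Run it as `sh script.sh`; the files land under the directory in `$WORK`. The CA key is created without a passphrase so the script runs unattended, which is fine for a throwaway CA but not for the real one, and `-notext` keeps the human-readable dump that CA.sh prepends out of server-cert.pem.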
Generate Certificate with GnuTLS and Sign with OpenSSL by @sskaje: https://sskaje.me/2014/02/generate-certificate-gnutls-sign-openssl/