Certificates offer the strongest authentication for an IPSec tunnel: the Certificate Authority (CA) controls the trust relationships and can revoke the certificate of an individual unit or user without touching the others. The Nodegrid IPSec implementation can use certificates issued by a public CA, by a private CA such as a company-internal CA, or by a certificate infrastructure that the Nodegrid solution provides itself.
If the certificates are to be signed by a public or private CA, a certificate request file has to be created on each node individually. To do this, run the following command on each node:
Format:
certutil -R -s "<SUBJECT DN>" -o <NODE>.req -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# certutil -R -s "CN=ng-west, L=Fremont, ST=California, C=US" -o ng-west.req -d sql:/etc/ipsec/ipsec.d/
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
This generates the key pair in the node's IPsec NSS database and writes the request file (binary DER; add -a for a PEM-encoded request), which can be sent to the CA for signing. The CA then returns the signed node certificate together with its CA certificate. The CA certificate is imported with certutil -A as shown in the import steps below; the signed node certificate is imported into the same database, where NSS matches it to the private key generated by the request.
The Nodegrid can provide its own certificate infrastructure. For this, a Certificate Authority has to be created on one node. This node does not have to be one of the nodes used in the VPN. It is recommended to place this node in a secure location, because it holds the CA private key and the private keys of all issued certificates: a security breach on this node compromises every VPN connection that trusts the CA.
Create a working directory and an empty NSS database for the CA. The database password is requested again for every later operation on this database, so keep it safe:
root@ng-west:~# mkdir ca
root@ng-west:~# certutil -N -d ./ca/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Create the self-signed CA certificate. -x makes the certificate self-signed, -v 12 sets its validity to 12 months and -t "CT,C,C" marks it as a trusted CA (C = valid CA, T = trusted to issue client certificates) for the SSL, S/MIME and object-signing slots.
Format:
certutil -S -k rsa -n "<CA NICKNAME>" -s "<CA SUBJECT DN>" -v 12 -t "CT,C,C" -x -d <CA DB DIR>
Example:
root@ng-west:~# certutil -S -k rsa -n "zpeca" -s "CN=ca.zpesystems.local,L=Fremont,ST=California,C=US" -v 12 -t "CT,C,C" -x -d ./ca/
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Issue one certificate per VPN node, signed by the CA (-c names the issuing CA). The node certificates also expire after 12 months (-v 12), so plan their renewal before that.
Format:
certutil -S -k rsa -c "<CA NICKNAME>" -n "<NODE NICKNAME>" -s "<NODE SUBJECT DN>" -v 12 -t "u,u,u" -d <CA DB DIR>
Example ng-west:
root@ng-west:~# certutil -S -k rsa -c "zpeca" -n "ng-west" -s "CN=ng-west,L=Fremont,ST=California,C=US" -v 12 -t "u,u,u" -d ./ca/
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
Example ng-east:
root@ng-west:~# certutil -S -k rsa -c "zpeca" -n "ng-east" -s "CN=ng-east,L=Fremont,ST=California,C=US" -v 12 -t "u,u,u" -d ./ca/
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
List the CA database to confirm that the CA and both node certificates exist. The u flag shows that the private key is present in this database; on the CA node this is expected for all three entries.
Format:
certutil -L -d <CA DB DIR>
Example:
root@ng-west:~# certutil -L -d ./ca/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

zpeca                                                        CTu,Cu,Cu
ng-east                                                      u,u,u
ng-west                                                      u,u,u
Export the CA certificate in PEM format (-a). This file contains no private key and can be distributed freely.
Format:
certutil -L -n "<CA NICKNAME>" -d <CA DB DIR> -a > <CA NICKNAME>.crt
Example:
root@ng-west:~# certutil -L -n "zpeca" -d ./ca/ -a > zpeca.crt
Export each node's certificate together with its private key as a PKCS#12 bundle. The .p12 file contains the private key, so choose a strong export password and treat the file like the key itself.
Format:
pk12util -o <NODE NICKNAME>.p12 -n <NODE NICKNAME> -d <CA DB DIR>
Example:
root@ng-west:~# pk12util -o ng-west.p12 -n ng-west -d ./ca/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Each VPN node needs three files: the CA certificate, its own .p12 bundle and the certificate (without key) of its peer. Files for ng-west:
root@ng-west:~# pk12util -o ng-west.p12 -n ng-west -d ./ca/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
root@ng-west:~# certutil -L -n "zpeca" -d ./ca/ -a > zpeca.crt
root@ng-west:~# certutil -L -n "ng-east" -d ./ca/ -a > ng-east.crt
root@ng-west:~# ls -l
total 16
-rw-r--r-- 1 root root 1147 Apr 19 02:00 ng-east.crt
-rw------- 1 root root 3370 Apr 19 01:57 ng-west.p12
-rw-r--r-- 1 root root 1163 Apr 19 01:55 zpeca.crt
Files for ng-east:
root@ng-west:~# pk12util -o ng-east.p12 -n ng-east -d ./ca/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
root@ng-west:~# certutil -L -n "zpeca" -d ./ca/ -a > zpeca.crt
root@ng-west:~# certutil -L -n "ng-west" -d ./ca/ -a > ng-west.crt
root@ng-west:~# ls -l
total 24
-rw------- 1 root root 3370 Apr 19 02:02 ng-east.p12
-rw-r--r-- 1 root root 1147 Apr 19 02:03 ng-west.crt
-rw-r--r-- 1 root root 1163 Apr 19 01:55 zpeca.crt
Note the 0600 permissions on the .p12 files. Delete each .p12 from the CA node (and from the target node's home directory) once the node has imported it.
On the VPN node, import the CA certificate into the IPsec NSS database. -t "CT,," marks it as a trusted CA; without the C and T flags NSS will not accept the certificates it has signed.
Format:
certutil -A -i <CA FILE>.crt -n "<CA NICKNAME>" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# certutil -A -i zpeca.crt -n "zpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
If a second CA has to be trusted, its certificate is imported the same way (example with a second CA named euzpeca):
Format:
certutil -A -i <CA FILE>.crt -n "<CA NICKNAME>" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# certutil -A -i euzpeca.crt -n "euzpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
Import the node's own certificate and private key from the .p12 bundle. The PKCS#12 export password is requested.
Format:
ipsec import <NODE NICKNAME>.p12 -n <NODE NICKNAME> -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# ipsec import ng-west.p12 -n ng-west -d sql:/etc/ipsec/ipsec.d/
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Note: If this command does not work, use the following command instead:
ipsec import ng-west.p12 -d sql:/etc/ipsec/ipsec.d
Import the peer's certificate (the .crt file, never the peer's .p12). -t "P,," marks it as a trusted peer.
Format:
certutil -A -i <PEER FILE>.crt -n "<PEER NICKNAME>" -t "P,," -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# certutil -A -i ng-east.crt -n "ng-east" -t "P,," -d sql:/etc/ipsec/ipsec.d/
The complete import sequence on ng-west:
root@ng-west:~# certutil -A -i zpeca.crt -n "zpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
root@ng-west:~# ipsec import ng-west.p12 -n ng-west -d sql:/etc/ipsec/ipsec.d/
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
root@ng-west:~# certutil -A -i ng-east.crt -n "ng-east" -t "P,," -d sql:/etc/ipsec/ipsec.d/
Verify that the certificates are in place for ipsec to use with the "certutil -L" command. The CA must show CT, the node's own certificate u (private key present) and the peer P; only the node's own entry may carry the u flag.
root@ng-west:~# certutil -L -d sql:/etc/ipsec/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

zpeca                                                        CT,,
ng-west                                                      u,u,u
ng-east                                                      P,,
Use scp or another secure file transfer method to copy the three files zpeca.crt, ng-east.p12 and ng-west.crt to the root home folder of ng-east, then repeat the import procedure as done on ng-west:
root@ng-east:~# certutil -A -i zpeca.crt -n "zpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
root@ng-east:~# ipsec import ng-east.p12 -n ng-east -d sql:/etc/ipsec/ipsec.d/
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
root@ng-east:~# certutil -A -i ng-west.crt -n "ng-west" -t "P,," -d sql:/etc/ipsec/ipsec.d/
Verify that the certificates are in place with the "certutil -L" command:
root@ng-east:~# certutil -L -d sql:/etc/ipsec/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

zpeca                                                        CT,,
ng-east                                                      u,u,u
ng-west                                                      P,,
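The two listings above are the expected end state on each node, and the import mistakes that actually happen (copying the whole CA database onto an endpoint, importing the peer's .p12 instead of its .crt, forgetting the CT or P trust flags) all show up in the trust column. The following script is an added example, not part of the Nodegrid documentation or of certutil: it parses the plain-text output of `certutil -L -d sql:/etc/ipsec/ipsec.d/` and checks one endpoint's database for the CA, own and peer entries. The two listings embedded in it are constructed samples (a correct ng-west database and a misconfigured one); the nicknames zpeca, ng-west and ng-east are taken from this page.

```shell
#!/bin/sh
# check_ipsec_nss.sh - sanity-check an endpoint's IPsec NSS database after the
# certificate imports (added example; not part of the Nodegrid documentation).
#
# It parses the listing printed by
#   certutil -L -d sql:/etc/ipsec/ipsec.d/
# and checks, for one endpoint, that
#   * the CA certificate is trusted (C and T in the SSL slot) and the CA's
#     private key is NOT on the endpoint (no "u": that key stays on the CA node),
#   * the node's own certificate has its private key ("u"),
#   * the peer certificate is a trusted peer ("P") and carries no private key.
# Assumptions: nicknames contain no whitespace (as on this page) and the trust
# attributes are the last field of each entry line.

# trust_flags LISTING NICKNAME
#   Prints the SSL trust slot (text before the first comma) of NICKNAME.
#   Returns 1 if NICKNAME is not in the listing.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        $1 == nick { split($NF, slot, ","); print slot[1]; found = 1 }
        END { exit !found }'
}

# has_flag FLAGS LETTER - succeeds when LETTER occurs in FLAGS
has_flag() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# check_endpoint_db LISTING CA_NICK SELF_NICK PEER_NICK
#   Prints one "FAIL: ..." line per problem; returns 0 only if every check passes.
check_endpoint_db() {
    db_listing=$1; ca_nick=$2; self_nick=$3; peer_nick=$4; db_rc=0

    if ca_flags=$(trust_flags "$db_listing" "$ca_nick"); then
        if ! has_flag "$ca_flags" C || ! has_flag "$ca_flags" T; then
            echo "FAIL: CA '$ca_nick' has trust '$ca_flags'; import it with -t \"CT,,\""; db_rc=1
        fi
        if has_flag "$ca_flags" u; then
            echo "FAIL: CA '$ca_nick' private key is present on this endpoint ('$ca_flags'); keep the CA key on the CA node only"; db_rc=1
        fi
    else
        echo "FAIL: CA certificate '$ca_nick' not found"; db_rc=1
    fi

    if self_flags=$(trust_flags "$db_listing" "$self_nick"); then
        if ! has_flag "$self_flags" u; then
            echo "FAIL: own certificate '$self_nick' has no private key ('$self_flags'); import the .p12 with 'ipsec import', not the .crt"; db_rc=1
        fi
    else
        echo "FAIL: own certificate '$self_nick' not found"; db_rc=1
    fi

    if peer_flags=$(trust_flags "$db_listing" "$peer_nick"); then
        if ! has_flag "$peer_flags" P; then
            echo "FAIL: peer certificate '$peer_nick' has trust '$peer_flags'; import it with -t \"P,,\""; db_rc=1
        fi
        if has_flag "$peer_flags" u; then
            echo "FAIL: peer '$peer_nick' private key is present on this node; only the peer's .crt belongs here"; db_rc=1
        fi
    else
        echo "FAIL: peer certificate '$peer_nick' not found"; db_rc=1
    fi
    return $db_rc
}

# Constructed sample: the ng-west listing this page expects after the three imports.
GOOD_NG_WEST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

zpeca                                                        CT,,
ng-west                                                      u,u,u
ng-east                                                      P,,'

# Constructed sample of a misconfigured endpoint: the CA database was copied over
# instead of zpeca.crt (CA key present) and ng-east.p12 was imported instead of ng-east.crt.
BAD_NG_WEST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

zpeca                                                        CTu,Cu,Cu
ng-west                                                      u,u,u
ng-east                                                      u,u,u'

# Live use on a node: check_endpoint_db "$(certutil -L -d sql:/etc/ipsec/ipsec.d/)" zpeca ng-west ng-east
check_endpoint_db "$GOOD_NG_WEST" zpeca ng-west ng-east && echo "ng-west: database OK"
if ! check_endpoint_db "$BAD_NG_WEST" zpeca ng-west ng-east; then
    echo "misconfigured sample rejected as expected"
fi
```

On ng-east the same call is made with the nicknames swapped (`check_endpoint_db "$(certutil -L -d sql:/etc/ipsec/ipsec.d/)" zpeca ng-east ng-west`). The check on the CA entry is the one worth keeping around: a "u" on the CA's line of a tunnel endpoint means the CA private key has left the CA node, which defeats the point of the separate CA described above.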
Below is an example of certificate-based authentication for a host-to-host connection. leftcert/rightcert name the certificates by their nickname in the IPsec NSS database, %cert takes the public key from that certificate, and %fromcert takes the peer ID from the certificate's subject DN.
Example /etc/ipsec/ipsec.d/host-to-host-cert.conf
conn host-to-host-cert
    connaddrfamily=ipv4
    auto=start
    leftid=%fromcert
    left=192.168.50.4
    leftrsasigkey=%cert
    leftcert=ng-west
    rightid=%fromcert
    right=192.168.58.4
    rightrsasigkey=%cert
    rightcert=ng-east