How to Create Certificates for IPSec

How to Create Certificates for IPSec

Reversion 0.2 (30 Jun 2021)

Overview

Certificates offer the best level of security for an IPSec tunnel, as the Certificate Authority (CA) can control trust relationships and revoke certificates to specific units or users. The Nodegrid IPSec implementation can utilize certificates. Certificates can be issued by Public Certificate Authorities, Privat Certificate Authorities like company internal CA’s or the Nodegrid solution can provide it’s own certificate infrastructure.

Certificate Request Files

In case the certificates need to be signed by a Public or Private CA a certificate request file needs to be created on each node individually. For this run the following command on each node:

Format:

certutil -R -s "" -o .req -d sql:/etc/ipsec/ipsec.d/

Example:

root@ng-west:~# certutil -R -s "CN=ng-west, L=Fremont, ST=California, C=US" -o ng-west.req -d sql:/etc/ipsec/ipsec.d/

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Generating key.  This may take a few moments...

This will create a request file, which can be send to the CA for signing. The CA will then have to return the required files.

Nodegrid Certificate Authority

The Nodegrid can provide its own Certificate Infrastructure. For this a Certificate Authority needs to be created on one node. This node does not have to be any of the nodes which is used in the VPN. It is recommended that the node used for this task is in a secure location as this node will hold all certificates, for a security breach on this node will affect all VPN connections.

  1. Create a folder which will hold the Certificate Authority database

  2. root@ng-west:~# mkdir ca
  3. Create a Database

  4. root@ng-west:~# certutil -N -d ./ca/
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.
    
    Enter new password:
    Re-enter password:
  5. Create the Root Certificate
  6. Format:

    certutil -S -k rsa -n "" -s "" -v 12 -t "CT,C,C" -x -d 

    Example:

    root@ng-west:~# certutil -S -k rsa -n "zpeca" -s "CN=ca.zpesystems.local,L=Fremont,ST=California,C=US" -v 12 -t "CT,C,C" -x -d ./ca/
    Enter Password or Pin for "NSS Certificate DB":
    
    A random seed must be generated that will be used in the
    creation of your key.  One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.
    
    To begin, type keys on the keyboard until this progress meter
    is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
    
    Continue typing until the progress meter is full:
    
    |************************************************************|
    
    Finished.  Press enter to continue:
    
    Generating key.  This may take a few moments...
  7. Create Certificates for each node
  8. In this Example we will create 2 certificates which can be used for the Host to Host examples.
  9. Format:

    certutil -S -k rsa -c "<>CA IDENTIFIER" -n "" -s "" -v 12 -t "u,u,u" -d

    Example ng-west:

    root@ng-west:~# certutil -S -k rsa -c "zpeca" -n "ng-west" -s "CN=ng-west,L=Fremont,ST=California,C=US" -v 12 -t "u,u,u" -d ./ca/
    Enter Password or Pin for "NSS Certificate DB":
    
    A random seed must be generated that will be used in the
    creation of your key.  One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.
    
    To begin, type keys on the keyboard until this progress meter
    is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
    
    Continue typing until the progress meter is full:
    
    |************************************************************|
    
    Finished.  Press enter to continue:
    
    Generating key.  This may take a few moments...
    
    Notice: Trust flag u is set automatically if the private key is present.

    Example ng-east

    root@ng-west:~# certutil -S -k rsa -c "zpeca" -n "ng-east" -s "CN=ng-east,L=Fremont,ST=California,C=US" -v 12 -t "u,u,u" -d ./ca/
    Enter Password or Pin for "NSS Certificate DB":
    
    A random seed must be generated that will be used in the
    creation of your key.  One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.
    
    To begin, type keys on the keyboard until this progress meter
    is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
    
    Continue typing until the progress meter is full:
    
    |************************************************************|
    
    Finished.  Press enter to continue:
    
    Generating key.  This may take a few moments...
    
    Notice: Trust flag u is set automatically if the private key is present.
  10. Confirm that Certificates have been created
  11. Format:

    certutil -L -d 

    Example:

    root@ng-west:~# certutil -L -d ./ca/
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    zpeca                                                        CTu,Cu,Cu
    ng-east                                                      u,u,u
    ng-west                                                      u,u,u
  12. At this point we have all the required certificates for our Host to Host connections. In case more nodes are involved in the VPN setup then additional certificates can be created.
  13. Each node requires a number of certificates so that it can successfully authenticate a session. These certificates are:
    1. Root Certificate Authority
    2. All intermediate Certificate Authorities (Note: in our example we do not have any Intermediate CA’s)
    3. The private key and certificate for the specific node in a PKCS#12 format
    4. The certificate of all remote nodes which will connect to this node
  14. Extract the required certifications
    1. Extract Certificate files
    2. Format:

      certutil -L -n "" -d  -a > .crt

      Example:

      root@ng-west:~#certutil -L -n "zpeca" -d ./ca/ -a > zpeca.crt
    3. Extract Private Kets and Certificates
    4. Format:

      pk12util -o .p12 -n  -d 

      Example:

      root@ng-west:~#  pk12util -o ng-west.p12 -n ng-west -d ./ca/
      Enter Password or Pin for "NSS Certificate DB":
      Enter password for PKCS12 file:
      Re-enter password:
      pk12util: PKCS12 EXPORT SUCCESSFUL
  15. Full Example of extracting certificates for a Host to Host connection example
    1. ng-west node
    2. root@ng-west:~#  pk12util -o ng-west.p12 -n ng-west -d ./ca/
      Enter Password or Pin for "NSS Certificate DB":
      Enter password for PKCS12 file:
      Re-enter password:
      pk12util: PKCS12 EXPORT SUCCESSFUL
      root@ng-west:~# certutil -L -n "zpeca" -d ./ca/ -a > zpeca.crt
      root@ng-west:~# certutil -L -n "ng-east" -d ./ca/ -a > ng-east.crt
      root@ng-west:~# ls -l
      total 16
      -rw-r--r-- 1 root root 1147 Apr 19 02:00 ng-east.crt
      -rw------- 1 root root 3370 Apr 19 01:57 ng-west.p12
      -rw-r--r-- 1 root root 1163 Apr 19 01:55 zpeca.crt
    3. ng-east node
    4. root@ng-west:~#  pk12util -o ng-east.p12 -n ng-east -d ./ca/
      Enter Password or Pin for "NSS Certificate DB":
      Enter password for PKCS12 file:
      Re-enter password:
      pk12util: PKCS12 EXPORT SUCCESSFUL
      root@ng-west:~# certutil -L -n "zpeca" -d ./ca/ -a > zpeca.crt
      root@ng-west:~# certutil -L -n "ng-west" -d ./ca/ -a > ng-west.crt
      root@ng-west:~# ls -l
      total 24
      -rw------- 1 root root 3370 Apr 19 02:02 ng-east.p12
      -rw-r--r-- 1 root root 1147 Apr 19 02:03 ng-west.crt
      -rw-r--r-- 1 root root 1163 Apr 19 01:55 zpeca.crt
  16. At this point all certificates have been created and exported. The files can now be distributed to the correct nodes.

Import of Certificates to NSS Database

  1. First import the Root Certificate
  2. Format:

    certutil -A -i  -n "" -t "CT,," -d sql:/etc/ipsec/ipsec.d/

    Example:

    root@ng-west:~# certutil -A -i zpeca.crt -n "zpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
  3. Import Intermediate Certificate Authorities if they exist
  4. Format:

    certutil -A -i  -n "" -t ",," -d sql:/etc/ipsec/ipsec.d/

    Example:

    root@ng-west:~# certutil -A -i euzpeca.crt -n "euzpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
  5. Import the private key and certificate specific to this node
  6. Format:

    ipsec import  -n  -d sql:/etc/ipsec/ipsec.d/

    Example:

    root@ng-west:~#  ipsec import ng-west.p12 -n ng-west -d sql:/etc/ipsec/ipsec.d/
    Enter password for PKCS12 file:
    pk12util: PKCS12 IMPORT SUCCESSFUL
    Note: Use below command if this command does not work,
    ipsec import ng-west.p12 -d sql:/etc/ipsec/ipsec.d
  7. Import the remote node certificates
  8. Format:

    certutil -A -i  -n "" -t "P,," -d sql:/etc/ipsec/ipsec.d/

    Example:

    root@ng-west:~# certutil -A -i ng-east.crt -n "ng-east" -t "P,," -d sql:/etc/ipsec/ipsec.d/
  9. Full Example of importing certificates for a Host to Host connection example
    1. ng-west node
    2. root@ng-west:~# certutil -A -i zpeca.crt -n "zpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
      root@ng-west:~#  ipsec import ng-west.p12 -n ng-west -d sql:/etc/ipsec/ipsec.d/
      Enter password for PKCS12 file:
      pk12util: PKCS12 IMPORT SUCCESSFUL
      root@ng-west:~# certutil -A -i ng-east.crt -n "ng-east" -t "P,," -d sql:/etc/ipsec/ipsec.d/

      Verify certificates are in place for ipsec to use, issuing “certutil –L” command.

      root@ng-west:~# certutil -L -d sql:/etc/ipsec/ipsec.d/
      
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      
      zpeca                                                        CT,,
      ng-west                                                      u,u,u
      ng-east                                                      P,,
      
    3. ng-east node
    4. Use scp or other secure file transfer method to transfer the three files, zpeca.crt, ng-east.p12 and ng-west.crt to the root home folder of ng-east, then repeat the import procedures as did in the ng-east, as follows.

      root@ng-east:~# certutil -A -i zpeca.crt -n "zpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
      root@ng-east:~# ipsec import ng-east.p12 -n ng-east -d sql:/etc/ipsec/ipsec.d/
      Enter password for PKCS12 file:
      pk12util: PKCS12 IMPORT SUCCESSFUL
      root@ng-east:~# certutil -A -i ng-west.crt -n "ng-west" -t "P,," -d sql:/etc/ipsec/ipsec.d/
      
      Verify certificates are in place with “certutil –L” command:
      
      root@ng-east:~# certutil -L -d sql:/etc/ipsec/ipsec.d/
      
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      
      zpeca                                                        CT,,
      ng-east                                                      u,u,u
      ng-west                                                      P,,

      Below is an example for a certificate-based authentication for a Host to Host connection.

      Example /etc/ipsec/ipsec.d/host-to-host-cert.conf

      conn host-to-host-cert
              connaddrfamily=ipv4
              auto=start
      
              leftid=%fromcert
              left=192.168.50.4
              leftrsasigkey=%cert
              leftcert=ng-west
      
              rightid=%fromcert
              right=192.168.58.4
              rightrsasigkey=%cert
              rightcert=ng-east

    • Related Articles

    • IPsec tunnel to AWS VPC with Certificates

      IPsec tunnel to AWS VPC with Certificates tested on: 5.2.1, 6.0.5 AWS VPC configuration Create Certificates AWS supports multiple ways to create and manage certificates. This guide utilized AWS Certificate Manager, read AWS documentation on how the ...
    • IPSec VPN support

      Version 0.1 (02 May 2018) Virtual Private Network (VPN) Overview A Virtual Private Network (VPN) is used to provide a secure means of communication among remote computers across networks, such as the Internet or a public WAN in general. VPN creates ...
    • How to Configure IPSec Host to Host tunnel with Certificate

      Version 0.1 (02 May 2018) Overview Host to Host configurations allow two nodes to established a tunnel between them. The encrypted communication will be limited just to the two nodes involved. Figure 11: Host to Host Configuration Example Details ...
    • How to Configure IPSec Host to Site Tunnel with Certificate

      Version 0.1 (02 May 2018) Overview Host to Site configurations are very similar to Host to Host configurations, especially the authentication methods are the same. Added changes to the configurations are the values for rightsourceip and rightsubnets. ...
    • How to Configure IPSec Site to Site Tunnel with Certificate

      Version 0.1 (02 May 2018) Overview Site to Site Configurations are further extension to host to site configurations. Communication is in this case expanded between multiple subnet on both sites of the connection. Subnet and communication IP addresses ...