Generation of user certificates
After setup of the certification authority (CA), the user certificates of the VPN gateway and of the VPN clients can be created. To generate a user certificate, three steps are necessary:
1. Generation of a new key along with a certificate request (CA.sh -newreq)
2. Signing of the certificate request with the certification authority (CA.sh -sign)
3. Export of the certificates (CA certificate and user certificate), including the keys (public and private user key), in PKCS#12 format using OpenSSL.
In the first step, a new certificate key and certificate request are generated with the command CA.sh -newreq:
newkey.pem = RSA key pair (public and private key)
newreq.pem = certificate request (contains the public key along with the data required for the certificate request)
In the second step, this certificate request is signed by the certification authority with the command CA.sh -sign. This generates the file newcert.pem. Now a separate folder should be created in which the certificate key, the certificate request and the signed certificate are stored:
# create a new folder
mkdir ./vpn-gateway
# move the temporary files into the folder
mv newreq.pem vpn-gateway/hinz_req.pem
mv newkey.pem vpn-gateway/hinz_key.pem
mv newcert.pem vpn-gateway/hinz_cert.pem
In the third step, the certificate of the certification authority and the newly created user certificate, together with its private key, are exported into a single file in PKCS#12 format. This file is protected with a password and allows the certificates to be transferred to the VPN gateway or to a VPN client. Because the file contains the private key, choose a strong export password and delete the .p12 file once it has been imported on the target device. The following command is used for this; it refers to the files under the names they were given in the previous step:
openssl pkcs12 -export -in vpn-gateway/hinz_cert.pem -inkey vpn-gateway/hinz_key.pem -certfile demoCA/cacert.pem -name vpn-gateway -out vpn-gateway/vpn-gateway1.p12
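As an added example (not the manual's own CA.sh scripts), the same three steps carried out with plain openssl commands, followed by a check that the exported .p12 file really contains what the VPN client needs: the user certificate, its matching private key and the CA certificate. The working directory, the subject names and the export password are assumed values for the demo.

```shell
#!/bin/sh
# Added example, not from the bintec manual: the three steps with plain openssl instead
# of CA.sh, plus checks on the exported PKCS#12. Directory, names, password: constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
P12PASS="demo-export-password"   # placeholder; use a strong password in practice

make_ca() {
  # CA setup (done before the three steps): self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo VPN CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_request() {
  # Step 1 (CA.sh -newreq): new RSA key pair plus certificate request
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1_key.pem" -out "$WORK/$1_req.pem" 2>/dev/null
}

sign_request() {
  # Step 2 (CA.sh -sign): the CA signs the request, producing the user certificate
  openssl x509 -req -days 365 -in "$WORK/$1_req.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/$1_cert.pem" 2>/dev/null
}

export_p12() {
  # Step 3: user cert + private key + CA cert in one password-protected file
  openssl pkcs12 -export -in "$WORK/$1_cert.pem" -inkey "$WORK/$1_key.pem" \
    -certfile "$WORK/cacert.pem" -name "$1" -passout "pass:$P12PASS" \
    -out "$WORK/$1.p12"
}

# Succeeds only if the .p12 opens with the password, the user certificate
# verifies against the CA certificate carried in the bundle, and the private
# key in the bundle matches the user certificate's public key.
verify_p12() {
  d=$(mktemp -d)
  pw="pass:$P12PASS"
  openssl pkcs12 -in "$WORK/$1.p12" -passin "$pw" -nocerts -nodes \
    -out "$d/key.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$WORK/$1.p12" -passin "$pw" -cacerts -nokeys \
    -out "$d/ca.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$WORK/$1.p12" -passin "$pw" -clcerts -nokeys \
    -out "$d/user.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$d/ca.pem" "$d/user.pem" >/dev/null 2>&1 || return 1
  k=$(openssl pkey -in "$d/key.pem" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$d/user.pem" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}
```

Run the four functions in order for a client name (for example `make_request hinz`), then `verify_p12 hinz` before handing the file over; a wrong password or a bundle missing the CA certificate makes the check fail.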
The described steps for generation of a user certificate are illustrated through the example of the certificate created for the VPN gateway.
These steps must be performed in the same way for each of the bintec secure IPsec clients™.
Creation of a new key along with a certificate request:
Signing of the certificate request with the certification authority:
Export of certificates (CA certificate and user certificate), including keys (public and private user key), in PKCS#12 format using OpenSSL:
Copyright © Version 01/2020 bintec elmeg GmbH