Secure Computing SG300 User Manual page 242

Snapgear gateway

Create the CA certificate. Omit the -nodes option if you want to use a password to
secure the CA key:
openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes
where DAYS_VALID is the number of days the root CA is valid for.
Create local certificate pairs
For each local certificate you wish to create, there are two steps.
First, create the certificate request:
openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.req
Enter a PEM pass phrase (this is the same pass phrase required when you upload the
key to the SnapGear unit) and then the certificate details. All but the Common Name are
optional and may be omitted.
Second, sign the certificate request with the CA:
openssl ca -config openssl.cnf -out cert1.pem -notext -infiles cert1.req
You now have a local certificate pair, the local public certificate cert1.pem and the local
private key certificate cert1.key, ready to use in the SnapGear unit.
For each certificate required, change the cert1.* filenames appropriately.
Using certificates with Windows IPSec
To create certificates to use with IPSec on a Windows system, first follow the previous
instructions in Creating a CA certificate and Creating local certificate pairs.
Windows IPSec requires the certificates to be in a PKCS12 format file. This format
combines the CA certificate, local public certificate and local private key certificate into
one file.
openssl pkcs12 -export -inkey cert1.key -in cert1.pem -certfile rootCA/ca.pem -out cert1.p12 -name "Certificate 1"
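Before uploading a pair to the unit or importing the PKCS12 file into Windows, it is worth checking that the certificate chains to the CA, that the key belongs to the certificate, and that the bundle carries both certificates. The script below is an added example, not part of the manual. The function names, the PEM_PASS and P12_PASS environment variables and the make_sample helper are assumptions; make_sample builds a constructed throwaway CA and signs with "openssl x509 -req" as a stand-in for "openssl ca", because the manual's openssl.cnf is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the manual). Pass phrases are read from the
# environment (PEM_PASS, P12_PASS) so they never appear in the process list.

# chains_to_ca CA CERT: succeed only if CERT verifies against CA.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert CERT KEY: succeed only if KEY is the private half of CERT.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:PEM_PASS -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# p12_cert_count P12: print the number of certificates inside the bundle.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# make_sample DIR: constructed throwaway CA, pair and bundle to check against.
# The request is signed with "openssl x509 -req" as a stand-in for "openssl ca".
make_sample() {
    d=$1; PEM_PASS=sample-pass; P12_PASS=sample-pass; export PEM_PASS P12_PASS
    mkdir -p "$d/rootCA" &&
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' >"$d/openssl.cnf" &&
    openssl req -config "$d/openssl.cnf" -new -x509 -subj '/CN=Sample CA' \
        -keyout "$d/rootCA/ca.key" -out "$d/rootCA/ca.pem" -days 30 -nodes \
        2>/dev/null &&
    openssl req -config "$d/openssl.cnf" -new -subj '/CN=cert1' \
        -passout env:PEM_PASS -keyout "$d/cert1.key" -out "$d/cert1.req" \
        2>/dev/null &&
    openssl x509 -req -in "$d/cert1.req" -CA "$d/rootCA/ca.pem" \
        -CAkey "$d/rootCA/ca.key" -CAcreateserial -out "$d/cert1.pem" \
        -days 30 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/cert1.key" -passin env:PEM_PASS \
        -in "$d/cert1.pem" -certfile "$d/rootCA/ca.pem" -out "$d/cert1.p12" \
        -name "Certificate 1" -passout env:P12_PASS
}
```

To check your own files, export PEM_PASS and P12_PASS, then call chains_to_ca rootCA/ca.pem cert1.pem, key_matches_cert cert1.pem cert1.key and p12_cert_count cert1.p12; the count should be 2 (the local certificate and the CA certificate).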
Virtual Private Networking
236
