Hi, {{user}}
Request submission is allowed from: {% if ca.request_subnets %}{% for i in ca.request_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}
Autosign is allowed from: {% if ca.autosign_subnets %}{% for i in ca.autosign_subnets %}{{ i }} {% endfor %}{% else %}nowhere{% endif %}
Authority administration is allowed from: {% if ca.admin_subnets %}{% for i in ca.admin_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}
Authority administration allowed for: {% for i in ca.admin_users %}{{ i }} {% endfor %}
opkg update opkg install strongswan-default curl openssl-util modprobe authenc
Generate key and submit using standard shell tools:
CN=$(cat /proc/sys/kernel/hostname) curl {{request.url}}/certificate/ > /etc/ipsec.d/cacerts/ca.pem openssl genrsa -out /etc/ipsec.d/private/$CN.pem 4096 chmod 0600 /etc/ipsec.d/private/$CN.pem openssl req -new -sha256 -key /etc/ipsec.d/private/$CN.pem -out /etc/ipsec.d/reqs/$CN.pem -subj "{% if s.C %}/C={{s.C}}{% endif %}{% if s.ST %}/ST={{s.ST}}{% endif %}{% if s.L %}/L={{s.L}}{% endif %}{% if s.O %}/O={{s.O}}{% endif %}{% if s.OU %}/OU={{s.OU}}{% endif %}/CN=$CN" curl -L -H "Content-Type: application/pkcs10" --data-binary @/etc/ipsec.d/reqs/$CN.pem {{request.uri}}/request/?autosign=1\&wait=30 > /etc/ipsec.d/certs/$CN.pem.part if [ $? -eq 0 ]; then mv /etc/ipsec.d/certs/$CN.pem.part /etc/ipsec.d/certs/$CN.pem; fi openssl verify -CAfile /etc/ipsec.d/cacerts/ca.pem /etc/ipsec.d/certs/$CN.pem
Inspect newly created files:
openssl x509 -text -noout -in /etc/ipsec.d/cacerts/ca.pem openssl x509 -text -noout -in /etc/ipsec.d/certs/$CN.pem openssl rsa -check -in /etc/ipsec.d/private/$CN.pem
Assuming you have Certidude installed
certidude setup client {{request.url}}
To set up OpenVPN server
certidude setup openvpn server {{request.url}}
Or to set up OpenVPN client
certidude setup openvpn client {{request.url}}
You can fetch a certificate by common name signing the request
curl -f {{request.url}}/signed/$CN > $CN.crt
To fetch certificate revocation list:
curl {{request.url}}/revoked/ | openssl crl -text -noout