On 2016-02-27, igor.kos wrote:
> I have created certificates in accordance with the isakmpd man page:
> 
> # env CERTIP=10.0.0.1 openssl x509 -req \
>  -days 365 -in 10.0.0.1.csr \
>  -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
>  -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
>  -extensions x509v3_IPAddr -out 10.0.0.1.crt
>
> But in certificate there is no 10.0.0.1 IP addr, instead there is:
>
> openssl x509 -in /etc/isakmpd/certs/10.0.0.1.crt -text
>
> .....something.....
> X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 IP Address:0.0.0.0
> ....something else....
>
>
> So 10.0.0.1, defined with env CERTIP=10.0.0.1, is not here. That is
> because in /etc/ssl/x509v3.cnf 0.0.0.0 is defined:
>
> # default settings
> CERTPATHLEN             = 1
> CERTUSAGE               = digitalSignature,keyCertSign,cRLSign
> EXTCERTUSAGE            = serverAuth,clientAuth
> CERTIP                  = 0.0.0.0
> CERTFQDN                = nohost.nodomain
>
> The value of CERTIP in x509v3 is important. We can change the value in
> /etc/ssl/x509v3.cnf and put CERTIP = 10.0.0.1 (i.e. our IP addr).
>
> But then the procedure mentioned in the man page is not correct.

You are right: the manpage is no longer correct; it needs updating
following changes in libressl.

You have figured things out correctly. In short, you now need
to use the x509v3.cnf file as a template and substitute in the
CERTIP/CERTFQDN values which were previously being passed in by
environment variables.

However, rather than make this change in the manual (which is
not the cleanest approach), it might be better to check whether
certificates from "ikectl ca" can be used with isakmpd and, if so,
direct users there instead.
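The template-and-substitute procedure from the reply, as an added shell example (not from this thread and not OpenBSD's own code): a copy of x509v3.cnf is rendered with the real CERTIP/CERTFQDN values written into the default block, the signing command from the question is run against that copy with the environment variables deliberately unset, and the resulting certificate is checked for the IP in its Subject Alternative Name. The template is constructed inline from the default block quoted above; the extension sections under it, the throwaway CA, the CSR and all file names are assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: sign an isakmpd peer
# certificate using a copy of /etc/ssl/x509v3.cnf as a template, with the
# CERTIP/CERTFQDN values substituted into the file instead of passed in the
# environment, then verify the SAN actually carries the IP.
set -eu

# Constructed template: the default block is the one quoted in the thread;
# the extension sections below it are an assumption about the file's layout.
make_template() {
    cat <<'EOF'
# default settings
CERTPATHLEN             = 1
CERTUSAGE               = digitalSignature,keyCertSign,cRLSign
EXTCERTUSAGE            = serverAuth,clientAuth
CERTIP                  = 0.0.0.0
CERTFQDN                = nohost.nodomain

[x509v3_CA]
basicConstraints = critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage = $ENV::CERTUSAGE

[x509v3_IPAddr]
subjectAltName = IP:$ENV::CERTIP
extendedKeyUsage = $ENV::EXTCERTUSAGE

[x509v3_FQDN]
subjectAltName = DNS:$ENV::CERTFQDN
extendedKeyUsage = $ENV::EXTCERTUSAGE
EOF
}

# render_x509v3_cnf IP FQDN: read the template on stdin and emit a copy whose
# CERTIP/CERTFQDN defaults are replaced, so the values live in the file.
render_x509v3_cnf() {
    sed -e "s|^CERTIP[[:space:]]*=.*|CERTIP = $1|" \
        -e "s|^CERTFQDN[[:space:]]*=.*|CERTFQDN = $2|"
}

# sign_peer_cert CNF CA_CRT CA_KEY CSR OUT: the command from the thread, run
# with CERTIP/CERTFQDN unset so only the rendered file's values can apply.
sign_peer_cert() {
    ( unset CERTIP CERTFQDN
      openssl x509 -req -days 365 -in "$4" \
          -CA "$2" -CAkey "$3" -CAcreateserial \
          -extfile "$1" -extensions x509v3_IPAddr -out "$5" ) 2>/dev/null
}

# san_ips CERT: print the IP Address entries of the Subject Alternative Name.
san_ips() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*IP Address:\([0-9.]*\).*/\1/p'
}

# demo: build a throwaway CA and CSR (assumed names), sign, and print the SAN
# IP. "10.0.0.1" means the substitution worked; "0.0.0.0" means it did not.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    dir=$(mktemp -d)
    make_template | render_x509v3_cnf 10.0.0.1 gw.example.net > "$dir/x509v3.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=TestCA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=10.0.0.1 \
        -keyout "$dir/10.0.0.1.key" -out "$dir/10.0.0.1.csr" 2>/dev/null
    sign_peer_cert "$dir/x509v3.cnf" "$dir/ca.crt" "$dir/ca.key" \
        "$dir/10.0.0.1.csr" "$dir/10.0.0.1.crt"
    san_ips "$dir/10.0.0.1.crt"
    rm -rf "$dir"
}

demo
```

On a real host, replace make_template with `cat /etc/ssl/x509v3.cnf` and point sign_peer_cert at the CA and CSR you actually use; the san_ips check is the part worth keeping, since a certificate whose SAN still reads 0.0.0.0 is exactly the failure the question describes and isakmpd will not match it to the peer.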
