56.2. Generating Certificates

  1. Open a terminal / command line and log in as the root user. Normally, this is done using the su command.

  2. Enter the following command in one line:

    openssl req -x509 -newkey rsa:2048 -days 730 -new -nodes -outform PEM -keyform PEM -keyout /etc/ipsec.d/private_key.pem -out /etc/ipsec.d/cert.pem

  3. The key pair is generated and you are prompted for the certificate data. The values entered do not affect the function of the VPN; they only need to be unique across all systems connected by VPN. We advise against using special characters such as accents or umlauts.

    Generating a 2048 bit RSA private key
    ..................................................................
    .....................................+++...+++
    writing new private key to 'private_key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:DE
    State or Province Name (full name) [Berkshire]:BW
    Locality Name (eg, city) [Newbury]:Tuebingen
    Organization Name (eg, company) [My Company Ltd]:Intra2net
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:MyComputerName
    Email Address []:
  4. The certificate is now valid for 2 years (730 days) and is located in the /etc/ipsec.d/cert.pem file. The private key is in the /etc/ipsec.d/private_key.pem file. To modify the validity period, use the -days parameter in the command line.

  5. Open the /etc/ipsec.d/cert.pem file, copy the content to the clipboard and import it into the Intra2net system under System > Key > Foreign keys.

  6. In the Intra2net system, navigate to System > Keys > Own Keys : Data. Select the appropriate certificate and export it to a file using the "Export certificate" menu item. Save it to the Linux computer, e.g. to /etc/ipsec.d/intra2netserver.pem.
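The following script is an added example and not part of the Intra2net manual or its software. It wraps the openssl command from step 2 so that the certificate data from step 3 is supplied with -subj instead of interactively, restricts the permissions of the private key (the -nodes option writes it unencrypted, so it must not be world-readable), and then checks what was produced: the common name, the key size, that certificate and key actually belong together, and the remaining validity. The output directory, common name and day count are passed as arguments; the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Intra2net manual. Requires the openssl binary.

# gen_vpn_cert OUTDIR COMMON_NAME DAYS
# Writes OUTDIR/private_key.pem (mode 0600) and OUTDIR/cert.pem, like step 2,
# but with the DN fields given on the command line instead of at the prompts.
gen_vpn_cert() {
    outdir=$1; cn=$2; days=$3
    mkdir -p "$outdir"
    # umask 077 inside a subshell: the unencrypted key is created unreadable
    # for other users from the very first byte, not chmod'ed afterwards.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -days "$days" -nodes \
        -outform PEM -keyform PEM \
        -subj "/C=DE/ST=BW/L=Tuebingen/O=Intra2net/CN=$cn" \
        -keyout "$outdir/private_key.pem" -out "$outdir/cert.pem" 2>/dev/null)
    chmod 600 "$outdir/private_key.pem"
}

# cert_cn CERT: print the common name of the certificate subject.
# RFC 2253 name output is stable across OpenSSL versions (CN=...,O=...,...).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_key_bits CERT: print the RSA modulus size of the certificate's key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_key_match CERT KEY: succeed only if the public key embedded in CERT
# equals the public half of KEY, i.e. the two files belong together.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_still_valid_in_days CERT DAYS: succeed if CERT has not expired DAYS
# days from now (useful for a renewal reminder before the 730 days run out).
cert_still_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_mode FILE: print the permission string, e.g. -rw-------
key_mode() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone usage: sh gen_vpn_cert.sh /etc/ipsec.d MyComputerName 730
if [ "$#" -ge 2 ]; then
    gen_vpn_cert "$1" "$2" "${3:-730}"
    echo "CN:        $(cert_cn "$1/cert.pem")"
    echo "Key bits:  $(cert_key_bits "$1/cert.pem")"
    echo "Key mode:  $(key_mode "$1/private_key.pem")"
    cert_key_match "$1/cert.pem" "$1/private_key.pem" \
        && echo "Key/cert:  match" || echo "Key/cert:  MISMATCH"
fi
```

The checks are worth running before step 5: a certificate whose public key does not match private_key.pem, or a key readable by every local user, are the two mistakes that are easiest to make here and hardest to notice later, because the import into the Intra2net system succeeds either way.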