48.2. Generating Certificates

IPSecuritas cannot generate certificates itself, so the OpenSSL command-line tool is used for this purpose.

  1. Open a Unix terminal (Programs > Utilities > Terminal).

  2. Enter the following command in one line:

    openssl req -x509 -newkey rsa:2048 -days 730 -new -nodes -outform PEM -keyform PEM -keyout private_key.pem -out newcert.pem

  3. The key pair is generated and the system then asks for the certificate data. The values entered are not significant for this purpose; they only have to be unique across all systems connected by the VPN. Do not use special characters such as accents or umlauts.

    Generating a 2048 bit RSA private key
    ..................................................................
    .....................................+++...+++
    writing new private key to 'private_key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:DE
    State or Province Name (full name) [Berkshire]:BW
    Locality Name (eg, city) [Newbury]:Tuebingen
    Organization Name (eg, company) [My Company Ltd]:Intra2net
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:MyComputerName
    Email Address []:

  4. The certificate is now valid for two years (730 days) and is stored in newcert.pem; the private key is in private_key.pem. The validity period can be changed with the -days parameter on the command line.

  5. Current versions of IPSecuritas read the private key only in PKCS#12 format. The following command converts the key pair created in step 2 accordingly:

    openssl pkcs12 -export -in newcert.pem -inkey private_key.pem -out newcert.p12

    At this point you must enter a password that protects the private key. This password is needed again later when importing into IPSecuritas. The result is saved under the file name newcert.p12.
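The following script is an added example, not part of the manual: it runs steps 2 and 5 non-interactively (-subj replaces the DN prompts, -passout supplies the export password) and then performs the checks worth doing before importing the file into IPSecuritas: the private key matches the certificate, the PKCS#12 file opens with the password, and the validity window really is the number of days requested. It assumes openssl is in PATH; the DN values and the password are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Intra2net manual). Assumes openssl in PATH.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=DE/ST=BW/L=Tuebingen/O=Intra2net/CN=MyComputerName"  # constructed sample DN
P12_PASS="${P12_PASS:-ChangeMe-Example}"                      # constructed sample password

# Step 2 without prompts. -nodes leaves private_key.pem unencrypted on disk,
# so delete it (or restrict its permissions) once the .p12 has been exported.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -days "${1:-730}" -nodes -subj "$SUBJ" \
        -keyout "$WORKDIR/private_key.pem" -out "$WORKDIR/newcert.pem"
}

# Step 5 without prompts: the export password protects the key inside the .p12.
export_p12() {
    openssl pkcs12 -export -in "$WORKDIR/newcert.pem" -inkey "$WORKDIR/private_key.pem" \
        -out "$WORKDIR/newcert.p12" -passout "pass:$P12_PASS"
}

# Check 1: the public key in the certificate equals the one derived from the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORKDIR/newcert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORKDIR/private_key.pem" -pubout)" ]
}

# Check 2: the PKCS#12 container can be parsed with the password that will be typed into IPSecuritas.
p12_opens() {
    openssl pkcs12 -in "$WORKDIR/newcert.p12" -passin "pass:$P12_PASS" -noout
}

# Check 3: the certificate is still valid on day N-1 but has expired by day N+1,
# i.e. the -days value given to gen_cert took effect. -checkend returns 0 if the
# certificate does NOT expire within the given number of seconds.
cert_valid_for_days() {
    c="$WORKDIR/newcert.pem"
    openssl x509 -in "$c" -noout -checkend $(( ($1 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$c" -noout -checkend $(( ($1 + 1) * 86400 )) >/dev/null
}

# Run as "sh thisscript.sh run" to generate, export and verify in one go.
if [ "${1:-}" = "run" ]; then
    gen_cert 730 && export_p12 && key_matches_cert && p12_opens && cert_valid_for_days 730 \
        && echo "ok: certificate and PKCS#12 file written to $WORKDIR"
fi
```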