Using certificates

Turbo IPsec relies on the PEM format to manage certificates, private keys and certificate revocation lists generated on another system.

As Turbo IPsec instances can belong to different communities, you can install several certificates. These certificates are used in the vpn command from the sec context.

You can manage certificates in the certificates context.

Installing a certificate

  1. Get the CA’s certificate from a third party utility:

    $ cat ca.pem
    -----BEGIN CERTIFICATE-----
    MIICvDCCAiWgAwIBAgIJAMn1vekv/hkWMA0GCSqGSIb3DQEBBAUAMEkxEjAQBgNV
    BAoTCTZXSU5EIFMuQTEMMAoGA1UEBxMDU1FZMQswCQYDVQQGEwJGUjEYMBYGA1UE
    AxMPNldJTkQgQXV0aG9yaXR5MB4XDTE1MTEyMzE0MjI0N1oXDTE1MTIyMzE0MjI0
    N1owSTESMBAGA1UEChMJNldJTkQgUy5BMQwwCgYDVQQHEwNTUVkxCzAJBgNVBAYT
    AkZSMRgwFgYDVQQDEw82V0lORCBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBANAliWlCRol13hcL4PRPAzb05uO15UKWMKKofh69nzBcX2Fzueut
    tXRXbIBMTQIMWRLFFs8LJ0G9sU8fwpjsh3XiEEchDw7L+LEhUtD16cz20V087Pfo
    atvl3hKTucVv9Fq52v6m+3peCbcAn51yoo27jFz1t3o0WZ1rarWEdVvxAgMBAAGj
    gaswgagwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUjvm1FCeIbtnbj1T7aznEirbF
    gJwweQYDVR0jBHIwcIAUjvm1FCeIbtnbj1T7aznEirbFgJyhTaRLMEkxEjAQBgNV
    BAoTCTZXSU5EIFMuQTEMMAoGA1UEBxMDU1FZMQswCQYDVQQGEwJGUjEYMBYGA1UE
    AxMPNldJTkQgQXV0aG9yaXR5ggkAyfW96S/+GRYwDQYJKoZIhvcNAQEEBQADgYEA
    sAtomSf9Zl7nCQq8jmoBmRT2J4K9yuWv98UhB2QTRLj9GTJeTJxgycC08JYrnIt7
    8NvdRGILtNSIYiBaeCkYD+AcjDvXWiShDxdMAOulZmsIZ5oYX3nhTIXwPn9QQBM4
    glBjnC+T3qe4M4EeATkQu8KFT87R33vk629MITcVXEQ=
    -----END CERTIFICATE-----
    
  2. Import the certification authority’s certificate in Turbo IPsec via the following command:

    router{conf:running-certificates}ca-certificate CANAME<CR>
    <paste the whole certificate>
    -----BEGIN CERTIFICATE-----
    MIICvDCCAiWgAwIBAgIJAMn1vekv/hkWMA0GCSqGSIb3DQEBBAUAMEkxEjAQBgNV
    BAoTCTZXSU5EIFMuQTEMMAoGA1UEBxMDU1FZMQswCQYDVQQGEwJGUjEYMBYGA1UE
    AxMPNldJTkQgQXV0aG9yaXR5MB4XDTE1MTEyMzE0MjI0N1oXDTE1MTIyMzE0MjI0
    N1owSTESMBAGA1UEChMJNldJTkQgUy5BMQwwCgYDVQQHEwNTUVkxCzAJBgNVBAYT
    AkZSMRgwFgYDVQQDEw82V0lORCBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBANAliWlCRol13hcL4PRPAzb05uO15UKWMKKofh69nzBcX2Fzueut
    tXRXbIBMTQIMWRLFFs8LJ0G9sU8fwpjsh3XiEEchDw7L+LEhUtD16cz20V087Pfo
    atvl3hKTucVv9Fq52v6m+3peCbcAn51yoo27jFz1t3o0WZ1rarWEdVvxAgMBAAGj
    gaswgagwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUjvm1FCeIbtnbj1T7aznEirbF
    gJwweQYDVR0jBHIwcIAUjvm1FCeIbtnbj1T7aznEirbFgJyhTaRLMEkxEjAQBgNV
    BAoTCTZXSU5EIFMuQTEMMAoGA1UEBxMDU1FZMQswCQYDVQQGEwJGUjEYMBYGA1UE
    AxMPNldJTkQgQXV0aG9yaXR5ggkAyfW96S/+GRYwDQYJKoZIhvcNAQEEBQADgYEA
    sAtomSf9Zl7nCQq8jmoBmRT2J4K9yuWv98UhB2QTRLj9GTJeTJxgycC08JYrnIt7
    8NvdRGILtNSIYiBaeCkYD+AcjDvXWiShDxdMAOulZmsIZ5oYX3nhTIXwPn9QQBM4
    glBjnC+T3qe4M4EeATkQu8KFT87R33vk629MITcVXEQ=
    -----END CERTIFICATE-----
    
    <CR>
    router{conf:running-certificates}
    
    CANAME

Name assigned to the CA certificate; later commands refer to it by this name.

  3. Import your own certificate and its private key:

    router{conf:running-certificates}my-certificate CERTNAME
    

    and

    router{conf:running-certificates}my-private-key CERTNAME
    
    CERTNAME

    Name of the router’s certificate to declare.

Displaying configured certificates

  • Display the configured certificates in PEM format:

    router{conf:running-certificates}display ca-certificate CANAME pem
    router{conf:running-certificates}display my-certificate CERTNAME pem
    
    CANAME

    CA’s name of the certificate to display.

    CERTNAME

Name of the certificate to be displayed.

  • Display the configured certificates in text format:

    router{conf:running-certificates}display ca-certificate CANAME text
    router{conf:running-certificates}display my-certificate CERTNAME text
    
    CANAME

    CA’s name of the certificate to display.

    CERTNAME

Name of the certificate to be displayed.

Example

router{conf:running-certificates}display ca-certificate myCA1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
router{conf:running-certificates}display ca-certificate myCA1 text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14552746580147837206 (0xc9f5bde92ffe1916)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: O=6WIND S.A, L=SQY, C=FR, CN=6WIND Authority
        Validity
            Not Before: Nov 23 14:22:47 2015 GMT
            Not After : Dec 23 14:22:47 2015 GMT
        Subject: O=6WIND S.A, L=SQY, C=FR, CN=6WIND Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d0:25:89:69:42:46:89:75:de:17:0b:e0:f4:4f:
                    03:36:f4:e6:e3:b5:e5:42:96:30:a2:a8:7e:1e:bd:
                    9f:30:5c:5f:61:73:b9:eb:ad:b5:74:57:6c:80:4c:
                    4d:02:0c:59:12:c5:16:cf:0b:27:41:bd:b1:4f:1f:
                    c2:98:ec:87:75:e2:10:47:21:0f:0e:cb:f8:b1:21:
                    52:d0:f5:e9:cc:f6:d1:5d:3c:ec:f7:e8:6a:db:e5:
                    de:12:93:b9:c5:6f:f4:5a:b9:da:fe:a6:fb:7a:5e:
                    09:b7:00:9f:9d:72:a2:8d:bb:8c:5c:f5:b7:7a:34:
                    59:9d:6b:6a:b5:84:75:5b:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Key Identifier:
                8E:F9:B5:14:27:88:6E:D9:DB:8F:54:FB:6B:39:C4:8A:B6:C5:80:9C
            X509v3 Authority Key Identifier:
                keyid:8E:F9:B5:14:27:88:6E:D9:DB:8F:54:FB:6B:39:C4:8A:B6:C5:80:9C
                DirName:/O=6WIND S.A/L=SQY/C=FR/CN=6WIND Authority
                serial:C9:F5:BD:E9:2F:FE:19:16

    Signature Algorithm: md5WithRSAEncryption
         b0:0b:68:99:27:fd:66:5e:e7:09:0a:bc:8e:6a:01:99:14:f6:
         27:82:bd:ca:e5:af:f7:c5:21:07:64:13:44:b8:fd:19:32:5e:
         4c:9c:60:c9:c0:b4:f0:96:2b:9c:8b:7b:f0:db:dd:44:62:0b:
         b4:d4:88:62:20:5a:78:29:18:0f:e0:1c:8c:3b:d7:5a:24:a1:
         0f:17:4c:00:eb:a5:66:6b:08:67:9a:18:5f:79:e1:4c:85:f0:
         3e:7f:50:40:13:38:82:50:63:9c:2f:93:de:a7:b8:33:81:1e:
         01:39:10:bb:c2:85:4f:ce:d1:df:7b:e4:eb:6f:4c:21:37:15:
         5c:44

Delete configured certificates

Certificates and private keys configured can be deleted using the following commands:

    router{conf:running-certificates}delete ca-certificate all|NAME
    router{conf:running-certificates}delete my-certificate all|NAME
    router{conf:running-certificates}delete my-private-key all|NAME
    
    NAME

    Element to be deleted.

    all

    Specify to delete all elements.

Installing a CRL

You can install a certificate revocation list encoded in PEM format.

  • Install the certification authority’s CRL:

    router{conf:running-certificates}ca-crl CANAME
    -----BEGIN X509 CRL-----
    MIIByTCCATICAQEwDQYJKoZIhvcNAQEEBQAwSTESMBAGA1UEChMJNldJTkQgUy5B
    MQwwCgYDVQQHEwNTUVkxCzAJBgNVBAYTAkZSMRgwFgYDVQQDEw82V0lORCBBdXRo
    b3JpdHkXDTE1MTEyNDE2MDAyN1oXDTE1MTIyNDE2MDAyN1owKDASAgEBFw0xNTEx
    MjMxNDIzMzBaMBICAQMXDTE1MTEyMzE0MzA0MlqggYowgYcweQYDVR0jBHIwcIAU
    jvm1FCeIbtnbj1T7aznEirbFgJyhTaRLMEkxEjAQBgNVBAoTCTZXSU5EIFMuQTEM
    MAoGA1UEBxMDU1FZMQswCQYDVQQGEwJGUjEYMBYGA1UEAxMPNldJTkQgQXV0aG9y
    aXR5ggkAyfW96S/+GRYwCgYDVR0UBAMCAQQwDQYJKoZIhvcNAQEEBQADgYEASWrF
    iBqBpQSDAbv8DHuW/rgQC3TRs9BgI1Wk6e32nUFAUaYsgTXmdTV2R9R1gyHiUoTF
    M2PXMG2mW+iWFdESkTv2kyNwDCoA/Cu3bgEScZjkDGcwJRooPh9VJmcr/CIr62lt
    TNlKk5w7fP2zsbgbOOBpg+/nobocURSCOS7oMUo=
    -----END X509 CRL-----
    
    router{conf:running-certificates}
    
    CANAME

    CA’s name of the CRL to install.

Note

Installing a CRL does not tear down established IKE sessions, even if they used a now revoked certificate for authentication. Likewise, rekeying a child or IKE SA will succeed regardless of the revoked certificates, since it does not include a new authentication exchange.

See also

RFC 4306 Internet Key Exchange (IKEv2) Protocol, section 2.8. Rekeying.

Displaying a configured CRL

  • Display a configured CRL in PEM format:

    router{conf:running-certificates}display ca-crl CANAME pem
    
    CANAME

CA’s name of the CRL to display.

  • Display a configured CRL in text format:

    router{conf:running-certificates}display ca-crl CANAME text
    
    CANAME

CA’s name of the CRL to display.

Example

router{conf:running-certificates}display ca-crl myCA1 pem
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
router{conf:running-certificates}display ca-crl myCA1 text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: /O=6WIND S.A/L=SQY/C=FR/CN=6WIND Authority
        Last Update: Nov 24 16:00:27 2015 GMT
        Next Update: Dec 24 16:00:27 2015 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:8E:F9:B5:14:27:88:6E:D9:DB:8F:54:FB:6B:39:C4:8A:B6:C5:80:9C
                DirName:/O=6WIND S.A/L=SQY/C=FR/CN=6WIND Authority
                serial:C9:F5:BD:E9:2F:FE:19:16

            X509v3 CRL Number:
                4
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Nov 23 14:23:30 2015 GMT
    Serial Number: 03
        Revocation Date: Nov 23 14:30:42 2015 GMT
    Signature Algorithm: md5WithRSAEncryption
         49:6a:c5:88:1a:81:a5:04:83:01:bb:fc:0c:7b:96:fe:b8:10:
         0b:74:d1:b3:d0:60:23:55:a4:e9:ed:f6:9d:41:40:51:a6:2c:
         81:35:e6:75:35:76:47:d4:75:83:21:e2:52:84:c5:33:63:d7:
         30:6d:a6:5b:e8:96:15:d1:12:91:3b:f6:93:23:70:0c:2a:00:
         fc:2b:b7:6e:01:12:71:98:e4:0c:67:30:25:1a:28:3e:1f:55:
         26:67:2b:fc:22:2b:eb:69:6d:4c:d9:4a:93:9c:3b:7c:fd:b3:
         b1:b8:1b:38:e0:69:83:ef:e7:a1:ba:1c:51:14:82:39:2e:e8:
         31:4a

Deleting a configured CRL

  • Delete a CRL:

    router{conf:running-certificates}delete ca-crl all|CANAME
    
    CANAME

    CA’s name of the CRL to delete.

    all

    Specify to delete all CRLs.

Specifying a CRL distribution point

Instead of (or in addition to) installing a CRL, it is possible to provide the URI of a CRL distribution point. The IKE daemon will download the CRL from the specified URI during IKE negotiations.

  • Specify the CA’s CRL URI:

    router{conf:running-certificates}ca-crl-uri CANAME URI
    
    CANAME

Name of the CA certificate the CRL distribution point belongs to.

    URI

    CRL distribution point URI (beginning with http:// or ldap://). The remote CRL must be encoded in DER format.
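The import commands above take the CA certificate, the router certificate and its private key as three separate pastes, and a CRL fetched from a distribution point must be DER. The script below is an added example, not part of Turbo IPsec; it assumes an openssl command-line tool (1.1.1 or later) on the operator’s workstation and runs the checks worth doing before the import: the CA certificate is a CA, unexpired and not MD5/SHA-1 signed (the example certificate in this document is md5WithRSAEncryption), the router certificate chains to that CA and is not revoked when a CRL file is given, the private key matches the certificate, and a downloaded CRL really is DER. It builds a throwaway CA and router certificate (constructed, 2048-bit RSA, SHA-256) to exercise the checks.

```shell
# Pre-import checks for Turbo IPsec certificate material (added example,
# not product code; assumes an openssl CLI, 1.1.1 or later).
set -eu

# ca-certificate: must be a CA (CA:TRUE), unexpired, and not MD5/SHA-1 signed.
check_ca() {               # check_ca ca.pem
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' &&
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null &&
  ! echo "$txt" | grep -Eq 'Signature Algorithm: (md5|sha1)'
}

# my-certificate: must chain to the CA; with a CRL file, must also not be revoked.
check_chain() {            # check_chain ca.pem cert.pem [crl.pem]
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -CRLfile "$3" -crl_check "$2" >/dev/null
  else
    openssl verify -CAfile "$1" "$2" >/dev/null
  fi
}

# my-private-key: the router takes key and certificate as separate pastes, so
# confirm the key belongs to the certificate by comparing their public keys.
check_keypair() {          # check_keypair cert.pem key.pem
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)" ]
}

# ca-crl-uri: a CRL served from a distribution point must be DER-encoded.
check_der_crl() { openssl crl -inform DER -in "$1" -noout; }   # check_der_crl crl.der

# Self-test on a throwaway CA and router certificate (constructed, not real material).
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=Demo CA' \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=router1' \
    -keyout "$d/router.key" -out "$d/router.csr" 2>/dev/null
  openssl x509 -req -in "$d/router.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$d/router.pem" 2>/dev/null
  check_ca "$d/ca.pem" &&
  check_chain "$d/ca.pem" "$d/router.pem" &&
  check_keypair "$d/router.pem" "$d/router.key" &&
  ! check_keypair "$d/router.pem" "$d/ca.key" &&        # wrong key must be rejected
  ! check_der_crl "$d/ca.pem" 2>/dev/null               # a PEM file is not a DER CRL
  rc=$?
  rm -rf "$d"
  return $rc
}
demo
```

Run `check_ca`, `check_chain` and `check_keypair` on the real files before pasting them into the certificates context; a non-zero exit from any of them is a reason not to import.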

Note

Downloading a CRL does not tear down established IKE sessions, even if they used a now revoked certificate for authentication. Likewise, rekeying a child or IKE SA will succeed regardless of the revoked certificates, since it does not include a new authentication exchange.

See also

RFC 4306 Internet Key Exchange (IKEv2) Protocol, section 2.8. Rekeying.

Deleting a CRL distribution point

  • Delete a CRL distribution point:

    router{conf:running-certificates}delete ca-crl-uri all|CANAME
    
    CANAME

    Name of the CA certificate whose CRL distribution point is to be deleted.

    all

    Specify to delete all CRL distribution points.