TheGreenBow IPSec VPN http://www.thegreenbow.com support@thegreenbow.com TheGreenBow Sistech SA - Sistech 2001-2010 1/27
1 ... 3
1.1 ... 3
1.2 ... 3
2 ... 4
2.1 ... 4
2.2 PKCS#12 ... 6
2.3 PEM ... 8
2.4 ... Error! Bookmark not defined.
2.5 ... 12
3 ... 13
3.1 ... 13
3.2 ... 15
3.2.1 ... 15
3.2.2 ... 18
3.3 ... 19
4 OpenSSL ... 21
4.1 ... 21
4.1.1 ... 21
4.1.2 ... 22
4.2 TgbSmallPKI ... 24
4.2.1 ... 24
5 ... 26
6 ... 27
1
1.1
TheGreenBow IPSec VPN PKCS#12 X509 VPN Windows 2000/2003 Microsoft OpenSSL VPN
1.2
TheGreenBow VPN - PKCS#12 - PEM PIN TheGreenBow VPN - - -
2
2.1
X509 1 1
VPN TheGreenBow VPN - PKCS#12 - PEM - CRT
2.2 PKCS#12
PKCS#12 PKCS#12
OK TheGreenBow VPN
2.3 PEM
PEM CA
2.4
PIN
PIN
2.5
IT PKCS#11
/addmiddleware:[path_to_middleware.dll] PKCS#11 DLL
/checkkeyusage:[yes no] TheGreenBow VPN X509 yes VPN (DIGITAL_SIGNATURE)
3
3.1
Windows NT/2000/2003 Microsoft Internet Information IIS Microsoft Internet Explorer (IE) Web http://servername/certsrv ServerName CA
Windows 2000 URL
http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp
Windows 2003 Server CA Internet Information Server (IIS 6.0) Microsoft Certificate Server (MCS) Microsoft Internet Information Server / / Windows Windows Internet Information Services (IIS) Internet Information Services (IIS) World Wide Web Service OK OK Windows Windows CA / / Windows CA
CA Web OK Windows CA /
/ CA YES IIS YES Web IIS Windows
3.2
3.2.1
TheGreenBow VPN IPSec VPN IPSec VPN (http://servername/certsrv ServerName CA )
CA Mark keys as exportable TheGreenBow VPN IPSec
Internet Explorer
Internet Explorer 3.3
3.2.2
(http://servername/certsrv ServerName CA ) base-64 CMC PKCS #10 base-64 PKCS #7 Read!
certnew.cer
3.3
Internet Explorer PKCS12 Internet Explorer Internet Explorer Internet YES TheGreenBow VPN IPSec
TheGreenBow VPN IPSec CA
4 OpenSSL
OpenSSL http://www.openssl.org
TgbSmallPKI.zip C:\TgbSmallPKI
RootCA.bat:
UserCA.bat:
Pkcs12.bat: P12 PEM
CAinfo.bat: PEM
CAsign.bat:
\Bin
 o openssl.cnf: OpenSSL
 o openssl.exe, libeay32.dll ssleay32.dll Windows
ReadME.txt:
4.1 OpenSSL for Windows
4.1.1
RootCA
! Creating Root CA folders
Root CA folder set to .\rootca
Root CA key length is 1024 bits
Root CA validity is 3650 days
The system cannot find the file specified.
! Creating CA private key (1024 bits, 3650 days)
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...++++++
.++++++
e is 65537 (0x10001)
! CA autosigning (1024 bits, 3650 days)
Using configuration from .\bin\openssl.cnf
You are about to be asked to enter information that will be incorporated
into your Certificate Request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:FR
State or Province Name (full name) [France]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [TheGreenBow]:TheGreenBow
Organizational Unit Name (eg, section) []:Authority Certificate
Common Name (eg, YOUR name) []:TheGreenBow CA
Email Address []:TgbCA@thegreenbow.fr

Please enter the following 'extra' attributes
to be sent with your Certificate Request
A challenge password []:capassword
An optional company name []:TheGreenBow
Loading 'screen' into random state - done
Signature ok
subject=/c=fr/st=france/l=paris/o=thegreenbow/ou=authority Certificate/CN=TheGreenBow CA/Email=TgbCA@thegreenbow.fr
Getting Private key
"---------------------------"
"---------------------------"
Root Certificate at .\rootca\rootca.pem
Root Private Key at .\rootca\cakey.key

RootCA.pem CAKey.key RootCA
4.1.2
IKE X.509 VPN IPSec / UserCA PKCS12 VPN IPSec TheGreenBow VPN IPSec
UserCA TgbClient
! Creating User CA folder
Creating User Certificate folder at .\tgbclient
User CA key length is 1024 bits
User CA validity is 3650 days
! Creating User CA private key (1024 bits)
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
! Signing User CA
Using configuration from .\bin\openssl.cnf
You are about to be asked to enter information that will be incorporated
into your Certificate Request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:FR
State or Province Name (full name) [France]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [TheGreenBow]:TheGreenBow
Organizational Unit Name (eg, section) []:VPN
Common Name (eg, YOUR name) []:TheGreenBow VPN Client
Email Address []:TgbClient@thegreenbow.fr

Please enter the following 'extra' attributes
to be sent with your Certificate Request
A challenge password []:tgbcapwd
An optional company name []:TheGreenBow
Loading 'screen' into random state - done
Signature ok
subject=/c=fr/st=france/l=paris/o=thegreenbow/ou=vpn/cn=thegreenbow VPN Client/Email=TgbClient@thegreenbow.fr
Getting CA Private Key
! User CA in P12 Format
Loading 'screen' into random state - done
Enter Export Password:
Verifying password - Enter Export Password:
TgbClient.p12 created in .\tgbclient.p12
"---------------------------"
"---------------------------"
User Certificate at .\tgbclient\tgbclient.pem
User Private Key at .\tgbclient\local.key
User Certificate Subject is:
subject= /C=FR/ST=France/L=Paris/O=TheGreenBow/OU=VPN/CN=TheGreenBow VPN Client/Email=TgbClient@thegreenbow.fr
TgbClient
TgbClient.pem:
Local.key:
Subject.txt:
TgbClient.p12: PKCS12
4.2 TgbSmallPKI
PKCS12
Pkcs12.bat: P12 PEM
CAinfo.bat: PEM
4.2.1 CAinfo
TgbClient.pem 4.1.2 TheGreenBow
CAinfo TgbClient\TgbClient.pem
! Certificate TgbClient\TgbClient.pem information
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5withrsaencryption
        Issuer: C=FR, ST=France, L=Paris, O=TheGreenBow, OU=Authority Certificate, CN=TheGreenBow CA/Email=TgbCA@thegreenbow.fr
        Validity
            Not Before: Apr 19 12:44:03 2005 GMT
            Not After : Apr 17 12:44:03 2015 GMT
        Subject: C=FR, ST=France, L=Paris, O=TheGreenBow, OU=VPN, CN=TheGreenBow VPN Client/Email=Tgbclient@thegreenbow.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaencryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ac:00:2c:1b:82:6d:32:2e:17:09:9f:13:8d:b9:
                    9f:9b:db:d7:3f:f7:45:9b:f2:73:6d:8b:3d:9b:b1:
                    14:99:25:22:fb:a8:56:30:9d:68:43:e9:14:84:6f:
                    4c:24:fa:e2:36:84:56:2d:b2:5c:11:fd:be:b9:9e:
                    ed:49:c8:c1:08:29:d0:17:ca:b8:12:41:41:55:4d:
                    48:01:57:bc:22:9a:c9:48:ca:e2:c2:59:2c:78:8d:
                    6d:cc:89:09:3a:97:f5:f4:b7:96:ea:da:82:0e:8c:
                    87:49:a7:45:a4:74:45:31:8e:ac:be:9a:a2:8c:a1:
                    16:be:f7:46:4a:94:78:31:73
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5withrsaencryption
        b2:ba:7c:92:9c:eb:59:c2:7e:d9:95:af:71:8b:06:2f:b8:44:
        b3:b5:2a:b7:98:0b:1e:08:97:85:c7:bc:21:1c:cf:df:15:97:
        d9:4f:e5:ec:31:14:6f:9e:b1:8a:47:37:ad:6b:4b:c8:15:bf:
        cd:8a:1b:ed:a5:f7:3e:ac:72:73:b9:bc:f6:22:b3:05:f5:26:
        40:dd:f8:4c:83:3f:25:da:68:32:8b:bd:1b:68:24:e8:df:31:
        83:5b:74:91:10:1f:6a:d0:b9:3c:f3:04:50:4c:6e:ce:c9:de:
        3a:38:fe:2d:ad:6c:6b:e6:74:38:51:0c:5b:c5:bb:6b:05:25:
        44:d9
5
pdf www.thegreenbow.com/vpn_doc.html
6
http://www.thegreenbow.com support@thegreenbow.com +33 1 43 12 39 37 sales@thegreenbow.com