author    Rene Mayrhofer <rene@mayrhofer.eu.org>  2010-04-09 09:22:56 +0000
committer Rene Mayrhofer <rene@mayrhofer.eu.org>  2010-04-09 09:22:56 +0000
commit    360dba98ba678692e46482beae42a1c7bf1d4b33 (patch)
tree      fa1db227a0a803c1183e9c4a119b385e1ca7f737
parent    02c055c1366d390f55b20801a40d9d94e72efd19 (diff)
Sync postinst, rules, and debconf handling with openswan.
-rw-r--r--  debian/changelog                     |   4
-rw-r--r--  debian/control                       |  18
-rwxr-xr-x  debian/rules                         |   2
-rw-r--r--  debian/strongswan-starter.config     |  61
-rw-r--r--  debian/strongswan-starter.postinst   | 210
-rw-r--r--  debian/strongswan-starter.templates  | 220
6 files changed, 287 insertions, 228 deletions
diff --git a/debian/changelog b/debian/changelog
index 19f68a49a..35a33b255 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ strongswan (4.3.6-1) unstable; urgency=low
* New upstream release, now build-depends on gperf.
* Switch to dpkg-source 3.0 (quilt) format
+ * Synchronize debconf handling with current openswan 2.6.25 package to keep
+ X509 certificate handling etc. similar. Thanks to Harald Jenny for
+ implementing these changes in openswan, which I just converted to
+ strongswan.
-- Rene Mayrhofer <rmayr@debian.org> Tue, 23 Feb 2010 10:39:21 +0000
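Review bot: the changelog entry only records the debconf synchronization, but this commit also introduces a strongswan-dbg package (debian/control) and switches dh_strip to `--dbg-package=strongswan-dbg` (debian/rules); add a bullet for the new debugging-symbols package so that user-visible change is documented.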
diff --git a/debian/control b/debian/control
index 53a616ffe..ec25da5ce 100644
--- a/debian/control
+++ b/debian/control
@@ -2,8 +2,10 @@ Source: strongswan
Section: net
Priority: optional
Maintainer: Rene Mayrhofer <rmayr@debian.org>
-Standards-Version: 3.8.1
-Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7), gperf
+Standards-Version: 3.8.4
+Vcs-Browser: http://wiki.strongswan.org/repositories/show/strongswan
+Vcs-Git: http://wiki.strongswan.org/repositories/show/strongswan
+Build-Depends: debhelper (>= 7.1), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7), gperf
Homepage: http://www.strongswan.org
Package: strongswan
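Review bot: `Vcs-Git: http://wiki.strongswan.org/repositories/show/strongswan` points at the same web front-end as Vcs-Browser; Vcs-Git is meant to hold a clonable repository URL, so tools such as debcheckout will fail with this value. Visible in the same Build-Depends line, network-manager-dev is listed twice (once unversioned, once `(>= 0.7)`); the unversioned entry is redundant and can be dropped.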
@@ -35,6 +37,18 @@ Description: strongSwan utility and crypto library
components. It is built in a modular way and is extendable through various
plugins.
+Package: strongswan-dbg
+Architecture: any
+Section: debug
+Priority: extra
+Depends: ${misc:Depends}, strongswan
+Description: strongSwan library and binaries - debugging symbols
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ This package provides the symbols needed for debugging of strongswan.
+
Package: strongswan-starter
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2
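Review bot: `Depends: ${misc:Depends}, strongswan` in the new strongswan-dbg stanza is too loose for a debugging-symbols package: the symbols only match the exact binaries they were stripped from, so use a strict versioned dependency such as `strongswan (= ${binary:Version})` to stop the -dbg package from being installed alongside a different strongswan build. The description also mixes "StrongSwan" and "strongswan" within three lines; the surrounding stanzas use "strongSwan".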
diff --git a/debian/rules b/debian/rules
index e2c40f268..a6fe632b5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -142,7 +142,7 @@ binary-common:
dh_installchangelogs NEWS
dh_installdocs README
dh_link
- dh_strip
+ dh_strip --dbg-package=strongswan-dbg
dh_compress
dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d
dh_makeshlibs
diff --git a/debian/strongswan-starter.config b/debian/strongswan-starter.config
index eb5f2c2dd..cb9de0964 100644
--- a/debian/strongswan-starter.config
+++ b/debian/strongswan-starter.config
@@ -2,8 +2,6 @@
. /usr/share/debconf/confmodule
-db_input medium strongswan/start_level || true
-
# disable for now, until we can deal with the don't-edit-conffiles situation
#db_input high strongswan/ikev1 || true
#db_input high strongswan/ikev2 || true
@@ -12,36 +10,37 @@ db_input medium strongswan/restart || true
db_input high strongswan/enable-oe || true
-db_input high strongswan/create_rsa_key || true
-db_go || true
-
-db_get strongswan/create_rsa_key
+db_get strongswan/install_x509_certificate
if [ "$RET" = "true" ]; then
- # create a new certificate
- db_input medium strongswan/rsa_key_length || true
- db_input high strongswan/x509_self_signed || true
- # we can't allow the country code to be empty - openssl will
- # refuse to create a certificate this way
- countrycode=""
- while [ -z "$countrycode" ]; do
- db_input medium strongswan/x509_country_code || true
- db_go || true
- db_get strongswan/x509_country_code
- countrycode="$RET"
- done
- db_input medium strongswan/x509_state_name || true
- db_input medium strongswan/x509_locality_name || true
- db_input medium strongswan/x509_organization_name || true
- db_input medium strongswan/x509_organizational_unit || true
- db_input medium strongswan/x509_common_name || true
- db_input medium strongswan/x509_email_address || true
+ db_input high strongswan/how_to_get_x509_certificate || true
db_go || true
-else
- db_get strongswan/existing_x509_certificate
- if [ "$RET" = "true" ]; then
- # existing certificate - use it
- db_input critical strongswan/existing_x509_certificate_filename || true
- db_input critical strongswan/existing_x509_key_filename || true
- db_go || true
+
+ db_get strongswan/how_to_get_x509_certificate
+ if [ "$RET" = "create" ]; then
+ # create a new certificate
+ db_input medium strongswan/rsa_key_length || true
+ db_input high strongswan/x509_self_signed || true
+ # we can't allow the country code to be empty - openssl will
+ # refuse to create a certificate this way
+ countrycode=""
+ while [ -z "$countrycode" ]; do
+ db_input medium strongswan/x509_country_code || true
+ db_go || true
+ db_get strongswan/x509_country_code
+ countrycode="$RET"
+ done
+ db_input medium strongswan/x509_state_name || true
+ db_input medium strongswan/x509_locality_name || true
+ db_input medium strongswan/x509_organization_name || true
+ db_input medium strongswan/x509_organizational_unit || true
+ db_input medium strongswan/x509_common_name || true
+ db_input medium strongswan/x509_email_address || true
+ db_go || true
+ elif [ "$RET" = "import" ]; then
+ # existing certificate - use it
+ db_input critical strongswan/existing_x509_certificate_filename || true
+ db_input critical strongswan/existing_x509_key_filename || true
+ db_input critical strongswan/existing_x509_rootca_filename || true
+ db_go || true
fi
fi
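Review bot: `db_get strongswan/install_x509_certificate` is read without any preceding `db_input`/`db_go` for that template in this hunk, whereas the removed code asked `db_input high strongswan/create_rsa_key` and ran `db_go` before reading the answer. Unless install_x509_certificate is asked earlier in the file, the question (Default: false in the templates) is never presented and the whole certificate section is silently skipped on a fresh install. Add `db_input high strongswan/install_x509_certificate || true` followed by `db_go || true` before the db_get.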
diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
index c63273dc2..98de3493c 100644
--- a/debian/strongswan-starter.postinst
+++ b/debian/strongswan-starter.postinst
@@ -32,39 +32,20 @@ set -e
CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc
-insert_private_key_filename() {
- if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then
- echo ": RSA $1" >> $SECRETS_FILE
- fi
+Warn ()
+{
+ echo "$*" >&2
}
-IPSEC_SECRETS_PATTERN_1=': RSA {'
-IPSEC_SECRETS_PATTERN_2=' # yyy'
-IPSEC_SECRETS_PATTERN_3=' }'
-IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"'
+Error ()
+{
+ Warn "Error: $*"
+}
-# remove old, misguided attempts at a default ipsec.secrets files
-repair_legacy_secrets() {
- if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE |
- tail --lines=2 |
- grep -A 1 "$IPSEC_SECRETS_PATTERN_2" |
- tail --lines=1 |
- grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then
- echo "Old default config file detected, removing the old defaults now."
- umask 077 ; (
- # this is ugly, and someone maybe can formulate this in sed, but
- # this was the quickest way for me
- line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1`
- until=`expr $line - 1`
- head -n $until $SECRETS_FILE
- sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1`
- from=`expr $sum - $line -1`
- tail -n $from $SECRETS_FILE
- ) > $SECRETS_FILE.tmp
- mv $SECRETS_FILE.tmp $SECRETS_FILE
- grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp
- mv $SECRETS_FILE.tmp $SECRETS_FILE
- fi
+insert_private_key_filename() {
+ if ! ( [ -e $SECRETS_INC_FILE ] && egrep -q ": RSA $1" $SECRETS_INC_FILE ); then
+ echo ": RSA $1" >> $SECRETS_INC_FILE
+ fi
}
make_x509_cert() {
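Review bot: insert_private_key_filename now tests and appends to `$SECRETS_INC_FILE`, but the only variable defined above is `SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc`. Unless SECRETS_INC_FILE is assigned elsewhere in the script, `egrep -q ": RSA $1" $SECRETS_INC_FILE` runs against an empty filename and the `>>` redirection fails, which under `set -e` aborts postinst right after the key has been written. Either rename the variable consistently or keep `$SECRETS_FILE` here.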
@@ -142,87 +123,110 @@ disable_daemon_start() {
case "$1" in
configure)
- db_get strongswan/create_rsa_key
+ db_get strongswan/install_x509_certificate
if [ "$RET" = "true" ]; then
- repair_legacy_secrets
- # OK, ipsec.secrets should now be correct
- # create a new keypair
- host=`hostname`
- newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
- newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
- if [ -e $newcertfile -o -e $newkeyfile ]; then
- echo "Error: $newcertfile or $newkeyfile already exists."
- echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
- else
- # create a new certificate
- db_get strongswan/rsa_key_length
- keylength=$RET
- db_get strongswan/x509_self_signed
- selfsigned=$RET
- db_get strongswan/x509_country_code
- countrycode=$RET
- if [ -z "$countrycode" ]; then countrycode="."; fi
- db_get strongswan/x509_state_name
- statename=$RET
- if [ -z "$statename" ]; then statename="."; fi
- db_get strongswan/x509_locality_name
- localityname=$RET
- if [ -z "$localityname" ]; then localityname="."; fi
- db_get strongswan/x509_organization_name
- orgname=$RET
- if [ -z "$orgname" ]; then orgname="."; fi
- db_get strongswan/x509_organizational_unit
- orgunit=$RET
- if [ -z "$orgunit" ]; then orgunit="."; fi
- db_get strongswan/x509_common_name
- commonname=$RET
- if [ -z "$commonname" ]; then commonname="."; fi
- db_get strongswan/x509_email_address
- email=$RET
- if [ -z "$email" ]; then email="."; fi
- make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
- chmod 0600 "$newkeyfile"
- umask 077
- insert_private_key_filename "$newkeyfile"
- echo "Successfully created x509 certificate."
- fi
- else
- db_get strongswan/existing_x509_certificate
- if [ "$RET" = "true" ]; then
+ db_get strongswan/how_to_get_x509_certificate
+ if [ "$RET" = "create" ]; then
+ # extract the key from a (newly created) x509 certificate
+ host=`hostname`
+ newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
+ newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
if [ -e $newcertfile -o -e $newkeyfile ]; then
- echo "Error: $newcertfile or $newkeyfile already exists."
- echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+ Error "$newcertfile or $newkeyfile already exists."
+ Error "Please remove them first an then re-run dpkg-reconfigure to create a new keypair."
else
- # existing certificate - use it
- db_get strongswan/existing_x509_certificate_filename
- certfile=$RET
- db_get strongswan/existing_x509_key_filename
- keyfile=$RET
- if [ ! -r $certfile ] || [ ! -r $keyfile ]; then
- echo "Either the certificate or the key file could not be read !"
- else
- cp "$certfile" /etc/ipsec.d/certs
- umask 077
- cp "$keyfile" "/etc/ipsec.d/private"
- newkeyfile="/etc/ipsec.d/private/`basename $keyfile`"
- chmod 0600 "$newkeyfile"
- insert_private_key_filename "$newkeyfile"
- echo "Successfully extracted RSA key from existing x509 certificate."
- fi
+ # create a new certificate
+ db_get strongswan/rsa_key_length
+ keylength=$RET
+ db_get strongswan/x509_self_signed
+ selfsigned=$RET
+ db_get strongswan/x509_country_code
+ countrycode=$RET
+ if [ -z "$countrycode" ]; then countrycode="."; fi
+ db_get strongswan/x509_state_name
+ statename=$RET
+ if [ -z "$statename" ]; then statename="."; fi
+ db_get strongswan/x509_locality_name
+ localityname=$RET
+ if [ -z "$localityname" ]; then localityname="."; fi
+ db_get strongswan/x509_organization_name
+ orgname=$RET
+ if [ -z "$orgname" ]; then orgname="."; fi
+ db_get strongswan/x509_organizational_unit
+ orgunit=$RET
+ if [ -z "$orgunit" ]; then orgunit="."; fi
+ db_get strongswan/x509_common_name
+ commonname=$RET
+ if [ -z "$commonname" ]; then commonname="."; fi
+ db_get strongswan/x509_email_address
+ email=$RET
+ if [ -z "$email" ]; then email="."; fi
+ make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
+ chmod 0600 "$newkeyfile"
+ umask 077
+ insert_private_key_filename "$newkeyfile"
+ echo "Successfully created x509 certificate."
+ fi
+ elif [ "$RET" = "import" ]; then
+ # existing certificate - use it
+ db_get strongswan/existing_x509_certificate_filename
+ certfile=$RET
+ db_get strongswan/existing_x509_key_filename
+ keyfile=$RET
+ db_get strongswan/existing_x509_rootca_filename
+ cafile=$RET
+
+ if [ ! "$certfile" ] || [ ! "$keyfile" ]; then
+ Error "Either the certificate or the key filename is not specified."
+ elif ! ( ( [ -f "$certfile" ] || [ -L "$certfile" ] ) && ( [ -f "$keyfile" ] || [ -L "$keyfile" ] ) && ( [ "$cafile" = "" ] || ( [ -f "$cafile" ] || [ -L "$cafile" ] ) ) ); then
+ Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a regular file or symbolic link."
+ elif [ ! "`grep 'BEGIN CERTIFICATE' $certfile`" ] || [ ! "`grep 'BEGIN RSA PRIVATE KEY' $keyfile`" ] || ( [ "$cafile" != "" ] && [ ! "`grep 'BEGIN CERTIFICATE' $cafile`" ] ); then
+ Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a valid PEM type file."
+ elif [ "$cafile" ] && ( [ "$certfile" = "$cafile" ] || [ "$keyfile" = "$cafile" ]); then
+ Error "The certificate or the key file contains the rootca - unable to import automatically."
+ elif [ "`grep 'BEGIN CERTIFICATE' $certfile | wc -l`" -gt 1 ]; then
+ Error "The certificate file contains more than one certificate - unable to import automatically."
+ elif [ "`grep 'ENCRYPTED' $keyfile`" ]; then
+ Error "The key file contains an encrypted key - unable to import automatically."
+ else
+ newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")"
+ newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")"
+ if [ "$cafile" ]; then
+ newcafile="/etc/ipsec.d/private/$(basename "$cafile")"
+ else
+ newcafile=""
+ fi
+
+ if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ] || ( [ "$newcafile" != "" ] && [ -e "$newcafile" ] ); then
+ Error "$newcertfile or $newkeyfile"${newcafile:+ or $newcafile}" already exists."
+ Error "Please remove them first and then re-run dpkg-reconfigure to extract an existing keypair"${newcafile:+ and a rootca}"."
+ else
+ openssl x509 -in $certfile -out $newcertfile 2>/dev/null
+ umask 077
+ openssl rsa -passin pass:"" -in $keyfile -out $newkeyfile 2>/dev/null
+ chmod 0600 "$newkeyfile"
+ insert_private_key_filename "$newkeyfile"
+ cp "$cafile" /etc/ipsec.d/cacerts
+ echo "Successfully integrated existing x509 certificate."
+ fi
fi
fi
+ db_set strongswan/install_x509_certificate false
fi
- # figure out the correct start time
- db_get strongswan/start_level
- if [ "$RET" = "earliest" ]; then
- LEVELS="start 41 S . stop 34 0 6 ."
- elif [ "$RET" = "after NFS" ]; then
- LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ."
- else
- LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ."
+ # lets see if we are already using dependency based booting or the correct runlevel parameters
+ if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then
+ db_fset strongswan/runlevel_changes seen false
+ db_input high strongswan/runlevel_changes || true
+ db_go
+
+ # if the admin did not change the runlevels which got installed by older packages we can modify them
+ if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then
+ update-rc.d -f ipsec remove
+ fi
+
+ update-rc.d ipsec defaults 16 84 > /dev/null
fi
- update-rc.d ipsec $LEVELS > /dev/null
db_get strongswan/enable-oe
if [ "$RET" != "true" ]; then
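Review bot: the root CA handling in the import branch is inconsistent: `newcafile="/etc/ipsec.d/private/$(basename "$cafile")"` is the path checked for collisions, yet the file is installed with `cp "$cafile" /etc/ipsec.d/cacerts`, so the existence check looks in the wrong directory, and that cp runs unconditionally, so when no root CA was given `cp ""` fails and `set -e` aborts postinst after the certificate and key have already been installed. Guard the cp with `[ "$cafile" ]`, check against /etc/ipsec.d/cacerts/$(basename "$cafile"), and move the `umask 077` below the cp so the CA certificate is not created mode 0600. Smaller points in the same hunk: `$runlevels` is compared against fixed strings but never assigned here; the `db_go` after the runlevel_changes prompt lacks the `|| true` used for every other debconf call; and "first an then" should read "first and then".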
diff --git a/debian/strongswan-starter.templates b/debian/strongswan-starter.templates
index 8d239c271..a330005a9 100644
--- a/debian/strongswan-starter.templates
+++ b/debian/strongswan-starter.templates
@@ -7,33 +7,27 @@
# Even minor modifications require translation updates and such
# changes should be coordinated with translators and reviewers.
-Template: strongswan/start_level
-Type: select
-__Choices: earliest, after NFS, after PCMCIA
-Default: earliest
-_Description: When to start strongSwan:
- StrongSwan starts during system startup so that it can protect filesystems
- that are automatically mounted.
- .
- * earliest: if /usr is not mounted through NFS and you don't use a
- PCMCIA network card, it is best to start strongSwan as soon as
- possible, so that NFS mounts can be secured by IPSec;
- * after NFS: recommended when /usr is mounted through NFS and no
- PCMCIA network card is used;
- * after PCMCIA: recommended if the IPSec connection uses a PCMCIA
- network card or if it needs keys to be fetched from a locally running DNS
- server with DNSSec support.
+Template: strongswan/runlevel_changes
+Type: note
+_Description: Old runlevel management superseded
+ Previous versions of the strongSwan package allowed the user to choose between
+ three different Start/Stop-Levels. Due to changes in the standard system
+ startup procedure, this is no longer necessary and useful. For all new
+ installations as well as old ones running in any of the predefined modes,
+ sane default levels set will now be set. If you are upgrading from a previous
+ version and changed your strongSwan startup parameters, then please take a
+ look at NEWS.Debian for instructions on how to modify your setup accordingly.
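Review bot: the new runlevel_changes note contains a garbled sentence, "sane default levels set will now be set", which should read "sane default levels will now be set", and "no longer necessary and useful" should be "no longer necessary or useful". The header of this file warns that even minor wording changes trigger translation updates, so the English should be fixed before translators pick the string up.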
Template: strongswan/restart
Type: boolean
Default: true
-_Description: Restart strongSwan now?
- Restarting strongSwan is recommended, because if there is a security fix, it
- will not be applied until the daemon restarts. However, this might close
- existing connections and then bring them back up.
- .
- If you don't restart strongSwan now, you should do so manually at the first
- opportunity.
+_Description: Do you wish to restart strongSwan?
+ Restarting strongSwan is a good idea, since if there is a security fix, it
+ will not be fixed until the daemon restarts. Most people expect the daemon
+ to restart, so this is generally a good idea. However, this might take down
+ existing connections and then bring them back up (including the connection
+ currently used for this update, so it is recommended not to restart if you
+ are using any of the tunnel for administration).
Template: strongswan/ikev1
Type: boolean
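Review bot: the rewritten restart description is a regression in wording over the text it replaces: "if there is a security fix, it will not be fixed" and "Most people expect the daemon to restart, so this is generally a good idea" are repetitive, and "any of the tunnel for administration" should be "any of the tunnels". The old paragraph had already been reviewed and translated; rewriting it invalidates every existing translation, so either keep the old wording and only add the new warning about the connection used for this update, or send the new text through review again.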
@@ -49,118 +43,162 @@ _Description: Start strongSwan's IKEv2 daemon?
The charon daemon must be running to support version 2 of the Internet Key
Exchange protocol.
-Template: strongswan/create_rsa_key
+Template: strongswan/install_x509_certificate
Type: boolean
-Default: true
-_Description: Create an RSA public/private keypair for this host?
- StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate
- IPSec connections to other hosts. RSA authentication is generally considered
- more secure and is easier to administer. You can use PSK and RSA authentication
- simultaneously.
+Default: false
+_Description: Do you want to use a X509 certificate for this host?
+ This installer can automatically create or import a X509 certificate for
+ this host. It can be used to authenticate IPsec connections to other hosts
+ and is the preferred way for building up secure IPsec connections. The other
+ possibility would be to use shared secrets (passwords that are the same on
+ both sides of the tunnel) for authenticating an connection, but for a larger
+ number of connections, key based authentication is easier to administer and
+ more secure.
.
- If you do not want to create a new public/private keypair, you can choose to
- use an existing one in the next step.
+ If you do not want to this now you can answer "No" and later use the command
+ "dpkg-reconfigure openswan" to come back.
-Template: strongswan/existing_x509_certificate
-Type: boolean
-Default: false
-_Description: Use an existing X.509 certificate for strongSwan?
- The required information can automatically be extracted from an
- existing X.509 certificate with a matching RSA private key. Both parts can
- be in one file, if it is in PEM format.
- You should choose this option if you have such an existing
- certificate and key file and want to use it for authenticating IPSec
- connections.
+Template: strongswan/how_to_get_x509_certificate
+Type: select
+__Choices: create, import
+Default: create
+_Description: Methods for using a X509 certificate to authenticate this host:
+ It is possible to create a new X509 certificate with user-defined settings
+ or to import an existing public and private key stored in PEM file(s) for
+ authenticating IPsec connections.
+ .
+ If you choose to create a new X509 certificate you will first be presented
+ a number of questions which must be answered before the creation can start.
+ Please keep in mind that if you want the public key to get signed by
+ an existing certification authority you should not select to create a
+ self-signed certificate and all the answers given must match exactly the
+ requirements of the CA, otherwise the certificate request may be rejected.
+ .
+ In case you want to import an existing public and private key you will be
+ prompted for their filenames (may be identical if both parts are stored
+ together in one file). Optionally you may also specify a filename where the
+ public key(s) of the certification authority are kept, but this file cannot
+ be the same as the former ones. Please be also aware that the format for the
+ X509 certificates has to be PEM and that the private key must not be encrypted
+ or the import procedure will fail.
Template: strongswan/existing_x509_certificate_filename
Type: string
-_Description: File name of your X.509 certificate in PEM format:
- Please enter the full location of the file containing your X.509
- certificate in PEM format.
+_Description: Please enter the location of your X509 certificate in PEM format:
+ Please enter the location of the file containing your X509 certificate in
+ PEM format.
Template: strongswan/existing_x509_key_filename
Type: string
-_Description: File name of your existing X.509 private key in PEM format:
- Please enter the full location of the file containing the private RSA key
- matching your X.509 certificate in PEM format. This can be the same file
- as the X.509 certificate.
+_Description: Please enter the location of your X509 private key in PEM format:
+ Please enter the location of the file containing the private RSA key
+ matching your X509 certificate in PEM format. This can be the same file
+ that contains the X509 certificate.
+
+Template: strongswan/existing_x509_rootca_filename
+Type: string
+_Description: You may now enter the location of your X509 RootCA in PEM format:
+ Optionally you can now enter the location of the file containing the X509
+ certificate authority root used to sign your certificate in PEM format. If you
+ do not have one or do not want to use it please leave the field empty. Please
+ note that it's not possible to store the RootCA in the same file as your X509
+ certificate or private key.
Template: strongswan/rsa_key_length
Type: string
Default: 2048
-_Description: RSA key length:
- Please enter the length of RSA key you wish to generate. A value of less than
- 1024 bits is not considered secure. A value of more than 2048 bits will
- probably affect performance.
+_Description: Please enter which length the created RSA key should have:
+ Please enter the length of the created RSA key. it should not be less than
+ 1024 bits because this should be considered unsecure and you will probably
+ not need anything more than 4096 bits because it only slows the
+ authentication process down and is not needed at the moment.
Template: strongswan/x509_self_signed
Type: boolean
Default: true
-_Description: Create a self-signed X.509 certificate?
- Only self-signed X.509 certificates can be created
+_Description: Do you want to create a self-signed X509 certificate?
+ This installer can only create self-signed X509 certificates
automatically, because otherwise a certificate authority is needed to sign
- the certificate request.
+ the certificate request. If you want to create a self-signed certificate,
+ you can use it immediately to connect to other IPsec hosts that support
+ X509 certificate for authentication of IPsec connections. However, if you
+ want to use the new PKI features of strongSwan >= 1.91, you will need to
+ have all X509 certificates signed by a single certificate authority to
+ create a trust path.
.
- If you accept this option, the certificate created can be used
- immediately to connect to other IPSec hosts that support authentication via
- an X.509 certificate. However, using strongSwan's PKI features requires a
- trust path to be created by having all X.509 certificates signed by a single
+ If you do not want to create a self-signed certificate, then this
+ installer will only create the RSA private key and the certificate request
+ and you will have to sign the certificate request with your certificate
authority.
- .
- If you do not accept this option, only the RSA private key will be created,
- along with a certificate request which you will need to have signed by a
- certificate authority.
Template: strongswan/x509_country_code
Type: string
Default: AT
-_Description: Country code for the X.509 certificate request:
- Please enter the two-letter ISO3166 country code that should be
- used in the certificate request.
+_Description: Please enter the country code for the X509 certificate request:
+ Please enter the 2 letter country code for your country. This code will be
+ placed in the certificate request.
+ .
+ You really need to enter a valid country code here, because openssl will
+ refuse to generate certificates without one. An empty field is allowed for
+ any other field of the X.509 certificate, but not for this one.
.
- This field is mandatory; otherwise a certificate cannot be generated.
+ Example: AT
Template: strongswan/x509_state_name
Type: string
Default:
-_Description: State or province name for the X.509 certificate request:
- Please enter the full name of the state or province to include in
- the certificate request.
+_Description: Please enter the state or province name for the X509 certificate request:
+ Please enter the full name of the state or province you live in. This name
+ will be placed in the certificate request.
+ .
+ Example: Upper Austria
Template: strongswan/x509_locality_name
Type: string
-Default:
-_Description: Locality name for the X.509 certificate request:
- Please enter the locality name (often a city)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the locality name for the X509 certificate request:
+ Please enter the locality (e.g. city) where you live. This name will be
+ placed in the certificate request.
+ .
+ Example: Vienna
Template: strongswan/x509_organization_name
Type: string
-Default:
-_Description: Organization name for the X.509 certificate request:
- Please enter the organization name (often a company)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the organization name for the X509 certificate request:
+ Please enter the organization (e.g. company) that the X509 certificate
+ should be created for. This name will be placed in the certificate
+ request.
+ .
+ Example: Debian
Template: strongswan/x509_organizational_unit
Type: string
-Default:
-_Description: Organizational unit for the X.509 certificate request:
- Please enter the organizational unit name (often a department)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the organizational unit for the X509 certificate request:
+ Please enter the organizational unit (e.g. section) that the X509
+ certificate should be created for. This name will be placed in the
+ certificate request.
+ .
+ Example: security group
Template: strongswan/x509_common_name
Type: string
-Default:
-_Description: Common name for the X.509 certificate request:
- Please enter the common name (such as the host name of this machine)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the common name for the X509 certificate request:
+ Please enter the common name (e.g. the host name of this machine) for
+ which the X509 certificate should be created for. This name will be placed
+ in the certificate request.
+ .
+ Example: gateway.debian.org
Template: strongswan/x509_email_address
Type: string
-Default:
-_Description: Email address for the X.509 certificate request:
- Please enter the email address (for the individual or organization responsible)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the email address for the X509 certificate request:
+ Please enter the email address of the person or organization who is
+ responsible for the X509 certificate, This address will be placed in the
+ certificate request.
Template: strongswan/enable-oe
Type: boolean
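Review bot: several strings in this hunk were carried over from openswan unchanged: "dpkg-reconfigure openswan" under strongswan/install_x509_certificate must name the package that owns these templates (strongswan-starter, going by the file names), and "the new PKI features of strongSwan >= 1.91" is an openswan version number that has no meaning for strongSwan 4.3.x. Grammar in the same hunk: "a X509" should be "an X509" (or "X.509", as the replaced templates spelled it), "If you do not want to this now" is missing "do", "an connection" should be "a connection", "unsecure" should be "insecure", and the comma before "This address will be placed" in x509_email_address should be a full stop. The rsa_key_length text also drops the old warning that more than 2048 bits affects performance and instead names 4096 as the ceiling; the intended guidance should be stated consistently with the Default of 2048.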