tech stuff.

racoon requires subjectAltName for x509 IKE


Having trouble getting your IPsec tunnel working with x509 certs? It would appear that racoon requires the subjectAltName extension to be set; it won’t fall back to the CN. You have to set a subjectAltName field even if it contains nothing besides a copy of the CN.

Heed this warning, or you’ll fall victim to the following:

racoon: 2008-12-02 14:47:21: ERROR:
racoon: 2008-12-02 14:47:21: ERROR: failed to get subjectAltName
racoon: 2008-12-02 14:47:21: ERROR: no peer's CERT payload found.

Of course… the misery that is tricking openssl to create a cert with the subjectAltName in it is outside the scope of this simple blog entry. Maybe a lengthy one at a later date…

http://www.mail-archive.com/openssl-users@openssl.org/msg47641.html
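Since the post stops short of showing how to get openssl to emit the extension, here is an added example (my own, not from the original post) that writes a minimal openssl config with a `subjectAltName` entry, produces a self-signed cert from it, and then checks that the extension is actually present before you hand the cert to racoon. It assumes the `openssl` command-line tool is installed; the hostname `gw1.example.test` and the output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an X.509 cert that carries subjectAltName (racoon needs
# it) and verify the extension is there. Assumes the openssl CLI is on PATH.
set -eu

# make_cert_with_san HOST DIR
# Writes DIR/san.cnf, DIR/key.pem and DIR/cert.pem. The SAN simply mirrors the
# CN, which is all racoon needs; a real deployment would use its own DN/SAN.
make_cert_with_san() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_req
prompt             = no

[ dn ]
CN = $host

[ v3_req ]
subjectAltName = DNS:$host
EOF
  # -x509 makes req emit a self-signed cert directly; x509_extensions in the
  # [req] section is what pulls the SAN into the certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -config "$dir/san.cnf" >/dev/null 2>&1
}

# has_san CERT -> exit status 0 if the cert carries a subjectAltName, 1 if not.
# Run this on any peer cert before loading it into racoon; a cert without the
# extension is exactly what triggers "failed to get subjectAltName".
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# show_san CERT -> prints the SAN value line, e.g. "DNS:gw1.example.test".
show_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage (placeholder host and directory):
#   make_cert_with_san gw1.example.test ./racoon-certs
#   has_san ./racoon-certs/cert.pem && show_san ./racoon-certs/cert.pem
```

The config-file route works on old and new openssl releases alike; newer versions also accept `-addext "subjectAltName=DNS:host"` on the `req` command line, but the config file is the portable way to get the extension in. The `has_san` check is worth keeping around as a pre-flight test for every cert you drop into racoon's certificate directory.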


Written by Lee Verberne

2008/12/02 at 21:12

Posted in Internet, Unix-type stuff

