Hi list,<div><br></div><div>I have two StrongSwans running in a testbench scenario using preshared keys with IKEv2. I would like to set up PKI instead of preshared keys. I'm not interested in using DNs, I just want to trust any certificate signed by my CA (unless there's a compelling security concern with this). It would be preferable if each gateway had its own cert, its own key, and the CA cert without having to copy every cert onto every gateway.</div>
<div><br></div><div>I'm running openssl to generate the CA: openssl req -x509 -days 3650 -newkey rsa:2048 -keyout ca.key -out ca.crt</div><div>Here's the cert request: openssl req -newkey rsa:2048 -keyout site.key -out site.req</div>
<div>And here's the ca sign: openssl -in site.req -days 730 -out site.crt -notext</div><div><br></div><div>I'm just filling in the country code, the company name, and using the site's name as the common-name. There's no subjectAltName.</div>
<div><br></div><div>Is this the way to go about creating the certs required, and what do I need to have in my ipsec.conf to make this work? Thankyou.</div><div><br></div><div>PS: does anyone have recommendations for generating entropy in a VM? I would like to use a TRNG but I can't get VMWare ESXi to pass USB/serial/parallel devices through -- timer_entropyd generates plenty of entropy bits, but is it random enough?</div>
<div><br></div><div>Thank you.</div>