Questions about certificate authentication

  • I have Mutual PSK + Xauth working fine, but I'm trying to migrate to certificate authentication (Mutual RSA + Xauth). I have it somewhat working, but I have a few questions:

    1)  I've created a self-signed certificate authority and some signed certificates. My VPN client (iPhone) is using the certificate and it's working, but how does the VPN server validate the certificate? The racoon docs mention using ASN.1 names, but that doesn't seem to work with pfSense (they seem to be ignored), which makes sense because racoon.conf doesn't have "validate_peers" enabled.

    2)  Does "My Certificate" (phase 1) need to be signed by the same certificate authority as "My Certificate Authority"? It seems like the answer is no (because I'm using a wildcard SSL certificate and it appears to be working), but I want to make sure.

    3)  How can I verify that my configuration is secure? Are there any (easy) tools available for checking?


  • Rebel Alliance Developer Netgate

    An easy test would be to make a different certificate from a completely different CA and see if you can still get in with it.
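The test suggested in the reply, carried out at the X.509 level with openssl as an added example (this is not code from the thread, from pfSense or from racoon): two independent self-signed CAs are built, one client certificate is issued from each, and each client certificate is checked against the single CA the VPN is configured to trust. Only the certificate that chains to the trusted CA verifies; the one from the other CA is rejected even though it is a perfectly well-formed certificate. The CA names (vpn-ca, rogue-ca) and client names (iphone, intruder) are constructed for the example, and openssl must be installed; the default openssl.cnf is relied on to mark the self-signed CA certificates as CA:TRUE.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds two unrelated CAs,
# issues a client certificate from each, and checks which one the trusted
# CA accepts. Names (vpn-ca, rogue-ca, iphone, intruder) are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca NAME: self-signed CA key + certificate (NAME.key / NAME.crt).
# The default openssl.cnf v3_ca section marks it basicConstraints CA:TRUE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# issue_client CA CN: key + CSR for CN, signed by CA (CN.key / CN.crt).
issue_client() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 365 -sha256 -out "$2.crt" >/dev/null 2>&1
}

# verify_against_trusted CAFILE CERT: exit 0 if CERT chains to CAFILE,
# non-zero otherwise. This is the chain check a peer-certificate
# validation must perform; it deliberately trusts only CAFILE.
verify_against_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# describe CAFILE CERT: human-readable verdict for the same check.
describe() {
  if verify_against_trusted "$1" "$2"; then
    echo "$2: ACCEPTED (chains to $1)"
  else
    echo "$2: REJECTED (does not chain to $1)"
  fi
}

make_ca vpn-ca            # the CA installed as "My Certificate Authority"
make_ca rogue-ca          # a completely different CA, as in the reply
issue_client vpn-ca iphone
issue_client rogue-ca intruder

describe vpn-ca.crt iphone.crt    # accepted
describe vpn-ca.crt intruder.crt  # rejected
```

Passing `openssl verify` only shows that the chain check itself is sound; whether the VPN actually refuses the rogue certificate depends on the IKE daemon performing that check against the right CA, which is exactly what the end-to-end test in the reply exercises.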
