System information

Manual:Create Certificates
Warning: The RSA key length must be at least 472 bits if the certificate is used by SSTP. Shorter keys
are considered a security threat.
Again, during the process you will have to fill in some entries. When filling in the CN, remember that
it must not be the same on the CA and the server certificate, otherwise a naming collision will occur later.
Note: The Common Name (CN) in the server certificate should match the IP address of your server;
otherwise you will get a "domain mismatch" message and, for example, the Windows SSTP client will
not be able to connect to the server. If the clients are only Windows machines, then the CN can be a DNS
name, too.
Note: If you are using "My ID user FQDN" in the IPsec configuration, then the "subjectaltname" extension
should be set on the certificate and must match the value set in the remote peer's "My ID user FQDN".
The client key/certificate pair creation steps are very similar to the server's. Remember to specify a unique
CN.
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
To examine the certificate, run the following command:
openssl x509 -noout -text -in server.crt -purpose
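The following script is an added example, not part of the MikroTik manual: it carries the CA, server and client certificate generation through with openssl and then checks the properties the notes above call out (key length of at least 472 bits for SSTP, a server/client CN that differs from the CA's CN, a subjectAltName entry, and a valid chain to ca.crt) before anything is uploaded to the router. The names, the server IP 192.0.2.10, the e-mail-style user FQDN for the client and the work directory are constructed assumptions; keys are written unencrypted so the script runs without prompts, whereas the manual's commands add -des3 to protect each private key with a passphrase.

```shell
#!/bin/sh
# Added example (not from the MikroTik manual): build a CA, a server certificate and a
# client certificate, then verify the properties the manual's notes describe.
# All names, the IP address, the e-mail SAN and the work directory are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
SERVER_IP="192.0.2.10"          # address SSTP clients connect to (assumed)
CLIENT_ID="client1@example.com" # constructed "My ID user FQDN" value for the IPsec note
SSTP_MIN_BITS=472               # threshold stated in the manual's warning

# Self-signed CA; its CN must differ from every certificate it issues.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -subj "/CN=Example CA" -out "$WORK/ca.crt"
}

# issue_cert <prefix> <CN> <serial> [subjectAltName value]
# Mirrors the manual's genrsa / req / x509 -req sequence, adding a SAN when one is given.
issue_cert() {
    prefix="$1"; cn="$2"; serial="$3"; san="$4"
    openssl genrsa -out "$WORK/$prefix.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$prefix.key" -subj "/CN=$cn" -out "$WORK/$prefix.csr"
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" > "$WORK/$prefix.ext"
        set -- -extfile "$WORK/$prefix.ext"
    else
        set --
    fi
    openssl x509 -req -days 3650 -in "$WORK/$prefix.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial "$serial" -out "$WORK/$prefix.crt" "$@" 2>/dev/null
}

# RSA modulus size recorded in the certificate, e.g. 2048.
cert_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Subject CN of a certificate (the single-RDN subjects produced above).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/^subject= *CN=//p'
}

# Succeeds when the SAN extension lists the given entry, e.g. "IP Address:192.0.2.10".
san_contains() {
    openssl x509 -noout -text -in "$1" | grep -q "$2"
}

# Succeeds when the certificate verifies against our CA.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Runs every check for one issued certificate; returns 0 only if all of them pass.
check_cert() {
    crt="$1"; expected_san="$2"
    bits=$(cert_bits "$crt")
    [ "$bits" -ge "$SSTP_MIN_BITS" ] || { echo "$crt: key too short for SSTP ($bits bits)"; return 1; }
    [ "$(cert_cn "$crt")" != "$(cert_cn "$WORK/ca.crt")" ] || { echo "$crt: CN collides with CA"; return 1; }
    san_contains "$crt" "$expected_san" || { echo "$crt: missing SAN $expected_san"; return 1; }
    chain_ok "$crt" || { echo "$crt: does not verify against ca.crt"; return 1; }
    echo "$crt: ok ($bits-bit key, CN=$(cert_cn "$crt"))"
}

# Server CN is the IP address clients connect to; client gets its own unique CN.
build_all() {
    make_ca
    issue_cert server "$SERVER_IP" 01 "IP:$SERVER_IP"
    issue_cert client client1 02 "email:$CLIENT_ID"
}

build_all
check_cert "$WORK/server.crt" "IP Address:$SERVER_IP"
check_cert "$WORK/client.crt" "email:$CLIENT_ID"
```

The script gives the server and client certificates different serial numbers (01 and 02); the manual's commands use -set_serial 01 for both, and two certificates issued by the same CA with the same serial can be rejected or confused by clients, so vary the serial per certificate. After the checks pass, the server.crt and server.key files in the work directory are what the import step below expects.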
Import certificates
To import the newly created certificates into your router, first upload the server.crt and server.key files to the
router via FTP. Then go to the /certificate submenu and run the following commands:
[admin@test_host] /certificate> import file-name=server.crt
passphrase:
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
[admin@test_host] /certificate> import file-name=server.key
passphrase:
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
If everything is imported properly, the certificate should show up with the KR flags.
[admin@test_host] /certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa