 From:  Lynn Grant <lgrant at adamscon dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Quick Start for RSA Signature Authentication
 Date:  Sat, 27 Dec 2008 14:07:24 -0600

I have been running a four-M0n0wall VPN network for a while, using Pre-Shared 
Key authentication.  I really wanted to use RSA Signature authentication, but 
the M0n0wall documentation is a bit sparse on how to do that.  I have just 
managed to get all my M0n0s working with RSA Signature authentication, so I 
thought I would document how I did it.  This is not the be-all-and-end-all of 
certificate documentation, but it might help other folks get started. 


Quick Start for RSA Signature Authentication

You will need to generate a certificate and a private key for each router.  
You can do this with OpenSSL, and there are several tutorials on the web 
about how to do this.  A quicker way is to use the XCA program, from 
Christian Hohnstaedt.  It is available here 
(http://sourceforge.net/projects/xca) as a *nix tarball or a Windows exe file, 
and is licensed under a BSD-like license. 

First you need to create a Certification Authority (CA) key to use in signing 
your certificates.  Bring up XCA, and click on the "Private Keys" tab, then 
click the "New Key" button.  Give the key a name like "My Company Certificate 
Authority".  Keytype should be "RSA".  The default keysize of 1024 is 
probably about right. 

Now click on the "Certificates" tab, and click the "New Certificate" button.  
On the "Create x509 Certificate" page, select "Create a self signed 
certificate with the serial 1". Click on the "Subject" tab.  For "Internal 
name" and "Common name", use something like "My Company Certificate 
Authority".  Fill in the other fields at the top of the page (Country code, 
State or Province -- spelled out, by the way -- Locality, Organisation, 
Organ. unit, E-mail address).  Click on the "Extensions" tab.  Set the type 
to "Certification Authority".  Under "Key Identifier", select "Subject Key 
Identifier". Click on the "Key Usage" tab and select "Certificate Sign".  
Click the "OK" button.

Now that you have a certificate signing certificate, you can make certificates 
for all of your routers. 

In XCA, click on the "private keys" tab, then click the "New Key" button.  
Give the key a name that lets you remember which router it goes to.  Keytype 
should be "RSA", and the default of 1024 bit keysize is probably about right.  
Click the "Create" button.  Do this for each router. 

Click on the "Certificates" tab, then click the "New Certificate" button.  On 
the "Source" page, select "Use this Certificate for signing", and select your 
CA certificate.  (This value should be in the field by default.)  On 
the "Subject" page, enter the information for your router.  I use the router 
name as the Internal Name and Common Name.  Click on the "Extensions" tab.  
Set the type to "End Entity" and under "Key Identifier", select "Subject Key 

Now comes the most important part.  In the "subject alternative name" field, 
put "IP:" followed by the IP address of the interface, for 
example "IP:".  This must match the IP address of the interface that 
the VPN goes over; if you have VPNs on the WAN interface, and VPNs to 
internal routers on the LAN interface, you will need two separate 
certificates.  Click on "OK" to create your certificate. Repeat this for each 

Now select each router certificate under the "Certificates" tab and click on 
the "Export" button.  Choose a file name.  Select "PEM" for the export format 
and click "OK".

Now click the "Private Keys" tab.  Select the private key for each router, and 
click on the "Export" button.  Choose a file name.  Select "PEM" for the 
export format and click "OK".  Keep in mind that the key files are the key to 
the router's identity, so be sure to delete them as soon as you are done 
setting up the routers. 
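For anyone who prefers the OpenSSL route the post mentions over the XCA GUI, here is the same procedure as a script, added here and not part of the original post: a CA, a per-router key and certificate with the "IP:" subject alternative name, and two checks (does the certificate chain to the CA with the expected SAN, and does the key actually belong to the certificate) that catch the mistakes the post says will otherwise cost you a trip to the remote site.  All names and the RFC 5737 documentation addresses are constructed; it uses 2048-bit keys rather than the 1024 the post suggests, since 1024-bit RSA is no longer considered adequate.

```shell
#!/bin/sh
# Added example (not from the post): OpenSSL equivalent of the XCA steps, plus
# pre-flight checks.  Constructed values: all names and the 203.0.113.x /
# 198.51.100.x documentation addresses used as router interface IPs.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config: a DN section (unused, -subj is passed) and the CA extensions
# matching XCA's "Certification Authority" type with "Certificate Sign" key usage.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = ignored
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1: CA key and self-signed CA certificate with serial 1.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -set_serial 1 -config "$WORK/openssl.cnf" \
        -extensions v3_ca -key "$WORK/ca.key" \
        -subj "/C=US/ST=Illinois/O=My Company/CN=My Company Certificate Authority" \
        -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: per-router key and CA-signed "End Entity" certificate.  The SAN must be
# "IP:<addr>" of the interface the tunnel runs over; one certificate per interface.
make_router_cert() {   # $1 = router name, $2 = interface IP
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$WORK/openssl.cnf" -key "$WORK/$1.key" \
        -subj "/C=US/ST=Illinois/O=My Company/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nkeyUsage=digitalSignature\nsubjectAltName=IP:%s\n' "$2" > "$WORK/$1.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Step 3: checks to run before pasting anything into the M0n0wall pages.
cert_has_san_ip() {    # $1 = router name, $2 = IP the tunnel interface really has
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/$1.pem" -noout -text 2>/dev/null | grep -qE "IP Address:$2(,|\$)"
}
key_matches_cert() {   # $1 = router whose cert, $2 = router whose key; compares public keys
    pub=$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$WORK/$2.key" -pubout 2>/dev/null)" ]
}

make_ca
make_router_cert RouterA 203.0.113.10
make_router_cert RouterB 198.51.100.20
cert_has_san_ip RouterA 203.0.113.10 && key_matches_cert RouterA RouterA && echo "RouterA files are consistent"
```

The PEM files in $WORK are what gets pasted into the "Certificate", "Peer Certificate" and "Key" boxes; remove the .key files once the routers are configured, as the post advises.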

It is probably best to get your VPN tunnel working in Pre-Shared Key mode 
first, so you can get any kinks out of the other parameters, before you add 
the additional complexity of certificates.   Bring up the VPN:IPSEC:Edit 
Tunnel page on your M0n0walls.  If you already have the tunnel working in 
Pre-Shared Key mode, you can bring them up side-by-side in two browser 
windows, which will make things easier.  Just be sure to move slowly and read 
all the directions before you do anything, so you don't lose contact with the 
remote M0n0wall before you get it set up. 

Let's say your two routers are RouterA and RouterB.  On RouterA, change 
the "Authentication Method" to "RSA Signature".  Bring up the RouterA 
certificate in your favorite text editor.  It should look something like 


Copy it however your editor does that, and paste it into the "Certificate" box 
on RouterA's page.  Also paste it into the "Peer Certificate" box on 
RouterB's page.  

Now edit the RouterB certificate.  Copy it and paste it into the "Certificate" 
box on RouterB's page and the "Peer Certificate" box on RouterA's page. 

Bring up the RouterA private key file in your editor.  It should look 
something like this: 


Paste it into the "Key" field on RouterA's page.  Edit the RouterB private key 
file, and copy and paste it into the "Key" field on RouterB's page. 

Click the "Save" button on each page. 

You will now have an "Apply Changes" button at the top of each page. Here is 
the critical part.  As soon as you click either of the "Apply Changes" 
buttons, you will lose contact with the remote router until the tunnel is 
re-established.  So the proper order is: 

- Click "Apply Changes" on the remote router's page. 
- Click "Apply Changes" on the local router's page. 

The local router's page should refresh almost immediately.  The remote router 
will take a little longer, since the tunnel has to be re-established, but if 
you did everything right, it should come up shortly.  If the tunnel is slow 
coming up, you may have to refresh the page if it times out.  If something 
got messed up, like you pasted the wrong certificate in the wrong box, or you 
got the IP address wrong in the subject alternative name, you will have to 
change both M0n0walls back to Pre-Shared Key authentication (which will 
involve physically going to where the remote router is, since you can't talk 
to it any more) and start over. 

Don't forget to delete the files you exported the private keys to when you are 
done setting up!


Lynn Grant
Cross Design Group LLC