On this page you edit the configuration of the CA certificate. Use the example below as a guide and pay close attention to the notes on the Bits and Country fields.
First, a short explanation of CRLs. By copying a CA certificate into /etc/freeswan/ipsec.d/cacerts, all user or host certificates issued by that CA are automatically declared valid. Unfortunately, private keys can be compromised, inadvertently or intentionally, the personal certificates of users leaving a company have to be blocked immediately, and so on. This gave birth to Certificate Revocation Lists (CRLs). A CRL contains the serial numbers of all user or host certificates that the CA has revoked, for whatever reason.
After the X.509 trust chain has been verified successfully, the /etc/freeswan/ipsec.d/crls directory is searched for a CRL issued by the CA that signed the certificate. If the certificate's serial number appears in that CRL, the public key in the certificate is declared invalid and the IPsec SA is not established. If no CRL is found in the crls directory, or if the time given in the CRL's nextUpdate field has passed, a warning is logged but the public key is accepted anyway. Note how lenient this default is: revoking a certificate has no effect on the gateway until a current CRL from the issuing CA is actually present in the crls directory, so regenerating the CRL and copying it there is part of every revocation. FreeS/WAN's strictcrlpolicy=yes setting in config setup reverses the default and rejects the peer when no valid CRL is available.
On with the example:
Field | Value
Common Name | firewall.enterprise.net
Days | 3650
Crl Days | 33
Bits | 2048
Country | US
State or Province | New-York
Locality | New-York
Organization Name | enterprise
Organizational Unit Name | enterprise
Email Address | admin@enterprise.net
Some notes: the Days field is set to 10 years (3650 days) in the example; Crl Days (33 here) is how long each CRL you generate stays current, that is, the distance from its issue date to its nextUpdate field, so it must be longer than the interval at which you regenerate and redistribute the CRL, otherwise the gateway falls back to the warn-and-accept behaviour described above; the Bits field is the RSA key size, and 2048 is the value to use (1024-bit RSA keys are no longer considered adequate, so do not go below 2048); in the Country field the two-letter ISO 3166 code for your country must be used (US, DE, FR and so on), not the country's name.
Once all values are filled in, click the Next button and then the Apply button to make the changes effective.
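The following script is an added example and is not part of the appliance interface or of FreeS/WAN. It reproduces with the openssl command line what the form above configures and what FreeS/WAN then does with the result: a CA with the example's fields and key size, two host certificates signed by it, a CRL with a 33-day nextUpdate that revokes one of them, and a check_peer function that mirrors the chain-then-CRL decision described above, including the warn-and-accept case when no CRL is present. The working directory, file names, host names and the rogue CA are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the appliance UI or from FreeS/WAN: build a CA with
# the fields of the example above, issue host certificates, revoke one of them in a
# CRL and reproduce the accept/warn/reject logic FreeS/WAN applies to ipsec.d/crls.
# Working directory, file names and host names are made up for the example.
set -e

WORK="$(mktemp -d)"
CA_SUBJ="/C=US/ST=New-York/L=New-York/O=enterprise/OU=enterprise/CN=firewall.enterprise.net/emailAddress=admin@enterprise.net"

# One config for 'openssl req', 'openssl x509 -req' and 'openssl ca'.
# default_bits and default_crl_days correspond to the Bits and Crl Days fields.
cat > "$WORK/ca.cnf" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = ca_dn
x509_extensions    = v3_ca
[ ca_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ host_ext ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = freeswan_ca
[ freeswan_ca ]
database         = $WORK/index.txt
serial           = $WORK/serial
certificate      = $WORK/cacert.pem
private_key      = $WORK/cakey.pem
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 33
EOF
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 1000 > "$WORK/crlnumber"

# The CA itself: 2048-bit RSA, self-signed, valid 3650 days (the Days field).
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "$CA_SUBJ" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# Host certificates issued by this CA; copying cacert.pem into ipsec.d/cacerts
# makes both of them trusted until a CRL says otherwise.
issue_host() {  # $1 = short host name
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=enterprise/CN=$1.enterprise.net" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions host_ext \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}
issue_host gateway
issue_host laptop

# A certificate from an unrelated CA: must fail the trust chain check.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/O=someone else/CN=rogue.example.org" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

# The laptop's key is considered compromised: revoke it and publish a CRL.
# crl.pem is what would be copied into /etc/freeswan/ipsec.d/crls.
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/laptop.pem" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null

# Decision mirroring the text: trust chain first, then the CRL; a missing CRL
# only produces a warning and the certificate is accepted anyway.
# Prints exactly one of: rejected | revoked | valid | accepted-no-crl
check_peer() {  # $1 = peer certificate, $2 = CRL file (may not exist)
  openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1 || { echo rejected; return 0; }
  if [ ! -f "$2" ]; then
    echo "warning: no CRL found for the issuer of $1" >&2
    echo accepted-no-crl; return 0
  fi
  out="$(openssl verify -crl_check -CAfile "$WORK/cacert.pem" -CRLfile "$2" "$1" 2>&1)" \
    && { echo valid; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo rejected ;;
  esac
}

check_peer "$WORK/gateway.pem" "$WORK/crl.pem"   # valid
check_peer "$WORK/laptop.pem"  "$WORK/crl.pem"   # revoked
check_peer "$WORK/rogue.pem"   "$WORK/crl.pem"   # rejected
check_peer "$WORK/laptop.pem"  "$WORK/none.crl"  # accepted-no-crl
```

One difference from FreeS/WAN is worth knowing when you test with openssl: verify -crl_check also fails with "CRL has expired" once the CRL's nextUpdate has passed, whereas FreeS/WAN's default only logs a warning and accepts the peer, so an expired CRL on the gateway is no protection at all. Regenerate it well inside the Crl Days window and copy it into the crls directory each time.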