X.509 certificate authentication
In this set of examples, you modify the VPN connection between WEST and EAST that was configured in the basic set of examples (Basic site-to-site connection). That connection authenticated the two peers with a pre-shared key, a single secret that has to be distributed to both routers. This set of examples modifies the configuration to authenticate the peers with X.509 certificates instead, so that each router holds only its own private key and no shared secret has to be exchanged.
In general, the procedure for obtaining the files required to authenticate using X.509 certificates is as follows:
- Generate the private key and a certificate signing request (CSR), which carries the matching public key. Use the generate vpn x509 key-pair <name> command; for example, generate vpn x509 key-pair west creates west.key (the private key) and west.csr (the CSR), both in /config/auth. The private key stays on the router; only the CSR is sent out.
- Send the CSR file (for example, west.csr) to the certificate authority (CA) and receive back the signed certificate for the router (for example, west.crt), the CA certificate (for example, ca.crt), and, depending on the CA, a certificate revocation list (CRL) file. The exact procedure varies according to the CA being used. Before using the returned files, confirm that west.crt contains the public key belonging to west.key and that it verifies against ca.crt; a certificate issued from the wrong CSR, or a CA certificate that is not the issuer's, would otherwise show up only as a failed tunnel negotiation later.
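The two steps above, reproduced offline with openssl as an added example (this is not the product's code and not part of the original page). The directory ./x509-demo stands in for the router's /config/auth, a throwaway self-signed CA created by the script plays the external CA, and the host and CA names are made up. The script then runs the two checks a practitioner wants before touching the VPN configuration: that the returned certificate belongs to the router's private key, and that it chains to the supplied CA certificate and is not on the CRL, including a negative check against an unrelated CA.

```shell
#!/bin/sh
# Added example, not part of the product documentation: the X.509 workflow
# above, reproduced offline with openssl so the resulting files can be checked.
# Assumption: ./x509-demo stands in for /config/auth; a throwaway CA plays the real CA.
set -eu

WORKDIR=./x509-demo
CFG="$WORKDIR/demo.cnf"

# Minimal OpenSSL config: CSR defaults, extension profiles for the CA and the
# router certificate, and the bookkeeping files "openssl ca -gencrl" needs.
write_config() {
    mkdir -p "$WORKDIR"
    : > "$WORKDIR/index.txt"        # empty issued-certificate database
    echo 01 > "$WORKDIR/crlnumber"  # next CRL number (hex)
    cat > "$CFG" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_peer ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
authorityKeyIdentifier = keyid
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORKDIR/index.txt
crlnumber = $WORKDIR/crlnumber
certificate = $WORKDIR/ca.crt
private_key = $WORKDIR/ca.key
default_md = sha256
default_crl_days = 30
EOF
}

# Step 1 (router side): private key plus CSR, the equivalent of
# "generate vpn x509 key-pair west" producing west.key and west.csr.
generate_key_pair() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CFG" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" \
        -subj "/O=Example/CN=$1.vpn.example" 2>/dev/null
    chmod 600 "$WORKDIR/$1.key"   # the private key never leaves the router
}

# Step 2 (CA side; a real CA's procedure varies): a self-signed CA issues the
# router certificate from the CSR alone and publishes its certificate and CRL.
create_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$CFG" \
        -extensions v3_ca -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
        -subj "/O=Example/CN=$1" 2>/dev/null
}
issue_cert() {
    openssl x509 -req -in "$WORKDIR/$1.csr" -days 365 -sha256 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$CFG" -extensions v3_peer -out "$WORKDIR/$1.crt" 2>/dev/null
}
issue_crl() {
    openssl ca -config "$CFG" -gencrl -out "$WORKDIR/ca.crl" 2>/dev/null
}

# Check 1 (router side): the returned certificate carries the public key that
# belongs to west.key. A CA that returns the wrong certificate fails here.
cert_matches_key() {
    key_pub=$(openssl pkey -in "$WORKDIR/$1.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$WORKDIR/$1.crt" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Check 2: the certificate chains to the CA certificate you were given and is
# not on the CRL. Against an unrelated CA certificate this must fail.
cert_verifies() {
    openssl verify -CAfile "$WORKDIR/$2" -crl_check -CRLfile "$WORKDIR/ca.crl" \
        "$WORKDIR/$1.crt" >/dev/null 2>&1
}

run_demo() {
    write_config
    generate_key_pair west   # router keeps west.key, sends west.csr
    create_ca ca             # the issuing CA; ca.key stays with the CA
    create_ca rogue-ca       # an unrelated CA, for the negative check
    issue_cert west          # CA returns west.crt ...
    issue_crl                # ... together with ca.crt and ca.crl
    cert_matches_key west
    echo "west.crt matches west.key"
    cert_verifies west ca.crt
    echo "west.crt chains to ca.crt and is not revoked"
    if cert_verifies west rogue-ca.crt; then
        echo "ERROR: west.crt accepted under an unrelated CA"; return 1
    fi
    echo "west.crt rejected under rogue-ca.crt, as it should be"
}

run_demo
```

Only west.csr crosses from the router to the CA, and only west.crt, ca.crt and (where the CA publishes one) the CRL come back; west.key and ca.key never change hands. On a real deployment step 1 is the generate vpn x509 key-pair command and step 2 is whatever the CA requires, but the two checks at the end can be run unchanged wherever the returned files are available.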
At this point, the configuration can be modified to use these files.