
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,349 messages   


   Message 902 of 2,349   
   Larry Riffle to Mitja Sladovic   
   Re: FreeSwan and certificates   
   09 Apr 04 14:35:09   
   
   From: spamtrap47@adelphia.net   
      
   pkcs12/pfx is an import format containing a cert and its private key   
   along with zero or more other certs and CA's. That's how you'd transport   
   a cert and private key between clients.   
      
   pkcs7 is one of several cert formats. I guess this is their CA?   
      
   If I'm understanding you right you want to authenticate your customer's   
   connection and the cert they will present is signed by their CA. If   
   that's the case all your end needs is their CA. Their end needs yours.   
   No reason to exchange certs and ABSOLUTELY NO reason to exchange private   
   keys. (That's why they call them "private".)   
      
   If they sent you a pkcs12 file containing their private key that's a   
   huge no-no. If they have made a habit out of that they should throw out   
   their cert and CA and start over. Security is compromised. Well actually   
   it's flushed down the toilet. I hope I've misunderstood.   
      
   The authentication process works like this. Their end presents its cert   
   and trust chain up to, but not including, the CA. If your end has a CA   
   to complete the chain, they are in. Same thing with your cert in the   
   other direction. Private keys remain private.   
      
   Mitja Sladovic wrote:   
   > Hi   
   >   
   > I have Linux FreeS/WAN super-freeswan-1.99.8 with X509 patch on server side,   
   > with working WinXP native IPSEC connections (where I'm CA).   
   >   
   > Now I want to add cert to freeswan from customer, where he is a CA.   
   > He gives me cert.pfx and cert-ca.p7b (CA Cert).   
   >   
   > So i converted those certs in PEM format:   
   > Private cert:   
   > openssl pkcs12 -in cert.pfx -out cert_pem.pem   
   > openssl rsa -in cert_pem.pem -out cert.pem # to remove password   
   >   
   > CA cert:   
   > openssl pkcs7 -inform DER -in cert-ca.p7b -print_certs -text -out cert-ca.pem   
   >   
   > I configured ipsec.conf:   
   > conn customer   
   >         left=(my IP)   
   >         leftsubnet=192.168.1.0/24   
   >         leftcert=/etc/ipsec.d/cert.pem   
   >         right=(Customer's IP)   
   >         rightsubnet=10.0.10.0/24   
   >         rightcert=/etc/ipsec.d/cert-ca.pem   
   >         rightca=%same   
   >         pfs=yes   
   >         auto=start   
   >   
   >   
   > Is certificate conversion process OK?   
   > Is ipsec.conf configuration OK?   
   > What should I define in ipsec.secrets?   
   >   
   > Thanks a lot!!!   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
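The handling Larry describes, as an added example that is not part of the thread: it builds a throwaway "customer" CA and gateway cert with openssl, packages them as cert.pfx and cert-ca.p7b the way the customer did, then shows the receiving side detecting that the PKCS#12 carries a private key, keeping only the public certs, and verifying that the customer cert chains to the customer CA. The file names, subjects and the password "secret" are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not code from the thread): build a throwaway "customer" CA and
# gateway cert, package them as the customer did (PKCS#12 + PKCS#7), then do
# what the reply recommends on the receiving end: detect the leaked private
# key, keep only the public certs, and verify the chain against their CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_customer_pki() {
  # Constructed stand-in for the customer's CA and gateway certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Customer CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=customer-gw" \
    -keyout "$WORK/gw.key" -out "$WORK/gw.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/gw.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/gw.pem" -days 1 2>/dev/null
  # What the customer mailed: cert.pfx WITH the private key, cert-ca.p7b with the CA.
  openssl pkcs12 -export -in "$WORK/gw.pem" -inkey "$WORK/gw.key" \
    -passout pass:secret -out "$WORK/cert.pfx"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -outform DER \
    -out "$WORK/cert-ca.p7b"
}

# Returns 0 when the PKCS#12 carries a private key (the reply's "huge no-no").
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin pass:"$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Receiving side: keep only the public cert (-nokeys) and the CA cert, then
# check that the customer's cert chains to the customer's CA.
extract_public_and_verify() {
  openssl pkcs12 -in "$WORK/cert.pfx" -passin pass:secret -nokeys -clcerts \
    -out "$WORK/customer-cert.pem" 2>/dev/null
  openssl pkcs7 -inform DER -in "$WORK/cert-ca.p7b" -print_certs \
    -out "$WORK/customer-ca.pem"
  openssl verify -CAfile "$WORK/customer-ca.pem" "$WORK/customer-cert.pem" \
    >/dev/null 2>&1
}

main() {
  make_customer_pki
  if pfx_has_private_key "$WORK/cert.pfx" secret; then
    echo "cert.pfx carries a private key: that identity must be considered compromised"
  fi
  extract_public_and_verify && echo "customer cert verifies against customer CA"
}
main
```

Only customer-ca.pem is needed on the FreeS/WAN side for rightca; the extracted customer-cert.pem is kept here just to show the chain check passing without any private key from the other party.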



(c) 1994,  bbs@darkrealms.ca