Westermo RedFox Series User Manual
Page 803

Westermo OS Management Guide
Version 4.17.0-0
[Figure 35.7 image: CA_AB, Alice, Bob, Trusted CAs]
Figure 35.7: Alice and Bob have certificates issued by the same CA (e.g., their company CA). In this PKI model, Alice uploads the certificate of her CA, and trusts any certificate issued by that CA.
• the certificate of her CA (CA_AB),
• her own certificate (AliceCert), and
• the private key associated with her certificate.
This is typically done by importing a password protected PKCS#12 bundle, holding both these certificates and the private key (see for more information on certificate management).
If we consider the sample setup in , the certificates of Alice, Bob, Charlie, and Dave could all be issued by the same CA. Below we see sample WeOS CLI syntax for Alice's and Bob's VPN configuration, as well as some comments.
• Local-id: The local-id strings are not necessary here; using the 'auto' mode ("no local-id") is sufficient, since in certificate authentication mode ("method cert") the default is to use the DN string of the local certificate.
• Shared remote-subnet: As Bob's local subnet (10.0.2.128/29) only defines a subset of the remote subnet defined by Alice (10.0.2.0/24), she has added the keyword "shared".
• Remote CA: The setting "remote-ca same" enforces the restriction that Alice will verify that Bob's certificate is issued by the same CA as her certificate (and vice versa). This is the default setting, and may not be shown in your configuration file. See and for alternative settings.
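The following is an added example, not code from the Westermo manual or from WeOS: it models in Python (using the pyca `cryptography` library, assumed to be installed) what the three pieces of Alice's PKCS#12 bundle are and what the "remote-ca same" rule has to check. The whole PKI is constructed in the script: CA_AB issues AliceCert and BobCert, and a second CA ("CA_other", hypothetical, not from the manual) issues a certificate for a peer that must be rejected. The functions `make_cert`, `peer_accepted_same_ca`, `needs_shared_keyword` and `demo` are this example's own names. Note that the check does more than compare issuer names: a certificate that merely claims CA_AB as its issuer but does not verify under CA_AB's public key is refused, which is the point of trusting a CA certificate rather than a name. The last check models the "shared" remark above: Bob's local subnet is a proper subset of the remote-subnet Alice configured.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_name, issuer_key, subject_key, is_ca):
    """Issue a minimal X.509 certificate for the constructed test PKI (one-year validity)."""
    now = datetime.datetime.utcnow()
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def peer_accepted_same_ca(local_cert, trusted_cas, peer_cert):
    """Model of the 'remote-ca same' rule (hypothetical helper, not WeOS code):
    the peer certificate must name the CA that issued our own certificate, must
    verify under that CA's public key, and must be within its validity period."""
    ca = next((c for c in trusted_cas if c.subject == local_cert.issuer), None)
    if ca is None or peer_cert.issuer != local_cert.issuer:
        return False
    try:
        ca.public_key().verify(
            peer_cert.signature,
            peer_cert.tbs_certificate_bytes,
            ec.ECDSA(peer_cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    now = datetime.datetime.utcnow()
    return peer_cert.not_valid_before <= now <= peer_cert.not_valid_after


def needs_shared_keyword(peer_local_subnet, our_remote_subnet):
    """True when the peer's local subnet is a proper subset of the remote subnet
    we configured, the situation in which the manual says 'shared' is added."""
    local = ipaddress.ip_network(peer_local_subnet)
    remote = ipaddress.ip_network(our_remote_subnet)
    return local != remote and local.subnet_of(remote)


def demo(password=b"constructed-password"):
    """Build the constructed PKI, round-trip Alice's PKCS#12 bundle, evaluate peers."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_ab = make_cert("CA_AB", _name("CA_AB"), ca_key, ca_key, True)
    other_key = ec.generate_private_key(ec.SECP256R1())
    ca_other = make_cert("CA_other", _name("CA_other"), other_key, other_key, True)

    # Alice's bundle: her private key, AliceCert, and the CA_AB certificate.
    alice_key = ec.generate_private_key(ec.SECP256R1())
    alice_cert = make_cert("Alice", ca_ab.subject, ca_key, alice_key, False)
    p12 = pkcs12.serialize_key_and_certificates(
        b"alice", alice_key, alice_cert, [ca_ab],
        serialization.BestAvailableEncryption(password),
    )
    _key, local_cert, trusted_cas = pkcs12.load_key_and_certificates(p12, password)

    bob_cert = make_cert("Bob", ca_ab.subject, ca_key,
                         ec.generate_private_key(ec.SECP256R1()), False)
    # Peer whose certificate comes from an unrelated CA: wrong issuer.
    stranger = make_cert("Stranger", ca_other.subject, other_key,
                         ec.generate_private_key(ec.SECP256R1()), False)
    # Certificate that claims CA_AB as issuer but was signed with another key.
    bad_sig = make_cert("Bob", ca_ab.subject, other_key,
                        ec.generate_private_key(ec.SECP256R1()), False)
    return {
        "bundle_has_ca": any(c.subject == ca_ab.subject for c in trusted_cas),
        "bob_accepted": peer_accepted_same_ca(local_cert, trusted_cas, bob_cert),
        "other_ca_rejected": not peer_accepted_same_ca(local_cert, trusted_cas, stranger),
        "bad_signature_rejected": not peer_accepted_same_ca(local_cert, trusted_cas, bad_sig),
        "bob_needs_shared": needs_shared_keyword("10.0.2.128/29", "10.0.2.0/24"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Run it directly to print each check; every value should be True. Keys are generated fresh on each run, so the PKCS#12 password and all certificates are throwaway test material.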
© 2015 Westermo Teleindustri AB
803