This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

3 Astaros with 3 Tunnels

Dear AstaroNG,

no Problems occurs any more.

I got only a understanding Problem with the x.509-certificates and a new Tunnel.

Astaro 1 is the signing CA / root CA.
Astaro 2 and Astaro 3 is only verification CA.
On Astaro 2 and 3 --> I created a remoteKey for Astaro 1 and i imported the signed keys from Astaro 1 to Astaro 2 and 3.

Now i want to establish a new Tunnel from Astaro2 to Astaro3.
Which Key do I have to import to Which Astaro ---> AND

This thread was automatically locked due to age.

Parents

0 maygyver over 19 years ago

I would do it like this.

on every astaro create a CA and an own certificate.

export each CA and certificate without key.

So each Astaro has its own CA and 2 signing CA's
Each Astaro has ists own certificate and the certificates from the others.

Now just build the tunnel, and everythin is fine.

Astaro user since 2001 - Astaro/Sophos Partner since 2008
Cancel
Vote Up 0 Vote Down

Cancel
0 Krischeu over 19 years ago in reply to maygyver

Hi Macgyver,

isn't it possible with only one ca?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Krischeu over 19 years ago in reply to maygyver

Hi Macgyver,

isn't it possible with only one ca?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Krischeu over 19 years ago in reply to Krischeu

How does cross-certification are different from only one CA?

In the hands on are described, that every FW has it RootCA/SigningCA.

The next step should be --> Host certificates must be issued by the root CA on each side.
What are the meaning?
Normally i am creating a Host CSR on each Side. Than i signed it on the machine i was creating it. After this i will export this and import the *.pem-file with key-included.
This should be done on every side. The remotekey will also be installed on every side.

Am I right with these thoughts?

Any comments are welcome
Cancel
Vote Up 0 Vote Down

Cancel