
Story: 2010940 Task: 50151 Change-Id: If7ffcf0ffb81d0f7952cd92167b992550e7e191e Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
IPsec Certificates
The Platform uses X.509 certificates for IPsec authentication. The following are the IPsec-related certificates.
- Certificates in /etc/swanctl/x509/ directory

  Files in this directory are the IPsec certificates for peer authentication and SA establishment. They are issued by system-local-ca managed by cert-manager.

- Private keys in /etc/swanctl/private/ directory

  Files in this directory are the corresponding private keys of the IPsec certificates in /etc/swanctl/x509/ directory. Together with the certificates, they are used for IPsec authentication and SA establishment.

IPsec certificates are valid for 3 months by default. They are monitored and renewed automatically by the Platform. The IPsec certificates are renewed (along with the corresponding private keys) when the certificates are within 15 days of expiration.

- Certificates in /etc/swanctl/x509ca/ directory

  Files in this directory are the root and intermediate certificates. These are the CA certificates that sign the IPsec certificates. With these certificates, a full certificate chain is established. IPsec uses them to authenticate peers and establish SAs.

When the system's root certificate is updated (for example, by a user running update_platform_certificates.yml), the certificates for IPsec, including the IPsec certificates, the corresponding private keys and the CA certificates, are all updated accordingly.
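
To confirm that renewal is keeping up, an operator can check each certificate in /etc/swanctl/x509/ against the 15-day renewal window and verify it against the CA certificates in /etc/swanctl/x509ca/. The script below is an added example, not part of the platform's tooling; the function names, the output format and the assumption that the files are PEM-encoded are its own.

```shell
#!/bin/sh
# Added example. Directory paths and the 15-day window come from the page;
# function names, output format and PEM encoding are this example's assumptions.
X509_DIR=${X509_DIR:-/etc/swanctl/x509}
X509CA_DIR=${X509CA_DIR:-/etc/swanctl/x509ca}
RENEW_WINDOW_DAYS=${RENEW_WINDOW_DAYS:-15}

# cert_state FILE: print "ok", "renewal-due" (inside the window or already
# expired) or "unreadable" (not a parseable certificate).
cert_state() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend "$((RENEW_WINDOW_DAYS * 86400))" >/dev/null 2>&1
    then echo ok
    else echo renewal-due
    fi
}

# chain_ok FILE: succeed if FILE verifies against the root and intermediate
# certificates found in X509CA_DIR (an expired certificate also fails here).
chain_ok() {
    bundle=$(mktemp) || return 2
    cat "$X509CA_DIR"/* > "$bundle" 2>/dev/null || :
    openssl verify -CAfile "$bundle" "$1" >/dev/null 2>&1 && rc=0 || rc=1
    rm -f "$bundle"
    return "$rc"
}

# audit_ipsec_certs: one tab-separated line per certificate; returns non-zero
# if any certificate is due for renewal, unreadable or fails verification.
audit_ipsec_certs() {
    status=0
    for cert in "$X509_DIR"/*; do
        [ -f "$cert" ] || continue
        state=$(cert_state "$cert")
        if chain_ok "$cert"; then chain=chain-ok; else chain=verify-failed; fi
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || end=notAfter=unknown
        printf '%s\t%s\t%s\t%s\n' "$cert" "$state" "$chain" "${end#notAfter=}"
        [ "$state" = ok ] && [ "$chain" = chain-ok ] || status=1
    done
    return "$status"
}
```

Source the file and call `audit_ipsec_certs` as a user that can read both directories; `X509_DIR` and `X509CA_DIR` can be pointed at copies of the directories for offline checks.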