
Story: 2010940 Task: 50151 Change-Id: If7ffcf0ffb81d0f7952cd92167b992550e7e191e Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
38 lines
1.6 KiB
ReStructuredText
.. WARNING: Add no lines of text between the label immediately following
   .. and the title.

.. _ipsec-certificates-2c0655a2a888:

==================
IPSec Certificates
==================

|prod| uses X.509 certificates for IPsec authentication. The following are the
IPsec-related certificates.

* Certificates in the ``/etc/swanctl/x509/`` directory

  Files in this directory are the IPsec certificates used for peer
  authentication and SA establishment. They are issued by system-local-ca,
  which is managed by cert-manager.

* Private keys in the ``/etc/swanctl/private/`` directory

  Files in this directory are the private keys corresponding to the IPsec
  certificates in the ``/etc/swanctl/x509/`` directory. Together with the
  certificates, they are used for IPsec authentication and SA establishment.

IPsec certificates are valid for 3 months by default. They are monitored and
renewed automatically by the Platform. The IPsec certificates are renewed
(along with the corresponding private keys) when the certificates are within
15 days of expiration.

* Certificates in the ``/etc/swanctl/x509ca/`` directory

  Files in this directory are the root |CA| and intermediate |CA| certificates.
  These are the |CA| certificates that sign the IPsec certificates. With these
  |CA| certificates, a full certificate chain is established. IPsec uses them
  for peer authentication and SA establishment.

When the system's root |CA| certificate is updated (for example, by the user
running ``update_platform_certificates.yml``), the certificates for IPsec,
including the IPsec certificates, their corresponding private keys and the
|CA| certificates, are all updated accordingly.
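As an added example (not part of this document or of the |prod| code), the following stdlib-only Python audit walks the ``/etc/swanctl`` layout described above: it reads each certificate in ``x509/``, extracts ``notAfter`` with a minimal DER walker, flags any certificate that is inside the 15-day renewal window or already expired, and checks that ``private/`` holds a key with the same file name. The same-file-name pairing of certificate and key, and the ``base`` directory argument, are assumptions.

```python
import base64, os, re
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=15)  # the Platform renews certificates inside this window

def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV packed between start and end."""
    while start < end:
        tag, vs, start = _tlv(buf, start)
        yield tag, vs, start

def not_after(der):
    """Return the notAfter timestamp (UTC) of a DER-encoded X.509 certificate."""
    _, s, e = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate SEQUENCE
    fields = list(_children(der, s, e))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    _, vs, ve = fields[3]  # serialNumber, signature, issuer, validity
    (_, _, _), (tag, ns, ne) = _children(der, vs, ve)  # notBefore, notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(der[ns:ne].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def load_der(data):
    """Accept PEM or DER certificate bytes and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def classify(expiry, now):
    """'expired', 'renew-due' (inside the 15-day window) or 'ok'."""
    if expiry <= now:
        return "expired"
    return "renew-due" if expiry - now <= RENEW_WINDOW else "ok"

def audit(base="/etc/swanctl", now=None):
    """Map each certificate file in x509/ to (status, whether private/ has a same-named key)."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for name in sorted(os.listdir(os.path.join(base, "x509"))):
        with open(os.path.join(base, "x509", name), "rb") as f:
            expiry = not_after(load_der(f.read()))
        report[name] = (classify(expiry, now), os.path.exists(os.path.join(base, "private", name)))
    return report
```

A certificate reported as ``renew-due`` with no matching key, or as ``expired``, means the Platform's automatic renewal did not take effect and warrants a look at cert-manager and system-local-ca.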