ipsec pki
Synopsis
ipsec pki --gen     (-g)  generate a new private key
ipsec pki --pub     (-p)  extract the public key from a private key/certificate
ipsec pki --req     (-r)  create a PKCS#10 certificate request
ipsec pki --self    (-s)  create a self signed certificate
ipsec pki --issue   (-i)  issue a certificate using a CA certificate and key
ipsec pki --keyid   (-k)  calculate key identifiers of a key/certificate
ipsec pki --verify  (-v)  verify a certificate using the CA certificate
ipsec pki --signcrl (-c)  issue a CRL using a CA certificate and key
ipsec pki --print   (-a)  print a credential in a human readable form
ipsec pki --help    (-h)  show usage information
Description
The ipsec pki command suite allows you to run a simple public key infrastructure. With it you can generate RSA and ECDSA key pairs, create PKCS#10 certificate requests containing subjectAltNames, create X.509 self-signed end-entity and root CA certificates, and issue end-entity and intermediate CA certificates that are signed by the private key of a CA and contain subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates, and compute two kinds of SHA1-based key IDs.
- ipsec pki --gen
- ipsec pki --pub
- ipsec pki --req
- ipsec pki --self
- ipsec pki --issue
- ipsec pki --keyid
- ipsec pki --verify
- ipsec pki --signcrl
- ipsec pki --print
ipsec pki was introduced with strongSwan 4.3.5.
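The subcommands from the Description chained into one workflow, as an added example that is not part of the original page: a root CA is created with --gen and --self, a peer key is generated, its public key is extracted with --pub and certified with --issue, and the result is checked with --verify. The function name, file names, DNs, SAN and key sizes are constructed sample values.

```shell
#!/bin/sh
# Added example: throwaway root CA plus one peer certificate using ipsec pki.
# build_demo_pki, the file names, DNs, SAN and key sizes are sample values.

build_demo_pki() {
    dir=$1

    # Return 127 when strongSwan's pki tool is not available on this host.
    ipsec pki --help >/dev/null 2>&1 || return 127

    mkdir -p "$dir" || return 1

    (
        # Keys are written to disk unencrypted: keep them owner-only.
        umask 077 &&
        cd "$dir" &&

        # 1. CA private key and self-signed root CA certificate (DER output).
        ipsec pki --gen --type rsa --size 4096 > caKey.der &&
        ipsec pki --self --in caKey.der --ca \
            --dn "C=CH, O=Example, CN=Example Root CA" > caCert.der &&

        # 2. Peer private key, generated separately from the CA key.
        ipsec pki --gen --type rsa --size 2048 > peerKey.der &&

        # 3. Only the raw public key is handed to the CA for signing;
        #    the peer's private key is never read by --issue.
        ipsec pki --pub --in peerKey.der |
            ipsec pki --issue --cacert caCert.der --cakey caKey.der \
                --dn "C=CH, O=Example, CN=peer.example.org" \
                --san peer.example.org > peerCert.der &&

        # 4. Check the issued certificate against the CA certificate.
        ipsec pki --verify --in peerCert.der --cacert caCert.der >/dev/null
    )
}
```

Calling `build_demo_pki ./demo-pki` leaves caKey.der, caCert.der, peerKey.der and peerCert.der in that directory; `ipsec pki --print --in ./demo-pki/peerCert.der` then shows the issued certificate in readable form.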
How-To's
- Set up a simple CA and issue peer certificates