Setting-up a simple CA using strongSwan PKI tool¶
This How-To sets up a Certificate Authority using strongSwan PKI tool, keeping it as simple as possible.
First, generate a private key, the default generates a 2048 bit RSA key:
ipsec pki --gen > caKey.der
For a real-world setup, make sure to keep this key private.
Now self-sign a CA certificate using the generated key:
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
Adjust the distinguished name to your needs, it will be included in all issued certificates.
That's it, your CA is ready to issue certificates.
End entity certificates¶
For each peer, generate a private key and issue a certificate using your new CA:
ipsec pki --gen > peerKey.der ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \ --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
The second command extracts the public key and issues a certificate using your CA. Distribute private key and certificate to your peer.
Certificates and keys are stored in the /etc/ipsec.d/ subdirectory tree:
- /etc/ipsec.d/private/peerKey.der holds the private key of the peer.
- /etc/ipsec.d/certs/peerCert.der holds the end entitity certificate of the peer.
- /etc/ipsec.d/cacerts/caCert.der holds the CA certificate which issued and signed all peer certificates.
Never store the private key caKey.der of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since a theft of this master signing key will completely compromise your PKI.