Issue #3494

How to create self CA and public key in encryption algorithms of ECDSA 521

Added by Tom Hsiung about 2 months ago. Updated about 2 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: -
Affected version: 5.6.2
Resolution:
Description

I created an ECDSA private key via:

ipsec pki --gen type ecdsa --size 521 --outform pem > /PKI/1.pem

But I cannot self-sign the CA by:

ipsec pki --self --ca --lifetime 3650 --in /PKI/1.pem --type ecdsa --dn "CN=strongSwan root CA" --outform pem > /PKI/c/2.pem

Error:

building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
loading private key failed

Tom

History

#1 Updated by Tobias Brunner about 2 months ago

  • Status changed from New to Feedback

> I created an ECDSA private key via:
>
> ipsec pki --gen type ecdsa --size 521 --outform pem > /PKI/1.pem

You forgot -- before type, so this does not actually produce an ECDSA key but a very weak, 528-bit RSA key.

#2 Updated by Tom Hsiung about 2 months ago

OK.

Now it says,

no private key found for 'server'

I did add the private key into the ipsec.secrets file.

Tom

#3 Updated by Tom Hsiung about 2 months ago

Just forgot to change the RSA to ECDSA.

Now it works.

However, I want to switch site2site certificates from RSA to ECDSA too. But I don't know how to make an ECDSA certificate request. I know that for RSA.

First,

ipsec pki --req --in ~/pki/private/gateway-key.pem --dn "CN=server_domain_or_IP" --san "server_domain_or_IP" --outform pem > ~/pki/certs/gateway-req.pem

Then,

ipsec pki --issue --type pkcs10 --in ~/pki/certs/gateway-req.pem --lifetime 1825 --cacert ~/pki/cacerts/ca-cert.pem --cakey ~/pki/private/ca-key.pem --flag serverAuth --flag ikeIntermediate --outform pem > ~/pki/certs/gateway-cert.pem

#4 Updated by Tobias Brunner about 2 months ago

> However, I want to switch site2site certificates from RSA to ECDSA too. But I don't know how to make an ECDSA certificate request. I know that for RSA.

There is no difference.
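The complete ECDSA procedure discussed in this thread (key generation, self-signed CA, request, issue) as an added example script; it is not code from the issue or from the strongSwan project. It adds a PEM header check that catches the mistyped `type` case from #1 before the key is used, and the directory layout, gateway DN and SAN are assumed placeholders.

```shell
# Added example (not from the thread or strongSwan): the ECDSA workflow from
# this issue, with a guard that refuses to continue when the generated key is
# not an EC key, i.e. the symptom of writing "type" instead of "--type".
# Assumed/constructed: the directory layout, the gateway DN and SAN.
set -e

# Classify a PEM private key by its first line, as strongSwan's pki writes it:
# "rsa", "ecdsa", "pkcs8" (generic header, algorithm not visible) or "unknown".
pem_key_algo() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN RSA PRIVATE KEY-----') echo rsa ;;
    '-----BEGIN EC PRIVATE KEY-----')  echo ecdsa ;;
    '-----BEGIN PRIVATE KEY-----')     echo pkcs8 ;;
    *)                                 echo unknown ;;
  esac
}

# Return non-zero (and explain) when the key on disk is not the algorithm asked for.
require_key_algo() {
  actual=$(pem_key_algo "$1")
  [ "$actual" = "$2" ] && return 0
  echo "error: $1 holds a $actual key, expected $2 (check the --type option)" >&2
  return 1
}

# Key generation, self-signed CA, request and issue, all with --type given.
# The request/issue steps are the same as for RSA; --type on --req and --self
# names the type of the input key.
ecdsa_pki_workflow() {
  dir=$1
  mkdir -p "$dir"
  ipsec pki --gen --type ecdsa --size 521 --outform pem > "$dir/ca-key.pem"
  require_key_algo "$dir/ca-key.pem" ecdsa
  ipsec pki --self --ca --lifetime 3650 --in "$dir/ca-key.pem" --type ecdsa \
    --dn "CN=strongSwan root CA" --outform pem > "$dir/ca-cert.pem"
  ipsec pki --gen --type ecdsa --size 521 --outform pem > "$dir/gateway-key.pem"
  require_key_algo "$dir/gateway-key.pem" ecdsa
  ipsec pki --req --type ecdsa --in "$dir/gateway-key.pem" \
    --dn "CN=gw.example.test" --san "gw.example.test" --outform pem > "$dir/gateway-req.pem"
  ipsec pki --issue --type pkcs10 --in "$dir/gateway-req.pem" --lifetime 1825 \
    --cacert "$dir/ca-cert.pem" --cakey "$dir/ca-key.pem" \
    --flag serverAuth --flag ikeIntermediate --outform pem > "$dir/gateway-cert.pem"
}

# Run the real workflow only where strongSwan's pki tool is installed and a
# target directory is given, e.g. PKI_DIR=/PKI sh ecdsa-pki.sh
if [ -n "${PKI_DIR:-}" ] && command -v ipsec >/dev/null 2>&1; then
  ecdsa_pki_workflow "$PKI_DIR"
fi
```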