strongSwan

h1. Setting-up a simple CA using strongSwan PKI tool

This How-To sets up a Certificate Authority using strongSwan [[IpsecPKI|PKI]] tool, keeping it as simple as possible.

h2. CA certificate

First, [[IpsecPKIGen|generate]] a private key, the default generates a 2048 bit RSA key:

<pre>

ipsec pki --gen > caKey.der

</pre>

For a real-world setup, make sure to keep this key private.

Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:

<pre>

ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der

</pre>

Adjust the distinguished name to your needs, it will be included in all issued certificates.

That's it, your CA is ready to issue certificates.

h2. End entity certificates

For each peer, generate a private key and [[IpsecPKIIssue|issue]] a certificate using your new CA:

<pre>

ipsec pki --gen > peerKey.der

ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der 

                                             --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der

</pre>

The second command [[IpsecPKIPub|extracts the public key]] and issues a certificate using your CA. Distribute private key and certificate to your peer.

h2. Install certificates

Certificates and keys are stored in the [[IpsecDirectory|/etc/ipsec.d/]] subdirectory tree:

* *[[/IpsecDirectoryPrivate|/etc/ipsec.d/private/]]peerKey.der* holds the private key of the peer.

* *[[/IpsecDirectoryCerts|/etc/ipsec.d/certs/]]peerCert.der* holds the end entitity certificate of the peer.

* *[[/IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]]caCert.der* holds the CA certificate which issued and signed all peer certificates.

Never store the private key *caKey.der* of the Certification Authority (CA) on a VPN gateway with direct access to the Internet since a theft of this key will completely compromise your PKI.