Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 21
Andreas Steffen, 24.12.2009 11:48
h1. Setting-up a simple CA using the strongSwan PKI tool

This How-To sets up a Certificate Authority using the strongSwan [[IpsecPKI|PKI]] tool, keeping it as simple as possible.

h2. CA certificate

First, [[IpsecPKIGen|generate]] a private key; by default this creates a 2048 bit RSA key:
<pre>
ipsec pki --gen > caKey.der
</pre>
For a real-world setup, make sure to keep this key absolutely private.

Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:
<pre>
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
</pre>
Adjust the distinguished name to your needs; it will appear as the issuer in all certificates this CA issues.

That's it, your CA is ready to issue certificates.

h2. End entity certificates

For *each* peer, i.e. for every VPN client and VPN gateway in your network, generate an individual private key and [[IpsecPKIIssue|issue]] a matching certificate using your new CA:

<pre>
ipsec pki --gen > peerKey.der

ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
  --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
</pre>

The second command [[IpsecPKIPub|extracts the public key]] from the peer key and pipes it into the CA, which issues a certificate for it. Distribute each private key and its matching certificate to the corresponding peer.

h2. Install certificates

On *each* peer store the following certificates and keys in the [[IpsecDirectory|/etc/ipsec.d/]] subdirectory tree:

* *[[/IpsecDirectoryPrivate|/etc/ipsec.d/private/]]peerKey.der* holds the private key of the given peer.
* *[[/IpsecDirectoryCerts|/etc/ipsec.d/certs/]]peerCert.der* holds the end entity certificate of the given peer.
* *[[/IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]]caCert.der* holds the CA certificate which issued and signed all peer certificates.

Never store the private key *caKey.der* of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since theft of this master signing key would completely compromise your PKI.
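The following script is an added example and is not part of the strongSwan wiki or the pki tool itself. It chains the @ipsec pki@ commands from the sections above into a small helper: it creates the CA once, issues a key and certificate per peer, stages exactly the three files a peer needs so that caKey.der cannot be shipped by accident, and installs them into the /etc/ipsec.d tree with the private key at mode 0600. The variables PKI_DIR and DN_BASE, the function names and the script name pki-helper.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the strongSwan wiki: wraps the `ipsec pki`
# commands of the How-To plus the install step on the peer.
# Assumed (hypothetical) names: PKI_DIR holds caKey.der/caCert.der on the
# CA host, DN_BASE is the C/O part of every DN, the install root defaults
# to /etc/ipsec.d as on the page.
set -eu

PKI_DIR="${PKI_DIR:-.}"
DN_BASE="${DN_BASE:-C=CH, O=strongSwan}"

# Create caKey.der and caCert.der once. The key is written under umask 077
# in a subshell, so it is 0600 from the moment it exists.
create_ca() {
    if [ ! -f "$PKI_DIR/caKey.der" ]; then
        ( umask 077; ipsec pki --gen > "$PKI_DIR/caKey.der" )
        ipsec pki --self --in "$PKI_DIR/caKey.der" \
            --dn "$DN_BASE, CN=strongSwan CA" --ca > "$PKI_DIR/caCert.der"
    fi
}

# Generate a private key for one peer and issue its certificate (CN = peer name).
issue_peer() {
    name="$1"
    ( umask 077; ipsec pki --gen > "$PKI_DIR/${name}Key.der" )
    ipsec pki --pub --in "$PKI_DIR/${name}Key.der" \
        | ipsec pki --issue --cacert "$PKI_DIR/caCert.der" --cakey "$PKI_DIR/caKey.der" \
              --dn "$DN_BASE, CN=$name" > "$PKI_DIR/${name}Cert.der"
}

# Stage exactly the three files a peer needs; caKey.der is deliberately not among them.
stage_bundle() {
    name="$1"; out="$2"
    mkdir -p "$out"
    cp "$PKI_DIR/${name}Key.der" "$PKI_DIR/${name}Cert.der" "$PKI_DIR/caCert.der" "$out/"
}

# Last check before a bundle leaves the CA host: the three expected files must
# be present and nothing else (in particular no caKey.der) may be in it.
check_bundle() {
    name="$1"; out="$2"
    for f in "${name}Key.der" "${name}Cert.der" caCert.der; do
        [ -f "$out/$f" ] || { echo "missing $f in $out" >&2; return 1; }
    done
    for f in "$out"/*; do
        case "$(basename "$f")" in
            "${name}Key.der"|"${name}Cert.der"|caCert.der) ;;
            *) echo "unexpected file $f in bundle" >&2; return 1 ;;
        esac
    done
}

# On the peer: place the files in the ipsec.d tree with least-privilege modes.
install_bundle() {
    name="$1"; src="$2"; root="${3:-/etc/ipsec.d}"
    install -d -m 700 "$root/private"
    install -d -m 755 "$root/certs" "$root/cacerts"
    install -m 600 "$src/${name}Key.der"  "$root/private/${name}Key.der"
    install -m 644 "$src/${name}Cert.der" "$root/certs/${name}Cert.der"
    install -m 644 "$src/caCert.der"      "$root/cacerts/caCert.der"
}

# True if a key file grants no permission bits to group or others
# (columns 5-10 of `ls -l` are the group and other rwx triplets).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Usage on the CA host:  sh pki-helper.sh --issue <peer>
if [ "${1:-}" = "--issue" ]; then
    peer="${2:?peer name required}"
    create_ca
    issue_peer "$peer"
    stage_bundle "$peer" "bundle-$peer"
    check_bundle "$peer" "bundle-$peer"
    echo "bundle-$peer is ready to be copied to $peer"
fi
```

Run it on the CA host as @sh pki-helper.sh --issue gateway1@, copy the resulting @bundle-gateway1@ directory to that peer, and call @install_bundle gateway1 bundle-gateway1@ there. The CA key never enters a bundle, and @check_bundle@ is meant to be the last thing that runs before files leave the CA host.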