ECDSA Secret
For the private key file, both absolute paths and paths relative to /etc/ipsec.d/private are accepted. If the private key file is encrypted, the passphrase must be defined. Instead of a passphrase, %prompt can be used, which causes the daemons to ask the user for the password whenever it is required to decrypt the key.
Notation
: ECDSA <private key file> [ <passphrase> | %prompt ]
Encountered problems
Sometimes an ECDSA key fails to load for no apparent reason, and without an error message that points to a problem with access rights. When that is the case, try converting the private key into DER format and loading it again.
Examples
: ECDSA moonKey.pem
: ECDSA sunKey.der "cjen4*lWnr3jsk"
Creation of an ECDSA key using OpenSSL 0.9.8
You can create an ECDSA key with the openssl ecparam command.
openssl ecparam -list_curves
gives you a huge list of available elliptic curves, but IKEv2 currently supports only the following three curves:
prime256v1 secp384r1 secp521r1
The creation of an EC key goes like this:
openssl ecparam -genkey -name secp384r1 -noout -out ecKey.pem
Verify the content of the key:
openssl ec -in ecKey.pem -text
read EC key
Private-Key: (384 bit)
priv:
    3c:75:17:c3:97:0b:b4:28:42:8c:b6:f5:56:57:32:
    2b:c1:ff:e2:ee:62:25:38:04:b1:6a:f5:23:48:e1:
    ba:79:ff:56:64:88:74:92:b7:c2:49:ab:8c:ff:b2:
    7c:6c:b3
pub:
    04:f2:cd:ca:ae:37:38:8d:98:e0:1c:f4:26:59:af:
    41:4d:fb:4f:d1:20:10:fb:88:b3:4a:b3:9b:a7:69:
    dc:0b:5c:ef:06:22:6b:8e:08:c3:c2:74:1b:36:12:
    8b:ee:45:c5:f8:3b:73:6f:0a:a4:c9:7c:e1:e9:a8:
    e2:c9:7c:6f:f1:69:b4:45:ab:d3:45:89:41:6e:68:
    9d:9a:d2:ee:fd:1a:a1:e6:ca:3f:4a:6b:0d:db:a5:
    ef:93:95:4f:8c:4c:31
ASN1 OID: secp384r1
writing EC key
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDA8dRfDlwu0KEKMtvVWVzIrwf/i7mIlOASxavUjSOG6ef9WZIh0krfC
SauM/7J8bLOgBwYFK4EEACKhZANiAATyzcquNziNmOAc9CZZr0FN+0/RIBD7iLNK
s5unadwLXO8GImuOCMPCdBs2EovuRcX4O3NvCqTJfOHpqOLJfG/xabRFq9NFiUFu
aJ2a0u79GqHmyj9Kaw3bpe+TlU+MTDE=
-----END EC PRIVATE KEY-----
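As an added example (not part of this wiki page or of strongSwan's own code), the two checks above in standard-library Python: the PEM-to-DER conversion suggested under Encountered problems, plus a minimal walk of the RFC 5915 ECPrivateKey structure to confirm the key's named curve is one of the three IKEv2 supports. The sample input is the secp384r1 key printed above; the function names are my own.

```python
import base64
import re

# Named curves IKEv2 accepts, keyed by the DER-encoded OID in the key's parameters field
SUPPORTED_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",          # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1",          # 1.3.132.0.35
}
# Sample input: the unencrypted secp384r1 key printed by `openssl ec -text` above
PAGE_KEY_PEM = """-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDA8dRfDlwu0KEKMtvVWVzIrwf/i7mIlOASxavUjSOG6ef9WZIh0krfC
SauM/7J8bLOgBwYFK4EEACKhZANiAATyzcquNziNmOAc9CZZr0FN+0/RIBD7iLNK
s5unadwLXO8GImuOCMPCdBs2EovuRcX4O3NvCqTJfOHpqOLJfG/xabRFq9NFiUFu
aJ2a0u79GqHmyj9Kaw3bpe+TlU+MTDE=
-----END EC PRIVATE KEY-----"""

def pem_to_der(pem: str) -> bytes:
    """Base64-decode the PEM body: that is the DER the daemons load. Encrypted bodies are refused."""
    if "Proc-Type: 4,ENCRYPTED" in pem:
        raise ValueError("encrypted PEM: decrypt with `openssl ec` before converting")
    m = re.search(r"-----BEGIN EC PRIVATE KEY-----(.*?)-----END EC PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a SEC1 'EC PRIVATE KEY' block (PKCS#8 says 'BEGIN PRIVATE KEY')")
    return base64.b64decode("".join(m.group(1).split()))

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def ec_key_curve(der: bytes) -> str:
    """Walk RFC 5915 ECPrivateKey { version, privateKey, parameters [0] OID, ... } and name the curve."""
    tag, pos, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DER does not start with a SEQUENCE")
    for expected in (0x02, 0x04):        # version INTEGER, then the private scalar OCTET STRING
        tag, _, pos = _tlv(der, pos)     # step over each element's value
        if tag != expected:
            raise ValueError(f"unexpected tag 0x{tag:02x}, wanted 0x{expected:02x}")
    tag, vstart, _ = _tlv(der, pos)      # parameters [0] must be present and hold a named curve
    if tag != 0xA0:
        raise ValueError("no curve parameters: the daemons need a named curve")
    oid_tag, ostart, oend = _tlv(der, vstart)
    if oid_tag != 0x06:
        raise ValueError("curve parameters are not an OID")
    return SUPPORTED_CURVES.get(der[ostart:oend], "unsupported")
```

Writing `pem_to_der(...)` to a file gives the `.der` form the Examples section loads; a key that reports "unsupported" will not be usable by the daemons regardless of its format.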