ipsec pki


ipsec pki --gen     (-g)  generate a new private key
ipsec pki --self    (-s)  create a self signed certificate
ipsec pki --issue   (-i)  issue a certificate using a CA certificate and key
ipsec pki --signcrl (-c)  issue a CRL using a CA certificate and key
ipsec pki --acert   (-z)  issue an attribute certificate
ipsec pki --req     (-r)  create a PKCS#10 certificate request
ipsec pki --pkcs7   (-7)  PKCS#7 wrap/unwrap functions
ipsec pki --pkcs12  (-u)  PKCS#12 functions
ipsec pki --keyid   (-k)  calculate key identifiers of a key/certificate
ipsec pki --print   (-a)  print a credential in a human readable form
ipsec pki --dn      (-d)  extract the subject DN of an X.509 certificate
ipsec pki --pub     (-p)  extract the public key from a private key/certificate
ipsec pki --verify  (-v)  verify a certificate using the CA certificate
ipsec pki --help    (-h)  show usage information


The ipsec pki command suite allows you to run a simple public key infrastructure. With it you can generate RSA and ECDSA key pairs; create PKCS#10 certificate requests containing subjectAltNames; create self-signed X.509 end-entity and root CA certificates; and issue end-entity and intermediate CA certificates that are signed by the private key of a CA and contain subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates, and compute two kinds of SHA-1-based key IDs.

ipsec pki was introduced with strongSwan 4.3.5.
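
The workflow described above, chained end to end as an added example (not part of the original page or the strongSwan project's own scripts): a root CA, one peer certificate carrying a subjectAltName and a CRL distribution point, and a verification of the result. The DNs, host name, CRL URI, key size, lifetimes and file names are constructed sample values; it assumes ipsec is on the PATH and writes the tool's default DER output.

```shell
#!/bin/sh
# Added example: throwaway root CA and one peer certificate via ipsec pki.
# DNs, SAN, CRL URI and file names are constructed sample values.
set -eu

build_demo_pki() {
    (
        cd "$1"
        umask 077    # private keys must not be group/world readable

        # Root CA: key pair, then a self-signed certificate with the CA flag.
        ipsec pki --gen --type rsa --size 3072 > caKey.der
        ipsec pki --self --ca --in caKey.der --lifetime 3650 \
            --dn "C=CH, O=Example, CN=Example Root CA" > caCert.der

        # Peer: key pair; only the public key is passed on for signing.
        ipsec pki --gen --type rsa --size 3072 > peerKey.der
        ipsec pki --pub --in peerKey.der |
            ipsec pki --issue --cacert caCert.der --cakey caKey.der \
                --lifetime 730 \
                --dn "C=CH, O=Example, CN=peer.example.org" \
                --san peer.example.org \
                --crl http://crl.example.org/example.crl > peerCert.der

        # Check that the peer certificate chains to the CA before deploying it.
        ipsec pki --verify --in peerCert.der --cacert caCert.der
    )
}

# Run the demo only where strongSwan is installed.
if command -v ipsec >/dev/null 2>&1; then
    out=$(mktemp -d)
    build_demo_pki "$out"
    echo "credentials written to $out"
else
    echo "ipsec (strongSwan) not found; nothing generated" >&2
fi
```

Only caCert.der, peerCert.der and peerKey.der need to reach the peer; caKey.der stays on the machine that issues certificates.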


  • Set up a simple CA and issue peer certificates