Setting-up a Simple CA Using the strongSwan PKI Tool (wiki history, version 1)

Martin Willi, 16.09.2009 11:23

h1. Setup a simple CA
This How-To sets up a Certificate Authority using the strongSwan [[IpsecPKI|PKI]] tool, keeping it as simple as possible.
h2. CA certificate

First, [[IpsecPKIGen|generate]] a private key; by default this produces a 2048-bit RSA key:

<pre>
ipsec pki --gen > cakey.der
</pre>

For a real-world setup, keep this key private: it signs every certificate the CA issues, so anyone who obtains it can mint certificates that all your peers will trust. Store it with restrictive permissions, readable only by the CA operator, and preferably on a machine that is not reachable from the peers.
Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:

<pre>
ipsec pki --self --in cakey.der --dn "C=CH, O=strongSwan, CN=CA" --ca > cacert.der
</pre>

Adjust the distinguished name to your needs; it becomes the issuer name in every certificate this CA issues. The @--ca@ flag marks the certificate as a CA (basicConstraints CA:TRUE); without it, peers will not accept certificates signed with this key.

That's it, your CA is ready to issue certificates.
h2. End entity certificates
For each peer, generate a private key and [[IpsecPKIIssue|issue]] a certificate using your new CA:

<pre>
ipsec pki --gen > peerkey.der

ipsec pki --pub --in peerkey.der | ipsec pki --issue --cacert cacert.der \
   --cakey cakey.der --dn "C=CH, O=strongSwan, CN=peer" > peercert.der
</pre>

The second command [[IpsecPKIPub|extracts the public key]] from the peer's private key and hands it to the CA, which issues a certificate for it. Distribute the private key and the certificate to your peer over a protected channel. Note that @--issue@ only ever needs the public key: in a real-world setup each peer can generate its own key, send just the output of @ipsec pki --pub@ to the CA, and receive the issued certificate back, so the private key never leaves the peer.
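The two sections above, CA setup and end-entity issuance, run end to end as one script, as an added example that is not part of this wiki page or of the strongSwan project. It wraps the same @ipsec pki@ calls in functions and then checks the result independently with OpenSSL: that the CA certificate really carries CA:TRUE, that the peer certificate chains to it, and that the certificate matches the peer's private key. The output directory, the distinguished names, the lifetimes, the subjectAltName @peer.example.org@ and the helper names (@setup_ca@, @issue_peer@, @ca_is_marked_ca@, @verify_peer@, @key_matches_cert@) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki page): run the how-to end to end
# with "ipsec pki", then check the result with OpenSSL instead of trusting the
# tool under test. Directory, DNs, lifetimes, SAN and helper names are
# illustrative assumptions of this example.
set -eu

# Every file is created 0600; certificates are relaxed to 0644 afterwards,
# private keys stay readable by the CA operator only.
umask 077

# Generate the CA key and self-sign the CA certificate (--ca sets CA:TRUE).
setup_ca() {
    dir="$1"; ca_dn="$2"
    mkdir -p "$dir"
    ipsec pki --gen --type rsa --size 2048 > "$dir/cakey.der"
    ipsec pki --self --in "$dir/cakey.der" --dn "$ca_dn" --ca \
        --lifetime 3650 > "$dir/cacert.der"
    chmod 644 "$dir/cacert.der"
}

# Generate a peer key and issue its certificate. Only the public key,
# extracted with --pub, is fed to --issue; the CA never needs the private key.
issue_peer() {
    dir="$1"; name="$2"; peer_dn="$3"; san="$4"
    ipsec pki --gen --type rsa --size 2048 > "$dir/${name}key.der"
    ipsec pki --pub --in "$dir/${name}key.der" \
        | ipsec pki --issue --cacert "$dir/cacert.der" --cakey "$dir/cakey.der" \
              --dn "$peer_dn" --san "$san" --lifetime 730 > "$dir/${name}cert.der"
    chmod 644 "$dir/${name}cert.der"
}

# Succeeds only if the CA certificate carries basicConstraints CA:TRUE
# (a forgotten --ca would make every issued certificate useless).
ca_is_marked_ca() {
    openssl x509 -inform der -in "$1/cacert.der" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds only if the peer certificate chains to the CA certificate.
verify_peer() {
    dir="$1"; name="$2"
    openssl x509 -inform der -in "$dir/cacert.der" -out "$dir/cacert.pem"
    openssl x509 -inform der -in "$dir/${name}cert.der" -out "$dir/${name}cert.pem"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/${name}cert.pem" > /dev/null
}

# Succeeds only if the certificate was issued for the peer's private key
# (same RSA modulus in the key file and in the certificate).
key_matches_cert() {
    dir="$1"; name="$2"
    key_mod=$(openssl rsa -inform der -in "$dir/${name}key.der" -noout -modulus)
    cert_mod=$(openssl x509 -inform der -in "$dir/${name}cert.der" -noout -modulus)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Stand-alone run: build a CA and one peer certificate in a fresh directory.
if command -v ipsec > /dev/null 2>&1 && command -v openssl > /dev/null 2>&1; then
    OUTDIR="${OUTDIR:-$(mktemp -d)}"
    setup_ca "$OUTDIR" "C=CH, O=strongSwan, CN=CA"
    issue_peer "$OUTDIR" peer "C=CH, O=strongSwan, CN=peer" peer.example.org
    ca_is_marked_ca "$OUTDIR"
    verify_peer "$OUTDIR" peer
    key_matches_cert "$OUTDIR" peer
    echo "CA and peer certificate written to $OUTDIR, chain verified"
else
    echo "ipsec (strongSwan) and openssl are required to run this example" >&2
fi
```

Run it as @sh simple-ca.sh@ on a host with strongSwan and OpenSSL installed; set @OUTDIR@ to keep the files somewhere other than a temporary directory. The checks are deliberately done with OpenSSL so that a mistake in the @ipsec pki@ invocation is caught by a second implementation rather than by the tool that produced the files.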