Version 1 - History - Setting-up a Simple CA Using the strongSwan PKI Tool - strongSwan

Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 1

Martin Willi, 16.09.2009 11:23

-Martin Willi
+h1. Setup a simple CA
 Martin Willi
-Martin Willi
+This How-To sets up a Certificate Authority using the strongSwan [[IpsecPKI|PKI]] tool, keeping it as simple as possible.
 Martin Willi
-Martin Willi
+h2. CA certificate
 Martin Willi
-Martin Willi
+First, [[IpsecPKIGen|generate]] a private key, the default generates a 2048 bit RSA key:
-Martin Willi
+<pre>
-Martin Willi
+ipsec pki --gen > cakey.der
-Martin Willi
+</pre>
-Martin Willi
+For a real-world setup, make sure to keep this key private.
 Martin Willi
-Martin Willi
+Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:
-Martin Willi
+<pre>
-Martin Willi
+ipsec pki --self --in cakey.der --dn "C=CH, O=strongSwan, CN=CA" --ca > cacert.der
-Martin Willi
+</pre>
-Martin Willi
+Adjust the distinguished name to your needs, it will be included in all issued certificates.
 Martin Willi
-Martin Willi
+That's it, your CA is ready to issue certificates.
 Martin Willi
-Martin Willi
+h2. End entity certificates
 Martin Willi
-Martin Willi
+For each peer, generate a private key and [[IpsecPKIIssue|issue]] a certificate using your new CA:
 Martin Willi
-Martin Willi
+<pre>
-Martin Willi
+ipsec pki --gen > peerkey.der
 Martin Willi
-Martin Willi
+ipsec pki --pub --in peerkey.der | ipsec pki --issue --cacert cacert.der \
-Martin Willi
+   --cakey cakey.der --dn "C=CH, O=strongSwan, CN=peer"
-Martin Willi
+</pre>
 Martin Willi
-Martin Willi
+The second command [[IpsecPKIPub|extracts the public key]] and issues a certificate using your CA. Distribute private key and certificate to your peer.

Project

General

Profile

strongSwan

Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 1