Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 17
Version 16 (Jean-Michel Pouré, 24.12.2009 09:49) → Version 17/41 (Jean-Michel Pouré, 24.12.2009 10:04)
h1. Setting-up a simple CA using strongSwan PKI tool
This How-To sets up a Certificate Authority (CA) with the strongSwan [[IpsecPKI|PKI]] tool, keeping it as simple as possible.
h2. CA certificate
First, [[IpsecPKIGen|generate]] a private key; by default this produces a 2048 bit RSA key:
<pre>
ipsec pki --gen > caKey.der
</pre>
For a real-world setup, make sure to keep this key private.
Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:
<pre>
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
</pre>
Adjust the distinguished name to your needs; it will be included in all issued certificates.
That's it: your CA is ready to issue certificates.
Never store the private key *caKey.der* of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since a theft of this master signing key will completely compromise your PKI.
h2. End entity certificates
For each peer, generate a private key and [[IpsecPKIIssue|issue]] a certificate using your new CA:
<pre>
ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
--dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
</pre>
The second command [[IpsecPKIPub|extracts the public key]] from the peer's private key and issues a certificate signed by your CA. Distribute the private key and the certificate to your peer.
[fix-me: should we generate a key pair for each peer, including the VPN gateway?]
h2. Install certificates
Certificates and keys are stored in the [[IpsecDirectory|/etc/ipsec.d/]] subdirectory tree:
* *[[/IpsecDirectoryPrivate|/etc/ipsec.d/private/]]peerKey.der* holds the private key of the peer.
* *[[/IpsecDirectoryCerts|/etc/ipsec.d/certs/]]peerCert.der* holds the end entity certificate of the peer.
* *[[/IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]]caCert.der* holds the CA certificate which issued and signed all peer certificates.
[fix-me: should we install these three files on each peer? This does not seem clear to me, sorry, I am a complete newbie.]
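As an added example, not part of the original How-To and not code shipped by strongSwan, the following POSIX shell script chains the three sections above (CA key and certificate, per-peer key and certificate, installation into the /etc/ipsec.d/ tree) and goes slightly beyond the page by handling several peers in a loop. The `ipsec pki` invocations are the ones shown on this page; the peer names (moon, sun, carol), the IPSEC_D variable, the `run` argument, the file modes and the check_tree sanity check are assumptions made for this script.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki): runs the How-To's ipsec pki
# commands for several peers and installs each peer's files into the
# /etc/ipsec.d/ layout described above.
# Assumptions (not on the page): peer names, the IPSEC_D root variable,
# the "run" argument and the file modes are this script's own choices.
set -eu

CA_DN="C=CH, O=strongSwan, CN=strongSwan CA"   # DN used on the page
ORG_DN="C=CH, O=strongSwan"                    # DN prefix shared by all peers

# Create the CA key and the self-signed CA certificate (same commands as the page).
gen_ca() {
    workdir=$1
    ipsec pki --gen > "$workdir/caKey.der"
    chmod 600 "$workdir/caKey.der"
    ipsec pki --self --in "$workdir/caKey.der" --dn "$CA_DN" --ca > "$workdir/caCert.der"
}

# Generate a key for one peer and issue its certificate with the CA.
issue_peer() {
    workdir=$1; peer=$2
    ipsec pki --gen > "$workdir/${peer}Key.der"
    chmod 600 "$workdir/${peer}Key.der"
    ipsec pki --pub --in "$workdir/${peer}Key.der" \
      | ipsec pki --issue --cacert "$workdir/caCert.der" --cakey "$workdir/caKey.der" \
          --dn "$ORG_DN, CN=$peer" > "$workdir/${peer}Cert.der"
}

# Copy one peer's three files into the ipsec.d tree rooted at $root.
# The private key gets mode 0600; certificates are world-readable.
install_peer() {
    workdir=$1; peer=$2; root=$3
    mkdir -p "$root/private" "$root/certs" "$root/cacerts"
    cp "$workdir/${peer}Key.der"  "$root/private/${peer}Key.der"
    cp "$workdir/${peer}Cert.der" "$root/certs/${peer}Cert.der"
    cp "$workdir/caCert.der"      "$root/cacerts/caCert.der"
    chmod 600 "$root/private/${peer}Key.der"
    chmod 644 "$root/certs/${peer}Cert.der" "$root/cacerts/caCert.der"
}

# Sanity check of an installed tree: returns 0 only if the peer's private key
# is mode 0600, the CA certificate is present, and the CA *key* (caKey.der)
# was not copied onto the peer along with it.
check_tree() {
    peer=$1; root=$2
    [ -n "$(find "$root/private/${peer}Key.der" -perm 600 2>/dev/null)" ] || return 1
    [ -f "$root/cacerts/caCert.der" ] || return 1
    [ -z "$(find "$root" -name caKey.der 2>/dev/null)" ] || return 1
    return 0
}

# Only run the real ipsec pki commands when asked to; requires strongSwan.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    gen_ca "$work"
    for p in moon sun carol; do        # constructed peer names
        issue_peer "$work" "$p"
        install_peer "$work" "$p" "${IPSEC_D:-/etc/ipsec.d}"
    done
    echo "CA key left in $work/caKey.der; move it to offline storage."
fi
```

Run it as `IPSEC_D=/tmp/ipsec.d sh setup-ca.sh run` to generate everything into a scratch tree first; check_tree can then be called for each peer before the files are copied to the real gateway, so the CA key never ends up under /etc/ipsec.d/ of an Internet-facing host.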