Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 2

Version 1 (Martin Willi, 16.09.2009 11:23) → Version 2/41 (Andreas Steffen, 17.10.2009 09:01)

h1. Setup a simple CA

This How-To sets up a Certificate Authority using the strongSwan [[IpsecPKI|PKI]] tool, keeping it as simple as possible.

h2. CA certificate

First, [[IpsecPKIGen|generate]] a private key; by default this creates a 2048 bit RSA key:
<pre>
ipsec pki --gen > caKey.der
</pre>
For a real-world setup, make sure to keep this key private.

Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:
<pre>
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
</pre>
Adjust the distinguished name to your needs; it will appear as the issuer in all certificates this CA signs.

That's it, your CA is ready to issue certificates.

h2. End entity certificates

For each peer, generate a private key and [[IpsecPKIIssue|issue]] a certificate using your new CA:

<pre>
ipsec pki --gen > peerKey.der

ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
    --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
</pre>

The second command [[IpsecPKIPub|extracts the public key]] from the peer key and issues a certificate for it using your CA. Distribute the private key and the certificate to the peer.
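As an added example (not part of the original How-To), the following script wraps the steps above into two shell functions, keeps the private keys readable only by their owner, and checks each issued certificate against the CA with @ipsec pki --verify@ before it is handed out. It assumes the strongSwan pki tool is installed as @ipsec pki@; the directory layout, peer name and lifetimes are our own choices.

```shell
#!/bin/sh
# Added example: ipsec pki CA workflow with key protection and a verify step.
# Assumes "ipsec pki" (strongSwan) is installed; paths/lifetimes are our choice.

# setup_ca DIR DN: 2048-bit RSA CA key plus a self-signed CA certificate in DIR.
setup_ca() {
  mkdir -p "$1"
  # Subshell umask: the key file is created owner-readable only (0600).
  ( umask 077; ipsec pki --gen > "$1/caKey.der" )
  ipsec pki --self --in "$1/caKey.der" --dn "$2" --ca \
      --lifetime 3650 > "$1/caCert.der"
  chmod 644 "$1/caCert.der"          # the CA certificate itself is public
}

# issue_peer DIR NAME DN: peer key, public-key extraction, signing, verification.
issue_peer() {
  mkdir -p "$1/$2"
  ( umask 077; ipsec pki --gen > "$1/$2/peerKey.der" )
  # Same pipeline as the How-To: public key on stdin, CA key signs it.
  ipsec pki --pub --in "$1/$2/peerKey.der" |
      ipsec pki --issue --cacert "$1/caCert.der" --cakey "$1/caKey.der" \
          --dn "$3" --lifetime 365 > "$1/$2/peerCert.der"
  # Fail loudly if the new certificate does not chain to our CA or is expired.
  ipsec pki --verify --in "$1/$2/peerCert.der" --cacert "$1/caCert.der"
}

# Usage (only runs when executed directly with the tool present):
if [ "${0##*/}" = "simpleca.sh" ] && command -v ipsec >/dev/null 2>&1; then
  setup_ca ./pki "C=CH, O=strongSwan, CN=strongSwan CA"
  issue_peer ./pki moon "C=CH, O=strongSwan, CN=moon"
fi
```

Save it as @simpleca.sh@ to have the usage block at the bottom create @./pki@ with the CA and one peer called @moon@.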