Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 24

michael anderl, 08.08.2010 10:34

h1. Setting-up a simple CA using strongSwan PKI tool

Works only with strongSwan > 4.3.5

This How-To sets up a Certificate Authority using the strongSwan [[IpsecPKI|PKI]] tool, keeping it as simple as possible.

h2. CA certificate

First, [[IpsecPKIGen|generate]] a private key; by default this creates a 2048 bit RSA key:

<pre>
ipsec pki --gen > caKey.der
</pre>

For a real-world setup, make sure to keep this key absolutely private.

Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:

<pre>
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
</pre>

Adjust the distinguished name to your needs; it will be included in all issued certificates.

That's it, your CA is ready to issue certificates.

h2. End entity certificates

For *each* peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and [[IpsecPKIIssue|issue]] a matching certificate using your new CA:

<pre>
ipsec pki --gen > peerKey.der

ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
                                             --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
</pre>

The second command [[IpsecPKIPub|extracts the public key]] from the peer key and issues a certificate for it using your CA. Distribute each private key and matching certificate to the corresponding peer.

h2. Install certificates

On *each* peer store the following certificates and keys in the [[IpsecDirectory|/etc/ipsec.d/]] subdirectory tree:

* *[[/IpsecDirectoryPrivate|/etc/ipsec.d/private/]]peerKey.der* holds the private key of the given peer.
* *[[/IpsecDirectoryCerts|/etc/ipsec.d/certs/]]peerCert.der* holds the end entity certificate of the given peer.
* *[[/IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]]caCert.der* holds the CA certificate which issued and signed all peer certificates.

Never store the private key *caKey.der* of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since theft of this master signing key would completely compromise your PKI.
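The whole procedure above, from the CA key to the per-peer /etc/ipsec.d layout, as an added shell script that is not part of this wiki page or of strongSwan itself. The ipsec pki invocations and distinguished names are the ones shown on this page; the directory variables CA_DIR and OUT_DIR, the RUN_PKI switch and the peer names gateway, alice and bob are assumptions. The staging and check functions keep caKey.der out of the installed tree, which is the point of the note above.

```shell
#!/bin/sh
# Added example, not code from the strongSwan wiki: runs the steps above for
# several peers and stages each peer's files the way the list above places
# them under /etc/ipsec.d. CA_DIR, OUT_DIR, RUN_PKI and the peer names are
# assumptions; the DNs and the ipsec pki invocations are the ones on this page.
set -eu

CA_DIR="${CA_DIR:-./ca}"        # assumed: where caKey.der and caCert.der live
OUT_DIR="${OUT_DIR:-./peers}"   # assumed: one subdirectory per issued peer
BASE_DN="C=CH, O=strongSwan"    # DN prefix shared by every certificate

# Compose a distinguished name from the shared prefix and a CN.
make_dn() {
    printf '%s, CN=%s' "$BASE_DN" "$1"
}

# CA certificate section: private key, then self-signed CA certificate.
# umask 077 makes the key file owner-readable only from the moment it is written.
create_ca() {
    mkdir -p "$CA_DIR"
    ( umask 077; ipsec pki --gen > "$CA_DIR/caKey.der" )
    ipsec pki --self --in "$CA_DIR/caKey.der" \
        --dn "$(make_dn 'strongSwan CA')" --ca > "$CA_DIR/caCert.der"
}

# End entity section for one peer ($1): key, then certificate issued by the CA.
issue_peer() {
    dir="$OUT_DIR/$1"
    mkdir -p "$dir"
    ( umask 077; ipsec pki --gen > "$dir/peerKey.der" )
    ipsec pki --pub --in "$dir/peerKey.der" \
        | ipsec pki --issue --cacert "$CA_DIR/caCert.der" --cakey "$CA_DIR/caKey.der" \
              --dn "$(make_dn "$1")" > "$dir/peerCert.der"
}

# Install section: copy one peer's material ($1) into an ipsec.d-style tree
# rooted at $2. Only caCert.der is copied; caKey.der stays in CA_DIR.
install_peer() {
    src="$OUT_DIR/$1"
    root="$2"
    mkdir -p "$root/private" "$root/certs" "$root/cacerts"
    cp "$src/peerKey.der"   "$root/private/peerKey.der"
    chmod 600 "$root/private/peerKey.der"
    cp "$src/peerCert.der"  "$root/certs/peerCert.der"
    cp "$CA_DIR/caCert.der" "$root/cacerts/caCert.der"
}

# Check a staged tree: the three expected files are present and the CA
# private key is not. Returns 0 when the layout matches the list above, 1 otherwise.
check_install() {
    root="$1"
    [ -f "$root/private/peerKey.der" ] || return 1
    [ -f "$root/certs/peerCert.der" ]  || return 1
    [ -f "$root/cacerts/caCert.der" ]  || return 1
    [ -z "$(find "$root" -name caKey.der)" ] || return 1
}

# Full run only on request (RUN_PKI=1), since it needs the strongSwan pki tool.
if [ "${RUN_PKI:-0}" = 1 ]; then
    command -v ipsec >/dev/null 2>&1 || { echo "ipsec pki not found" >&2; exit 1; }
    create_ca
    for peer in gateway alice bob; do    # assumed peer names
        issue_peer "$peer"
        install_peer "$peer" "$OUT_DIR/$peer/ipsec.d"
        check_install "$OUT_DIR/$peer/ipsec.d"
    done
fi
```

Run it on the CA host with `RUN_PKI=1 sh make-pki.sh`; each `peers/<name>/ipsec.d` tree is then copied to that peer's `/etc/ipsec.d`, while `ca/caKey.der` never leaves the CA host. `check_install` is worth running on every peer after copying, because a stray `caKey.der` in the tree is exactly the mistake the note above warns about.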