Project

General

Profile

Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 25

« Previous - Version 25/37 (diff) - Next » - Current version
Tobias Brunner, 18.05.2011 17:26


Setting-up a simple CA using strongSwan PKI tool

Works only with strongSwan >= 4.3.5.

This How-To sets up a Certificate Authority using strongSwan's PKI tool, keeping it as simple as possible.

CA certificate

First, generate a private key, the default generates a 2048 bit RSA key:

ipsec pki --gen > caKey.der

For a real-world setup, make sure to keep this key absolutely private.

Now self-sign a CA certificate using the generated key:

ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der

Adjust the distinguished name to your needs, it will be included in all issued certificates.

That's it, your CA is ready to issue certificates.

End entity certificates

For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:

ipsec pki --gen > peerKey.der

ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
                                             --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der

The second command extracts the public key and issues a certificate using your CA. Distribute each private key and matching certificate to the corresponding peer.

Install certificates

On each peer store the following certificates and keys in the /etc/ipsec.d/ subdirectory tree:

Never store the private key caKey.der of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since a theft of this master signing key will completely compromise your PKI.