Version 25 (Tobias Brunner, 18.05.2011 17:26) → Version 26/40 (Tobias Brunner, 05.09.2012 17:04)

h1. Setting-up a simple CA using strongSwan PKI tool

Works only with strongSwan >= [[4.3.5]].

This How-To sets up a Certificate Authority using strongSwan's [[IpsecPKI|PKI tool]], keeping it as simple as possible.

h2. CA certificate

First, [[IpsecPKIGen|generate]] a private key; by default this creates a 2048 bit RSA key (if this command blocks, refer to [[IpsecPKIGen#Problems-on-Hosts-with-Low-Entropy|this note about hosts with low entropy]]):
<pre>
ipsec pki --gen > caKey.der
</pre>
For a real-world setup, make sure to keep this key absolutely private.

Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:
<pre>
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
</pre>
Adjust the distinguished name to your needs; it will be included as the issuer in all certificates the CA issues.

That's it, your CA is ready to issue certificates.

h2. End entity certificates

For *each* peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and [[IpsecPKIIssue|issue]] a matching certificate using your new CA:

<pre>
ipsec pki --gen > peerKey.der

ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
    --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
</pre>

The second command [[IpsecPKIPub|extracts the public key]] and issues a certificate using your CA. Distribute each private key and matching certificate to the corresponding peer.

h2. Install certificates

On *each* peer store the following certificates and keys in the [[IpsecDirectory|/etc/ipsec.d/]] subdirectory tree:

* *[[/IpsecDirectoryPrivate|/etc/ipsec.d/private/]]peerKey.der* holds the private key of the given peer.
* *[[/IpsecDirectoryCerts|/etc/ipsec.d/certs/]]peerCert.der* holds the end entity certificate of the given peer.
* *[[/IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]]caCert.der* holds the CA certificate which issued and signed all peer certificates.

Never store the private key *caKey.der* of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since a theft of this master signing key will completely compromise your PKI.
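The whole procedure above, scripted for one CA and several peers, as an added example that is not part of the strongSwan wiki. It assumes @ipsec pki@ (strongSwan >= 4.3.5) is installed, uses constructed DNs and peer names (moon, sun, carol), and stages each peer's files in a local tree mirroring the /etc/ipsec.d/ layout of the install section instead of writing to /etc/ipsec.d/ directly, so the CA key never leaves the CA host.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki). Builds a CA with
# `ipsec pki`, then issues one key/certificate pair per peer and lays
# the files out per peer exactly as they must be installed under
# /etc/ipsec.d/. DNs, peer names and paths are constructed values.
set -eu

CA_DN="C=CH, O=strongSwan, CN=strongSwan CA"   # issuer DN (sample value)
BASE_DN="C=CH, O=strongSwan"                    # prefix for every peer DN
OUT="${OUT:-./pki-out}"                         # staging tree on the CA host

# Peer DN = base DN plus the peer name as CN.
peer_dn() {
    printf '%s, CN=%s\n' "$BASE_DN" "$1"
}

# Where a file belongs in the peer's staging tree; mirrors
# /etc/ipsec.d/{private,certs,cacerts}.  $1 = key|cert|cacert, $2 = peer
install_path() {
    case "$1" in
        key)    printf '%s\n' "$OUT/$2/etc/ipsec.d/private/${2}Key.der" ;;
        cert)   printf '%s\n' "$OUT/$2/etc/ipsec.d/certs/${2}Cert.der" ;;
        cacert) printf '%s\n' "$OUT/$2/etc/ipsec.d/cacerts/caCert.der" ;;
        *)      return 1 ;;
    esac
}

# Generate the CA key (owner-readable only) and self-sign the CA cert.
make_ca() {
    mkdir -p "$OUT/ca"
    (umask 077; ipsec pki --gen > "$OUT/ca/caKey.der")
    ipsec pki --self --in "$OUT/ca/caKey.der" --dn "$CA_DN" --ca > "$OUT/ca/caCert.der"
}

# Generate a peer key, issue its certificate with the CA, and add a copy
# of the CA certificate; only this peer's subtree is shipped to the peer.
issue_peer() {
    key=$(install_path key "$1"); cert=$(install_path cert "$1"); cacert=$(install_path cacert "$1")
    mkdir -p "$(dirname "$key")" "$(dirname "$cert")" "$(dirname "$cacert")"
    (umask 077; ipsec pki --gen > "$key")
    ipsec pki --pub --in "$key" | ipsec pki --issue --cacert "$OUT/ca/caCert.der" \
        --cakey "$OUT/ca/caKey.der" --dn "$(peer_dn "$1")" > "$cert"
    cp "$OUT/ca/caCert.der" "$cacert"
}

main() { make_ca; for p in "$@"; do issue_peer "$p"; done; }
if [ $# -gt 0 ]; then main "$@"; fi   # e.g.: sh thisscript.sh moon sun carol
```

After running it, copy only `$OUT/<peer>/etc/ipsec.d/` to that peer; `$OUT/ca/caKey.der` stays on the CA host.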