Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 30
ipsec pki --gen > caKey.der
For a real-world setup, make sure to keep this key absolutely private.
Now self-sign a CA certificate using the generated key:
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
Adjust the distinguished name (DN) to your needs; it will be included in all issued certificates.
That's it, your CA is ready to issue end-entity certificates.
End Entity Certificates
For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:
ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
    --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
If you want to add subjectAltName extensions to your certificates, use the --san option (can be provided multiple times), for instance, --san vpn.strongswan.org or --san firstname.lastname@example.org. It is recommended to include the hostname of a gateway as subjectAltName in its certificate.
Distribute each private key and matching certificate to the corresponding peer.
Certificate Revocation Lists (CRL)
In case end entity certificates have to be revoked, Certificate Revocation Lists (CRLs) may be generated with the ipsec pki --signcrl command:
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
The certificate given with --cacert must be either a CA certificate or a certificate with the crlSign extended key usage (
When issuing certificates, a URL to a CRL may be added with the
On each peer store the following certificates and keys in the /etc/ipsec.d/ subdirectory tree:
- /etc/ipsec.d/private/peerKey.der holds the private key of the given peer.
- /etc/ipsec.d/certs/peerCert.der holds the end entity certificate of the given peer.
- /etc/ipsec.d/cacerts/caCert.der holds the CA certificate which issued and signed all peer certificates.
Never store the private key caKey.der of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since a theft of this master signing key will completely compromise your PKI.
Optionally, the CRL may be stored in the following directory (if the certificate contains a URL to a CRL, it will be fetched on demand):
- /etc/ipsec.d/crls/crl.der holds the CRL signed by the CA (or a certificate containing the crlSign EKU).
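A check for the peer layout and the CA-key rule described above, as an added example that is not part of the original page or of strongSwan. The function name audit_ipsec_tree, the finding labels, and the rule that files in private/ carry no group/other permission bits are assumptions made here; the file names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not strongSwan code: audit a peer's ipsec.d tree.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Usage: audit_ipsec_tree /etc/ipsec.d
audit_ipsec_tree() {
    root=${1:-/etc/ipsec.d}
    out=$(
        # Files each peer needs, with the names used on this page.
        for f in private/peerKey.der certs/peerCert.der cacerts/caCert.der; do
            [ -s "$root/$f" ] || echo "MISSING $f"
        done

        # The CA signing key must never be on a peer. This is a name-based
        # check, so a renamed copy of the key is not detected.
        (cd "$root" && find . -type f -name 'caKey*') 2>/dev/null |
            sed 's|^\./|CA_KEY_PRESENT |'

        # Assumption: files in private/ carry no group or other permission bits.
        (cd "$root" && find private -type f \( -perm -040 -o -perm -020 \
            -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \)) 2>/dev/null |
            sed 's|^|LOOSE_PERMS |'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run it on each gateway and client after distributing keys; any CA_KEY_PRESENT finding means the signing key has left the CA host.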
Install certificates in Android
To import certificates into the strongSwan Android app, they must be bundled together with the required CA certificate and private key into a
The certificates and the private key have to be in PEM format for openssl pkcs12 to find them acceptable. DER format is not accepted by it.
The files can be bundled into a PKCS#12 file by replacing the file names from the following examples:
To convert an X.509 certificate from
openssl x509 -inform der -outform pem -in caCert.der -out caCert.pem
To convert a
openssl rsa -inform der -outform pem -in peerKey.der -out peerKey.pem
To package all of the files into a
openssl pkcs12 -in peerCert.pem -inkey peerKey.pem -certfile caCert.pem -export -out peer.p12
The peer.p12 file can then be imported in the Android app and contains everything needed by the strongSwan app.