Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 31

Tobias Brunner, 25.04.2016 14:31
PKCS#12 is not Android specific (and the app does not actually allow importing PKCS#12 files)

1 27 Tobias Brunner
{{title(Setting-up a Simple CA Using the strongSwan PKI Tool)}}
2 1 Martin Willi
3 27 Tobias Brunner
h1. Setting-up a Simple CA Using the strongSwan PKI Tool
4 23 michael anderl
5 27 Tobias Brunner
6 1 Martin Willi
7 27 Tobias Brunner
This how-to sets up a Certificate Authority using strongSwan's [[IpsecPKI|PKI tool]] (available since [[4.3.5]]), keeping it as simple as possible.
8 1 Martin Willi
9 27 Tobias Brunner
h2. CA Certificate
10 27 Tobias Brunner
11 27 Tobias Brunner
First, [[IpsecPKIGen|generate]] a private key, the default generates a 2048 bit RSA key (if this command blocks, refer to [[IpsecPKIGen#Problems-on-Hosts-with-Low-Entropy|this note about hosts with low entropy]]):
12 26 Tobias Brunner
13 1 Martin Willi
ipsec pki --gen > caKey.der
14 1 Martin Willi
15 27 Tobias Brunner
16 1 Martin Willi
For a real-world setup, make sure to keep this key absolutely private.
17 1 Martin Willi
18 1 Martin Willi
Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:
19 1 Martin Willi
20 1 Martin Willi
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
21 2 Andreas Steffen
22 1 Martin Willi
23 27 Tobias Brunner
Adjust the _distinguished name (DN)_ to your needs, it will be included in all issued certificates.
24 1 Martin Willi
25 27 Tobias Brunner
That's it, your CA is ready to issue end-entity certificates.
26 17 Jean-Michel Pouré
27 27 Tobias Brunner
h2. End Entity Certificates
28 27 Tobias Brunner
29 1 Martin Willi
For *each* peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and [[IpsecPKIIssue|issue]] a matching certificate using your new CA:
30 1 Martin Willi
31 1 Martin Willi
32 1 Martin Willi
ipsec pki --gen > peerKey.der
33 1 Martin Willi
34 1 Martin Willi
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
35 1 Martin Willi
                                             --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
36 1 Martin Willi
37 1 Martin Willi
38 27 Tobias Brunner
The second command [[IpsecPKIPub|extracts the public key]] and [[IpsecPKIIssue|issues a certificate]] using your CA.
39 27 Tobias Brunner
40 27 Tobias Brunner
If you want to add _subjectAltName_ extensions to your certificates use the _--san_ option (can be provided multiple times), for instance, @--san or @--san It is recommended to include the hostname of a gateway as _subjectAltName_ in its certificate.
41 1 Martin Willi
42 27 Tobias Brunner
Depending on your clients there may be additional requirements imposed on gateway certificates, for instance, the [[Win7CertReq|Windows 7 certificate requirements]] or those for [[IOS_(Apple)#Certificate-requirements-for-iOS-interoperability|iOS and Mac OS X clients]].
43 27 Tobias Brunner
44 27 Tobias Brunner
Distribute each private key and matching certificate to the corresponding peer.
45 27 Tobias Brunner
46 27 Tobias Brunner
h2. Certificate Revocation Lists (CRL)
47 27 Tobias Brunner
48 27 Tobias Brunner
In case end entity certificates have to be revoked, Certificate Revocation Lists (CRLs) may be generated with the [[IpsecPkiSigncrl|ipsec pki --signcrl]] command:
49 27 Tobias Brunner
50 27 Tobias Brunner
51 27 Tobias Brunner
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
52 27 Tobias Brunner
53 27 Tobias Brunner
54 27 Tobias Brunner
The certificate given with @--cacert@ must be either a CA certificate or a certificate with the _crlSign_ extended key usage (@--flag crlSign@).
55 27 Tobias Brunner
56 27 Tobias Brunner
When [[IpsecPKIIssue|issuing certificates]] an URL to a CRL may be added with the @--crl@ argument.
57 27 Tobias Brunner
58 1 Martin Willi
h2. Install certificates
59 1 Martin Willi
60 1 Martin Willi
On *each* peer store the following certificates and keys in the [[IpsecDirectory|/etc/ipsec.d/]] subdirectory tree:
61 4 Jean-Michel Pouré
62 1 Martin Willi
* *[[/IpsecDirectoryPrivate|/etc/ipsec.d/private/]]peerKey.der* holds the private key of the given peer.
63 18 Andreas Steffen
* *[[/IpsecDirectoryCerts|/etc/ipsec.d/certs/]]peerCert.der* holds the end entitity certificate of the given peer.
64 5 Jean-Michel Pouré
* *[[/IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]]caCert.der* holds the CA certificate which issued and signed all peer certificates.
65 19 Andreas Steffen
66 19 Andreas Steffen
Never store the private key *caKey.der* of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since a theft of this master signing key will completely compromise your PKI.
67 27 Tobias Brunner
68 27 Tobias Brunner
Optionally, the CRL may be stored in the following directory (if the certificate contains an URL to a CRL, it will be fetched on demand):
69 27 Tobias Brunner
70 27 Tobias Brunner
* *[[/IpsecDirectoryCrls|/etc/ipsec.d/crls/]]crl.der* holds the CRL signed by the CA (or a certificate containing the _crlSign_ EKU).
71 28 Carl-Daniel Hailfinger
72 31 Tobias Brunner
h3. Install certificates in other platforms
73 28 Carl-Daniel Hailfinger
74 31 Tobias Brunner
To import certificates on most other systems, they must be bundled together with the required CA certificate and private key into a @PKCS#12@ file.
75 30 Noel Kuntze
The certificates and the private key have to be in @PEM@ format for @openssl pkcs12@ to find them acceptable. @DER@ format is not accepted by it.
76 31 Tobias Brunner
Either use @--outform pem@ with the @pki@ commands above to generate the files in PEM format (@pki@ accepts both formats) or convert with
77 31 Tobias Brunner
the commands below. The files can be bundled into a @PKCS#12@ file by replacing the file names in the following examples:
78 30 Noel Kuntze
79 30 Noel Kuntze
To convert a @X.509@ certificate from @DER@ to @PEM@
80 31 Tobias Brunner
81 1 Martin Willi
82 1 Martin Willi
openssl x509 -inform der -outform pem -in caCert.der -out caCert.pem
83 1 Martin Willi
84 31 Tobias Brunner
85 31 Tobias Brunner
To convert an @RSA@ key from @DER@ to @PEM@
86 31 Tobias Brunner
87 1 Martin Willi
88 30 Noel Kuntze
openssl rsa -inform der -outform pem -in peerKey.der -out peerKey.pem
89 1 Martin Willi
90 31 Tobias Brunner
91 31 Tobias Brunner
To package all of the files into a @PKCS#12@ container
92 31 Tobias Brunner
93 30 Noel Kuntze
94 1 Martin Willi
openssl pkcs12 -in peerCert.pem -inkey peerKey.pem -certfile caCert.pem -export -out peer.p12
95 28 Carl-Daniel Hailfinger
96 28 Carl-Daniel Hailfinger
97 31 Tobias Brunner
The @peer.p12@ file contains everything needed and is ready for the import on other systems.