Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 40

Carl-Daniel Hailfinger, 25.10.2020 20:46
Mention how to use Certificate Requests

{{title(Setting-up a Simple CA Using the strongSwan PKI Tool)}}

h1. Setting-up a Simple CA Using the strongSwan PKI Tool

{{>toc}}

This how-to sets up a Certificate Authority using strongSwan's [[IpsecPKI|PKI tool]] (available since version:4.3.5), keeping it as simple as possible.

h2. CA Certificate

First, [[IpsecPKIGen|generate]] a private key. The default is a 2048 bit RSA key; use @--type@ and/or @--size@ to specify other key types and lengths (if this command blocks, refer to [[IpsecPKIGen#Problems-on-Hosts-with-Low-Entropy|this note about hosts with low entropy]]):

<pre>
pki --gen > caKey.der
</pre>

For a real-world setup, make sure to keep this key absolutely private.

Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:

<pre>
pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
</pre>

Adjust the _distinguished name (DN)_ to your needs (refer to [[IdentityParsing#Supported-RDN-Types|the list of supported RDN types]]); it will be included in all issued certificates.

That's it, your CA is ready to issue end-entity certificates.

h2. End Entity Certificates

For *each* peer, i.e. for all VPN clients and VPN gateways in your network, [[IpsecPKIgen|generate]] an individual private key and [[IpsecPKIIssue|issue]] a matching certificate using your new CA:

<pre>
pki --gen > peerKey.der

pki --issue --in peerKey.der --type priv --cacert caCert.der --cakey caKey.der \
            --dn "C=CH, O=strongSwan, CN=peer" --san peer > peerCert.der

# or, when using older versions:

pki --pub --in peerKey.der | pki --issue --cacert caCert.der --cakey caKey.der \
                                         --dn "C=CH, O=strongSwan, CN=peer" --san peer > peerCert.der
</pre>

The second command (shown last, in the form for older versions) [[IpsecPKIPub|extracts the public key]] and [[IpsecPKIIssue|issues a certificate]] using your CA.

Again, adjust the DN and SAN to your needs ([[IdentityParsing#Supported-RDN-Types|supported RDN types]]).

If you want to add _subjectAltName_ extensions to your certificates, use the @--san@ option (can be provided multiple times), for instance, @--san vpn.strongswan.org@ or <code>--san peer@strongswan.org</code>. It is recommended to include the hostname of a gateway as _subjectAltName_ in its certificate.

Depending on your clients there may be additional requirements imposed on gateway certificates, for instance, the [[Win7CertReq|Windows 7 certificate requirements]] or those for [[IOS_(Apple)#Certificate-requirements-for-iOS-interoperability|iOS and Mac OS X clients]].

Distribute each private key and matching certificate to the corresponding peer.

h3. Generating Certificate Requests and Signing them

If you don't want to generate all private keys centrally to distribute them, but instead want decentralized private key generation, please see the section "Generating a Host or User End Entity Certificate":https://github.com/strongswan/strongswan/blob/master/README.md#generating-a-host-or-user-end-entity-certificate in the file README.md in the strongswan source tree.

h2. Certificate Revocation Lists (CRL)

In case end entity certificates have to be revoked, Certificate Revocation Lists (CRLs) may be generated with the [[IpsecPkiSigncrl|ipsec pki --signcrl]] command:

<pre>
pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
</pre>

The certificate given with @--cacert@ must be either a CA certificate or a certificate with the _crlSign_ extended key usage (@--flag crlSign@).

When [[IpsecPKIIssue|issuing certificates]], a URL to a CRL may be added with the @--crl@ argument.

h2. Install certificates

On *each* peer store *its own* credentials as follows.

Never store the private key *caKey.der* of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since a theft of this master signing key will completely compromise your PKI.

h3. Configuration with [[swanctl.conf]]

Store the certificates and keys in the [[SwanctlDirectory|/etc/swanctl/]] tree:

* */etc/swanctl/(rsa|ecdsa|pkcs8)/peerKey.der* holds the private key of the given peer (the directory depends on the type of key) and is loaded automatically. Passwords may be configured in [[swanctl.conf]].
* */etc/swanctl/x509/peerCert.der* holds the end-entity certificate of the given peer and is loaded automatically. Reference it in [[swanctl.conf]] to explicitly use it.
* */etc/swanctl/x509ca/caCert.der* holds the CA certificate which issued and signed all peer certificates and is loaded automatically.

Optionally, the CRL may be stored in the following directory (if the certificate contains a URL to a CRL, it will be fetched on demand):

* */etc/swanctl/x509crl/crl.der* holds the CRL signed by the CA (or by a certificate containing the _crlSign_ EKU).

h3. Configuration with [[ipsec.conf]]/[[ipsec.secrets]]

Store the certificates and keys in the [[IpsecDirectory|/etc/ipsec.d/]] tree:

* *[[IpsecDirectoryPrivate|/etc/ipsec.d/private/]]peerKey.der* holds the private key of the given peer. Configure it in [[ipsec.secrets]] to load it.
* *[[IpsecDirectoryCerts|/etc/ipsec.d/certs/]]peerCert.der* holds the end-entity certificate of the given peer. Reference it in [[ipsec.conf]] to use it.
* *[[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]]caCert.der* holds the CA certificate which issued and signed all peer certificates and is loaded automatically.

Optionally, the CRL may be stored in the following directory (if the certificate contains a URL to a CRL, it will be fetched on demand):

* *[[IpsecDirectoryCrls|/etc/ipsec.d/crls/]]crl.der* holds the CRL signed by the CA (or by a certificate containing the _crlSign_ EKU).

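A check for the storage rules in the two configuration sections above, as an added example that is not part of the strongSwan documentation: it flags private keys that group or others can access and any copy of the CA key found in a peer's credential tree. The function name @audit_creds@, the @caKey.*@ file-name pattern and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a strongSwan credential tree on a peer.
# Assumptions: the CA key uses the page's file name (caKey.der, caKey.pem)
# and private keys should carry no group/other permission bits.

# Sub-directories that hold private keys in the swanctl and ipsec.d layouts.
KEY_DIRS="rsa ecdsa pkcs8 private"

# audit_creds ROOT
# Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
audit_creds() {
    root=$1
    report=$(
        # 1. Private keys must not be accessible by group or others.
        for d in $KEY_DIRS; do
            [ -d "$root/$d" ] || continue
            for bit in 040 020 010 004 002 001; do
                find "$root/$d" -type f -perm "-$bit"
            done | sort -u | sed 's/^/LOOSE-PERMS /'
        done
        # 2. The CA signing key must never be stored on a peer or gateway.
        find "$root" -type f -name 'caKey.*' | sed 's/^/CA-KEY-PRESENT /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: ./audit.sh /etc/swanctl   or   ./audit.sh /etc/ipsec.d
if [ $# -gt 0 ]; then
    audit_creds "$1"
fi
```

Running @umask 077@ in the shell before @pki --gen > peerKey.der@ creates the key file without group or other access in the first place.
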
h3. Install certificates in other platforms

To import certificates on most other systems, they must be bundled together with the required CA certificate and private key into a PKCS#12 file.
The certificates and the private key have to be in PEM format for @openssl pkcs12@ to accept them; it does not accept DER format.
Either use @--outform pem@ with the @pki@ commands above to generate the files in PEM format (@pki@ accepts both formats) or convert with the commands below. The files can be bundled into a PKCS#12 file by replacing the file names in the following examples:

To convert an X.509 certificate from DER to PEM:

<pre>
openssl x509 -inform der -outform pem -in caCert.der -out caCert.pem
</pre>

To convert an RSA key from DER to PEM:

<pre>
openssl rsa -inform der -outform pem -in peerKey.der -out peerKey.pem
</pre>

To package all of the files into a PKCS#12 container:

<pre>
openssl pkcs12 -in peerCert.pem -inkey peerKey.pem -certfile caCert.pem -export -out peer.p12
</pre>

The @peer.p12@ file contains everything needed and is ready for the import on other systems.

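A pre-flight check to run before the @openssl pkcs12 -export@ step, as an added example that is not part of the strongSwan documentation: it confirms that all three inputs are PEM, that the private key belongs to the certificate, and that the certificate chains to the CA being bundled. The function name @p12_preflight@ is hypothetical, and the example assumes an unencrypted private key.

```shell
#!/bin/sh
# Added example: sanity-check the PEM inputs of "openssl pkcs12 -export".
# Assumptions: file names as on this page, private key not password-protected.

# p12_preflight CERT KEY CA
# Prints "ok" and returns 0, or prints the first problem and returns 1.
p12_preflight() {
    cert=$1 key=$2 ca=$3

    # openssl pkcs12 needs PEM input; DER files carry no PEM armor line.
    for f in "$cert" "$key" "$ca"; do
        grep -q -e '-----BEGIN ' "$f" 2>/dev/null ||
            { echo "not PEM: $f"; return 1; }
    done

    # The private key must match the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "unreadable certificate: $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "unreadable private key: $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate"; return 1; }

    # The certificate must have been issued by the CA that gets bundled.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate not issued by $ca"; return 1; }

    echo ok
}

# Stand-alone use: ./preflight.sh peerCert.pem peerKey.pem caCert.pem
if [ $# -eq 3 ]; then
    p12_preflight "$1" "$2" "$3"
fi
```
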

On Android 4.4 and later, you may get a warning ("Network may be monitored by an unknown third party") if the @peer.p12@ file contains the CA certificate. To avoid that, create the PKCS#12 file without the CA certificate by omitting the @-certfile caCert.pem@ argument.
Then import the @peer.p12@ file into the Android trust store as usual and the @caCert.pem@ file directly [[AndroidVPNClient|into the strongSwan app]].