Setting-up a Simple CA Using the strongSwan PKI Tool » History » Version 7
Version 6 (Jean-Michel Pouré, 24.12.2009 09:15) → Version 7/40 (Jean-Michel Pouré, 24.12.2009 09:17)
h1. Setting up a simple CA using the strongSwan PKI tool
This How-To sets up a Certificate Authority using the strongSwan [[IpsecPKI|PKI]] tool, keeping it as simple as possible.
h2. CA certificate
First, [[IpsecPKIGen|generate]] a private key; by default this generates a 2048 bit RSA key:
<pre>
ipsec pki --gen > caKey.der
</pre>
For a real-world setup, make sure to keep this key private.
Now [[IpsecPKISelf|self-sign]] a CA certificate using the generated key:
<pre>
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
</pre>
Adjust the distinguished name to your needs; it will be included in all issued certificates.
That's it, your CA is ready to issue certificates.
h2. End entity certificates
For each peer, generate a private key and [[IpsecPKIIssue|issue]] a certificate using your new CA:
<pre>
ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
    --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
</pre>
The second command [[IpsecPKIPub|extracts the public key]] and issues a certificate using your CA. Distribute the private key and certificate to your peer.
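The CA and peer steps above as one script, with the two checks a practitioner wants before distributing anything: the private key files are readable by their owner only (the "keep this key private" point above), and the issued certificate actually verifies against the CA certificate. This is an added example, not code from the strongSwan wiki or project; the DN values and file names are the page's, CA_DIR is an arbitrary working directory chosen here, and @ipsec pki --verify --in ... --cacert ...@ is assumed to be available in your strongSwan release.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki): the How-To's CA and peer steps
# as one script, plus permission and chain checks before distribution.
# Assumptions: CA_DIR is an arbitrary working directory; DN values and file
# names follow the page; `ipsec pki --verify --in --cacert` is assumed present.
set -eu

CA_DIR="${CA_DIR:-./simple-ca}"

# Succeed only if the file has no group/other permission bits (0600, 0400, ...).
# GNU stat first, BSD/macOS stat as fallback.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    mode=$(printf '%03d' "$mode")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Generate a private key so it is never group/world-readable, even briefly:
# the umask in the subshell applies to the redirection that creates the file.
gen_key() {
    ( umask 077; ipsec pki --gen > "$1" )
    key_is_private "$1"
}

# Create the CA: private key plus self-signed CA certificate (page's commands).
build_ca() {
    mkdir -p "$CA_DIR"
    gen_key "$CA_DIR/caKey.der"
    ipsec pki --self --in "$CA_DIR/caKey.der" \
        --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > "$CA_DIR/caCert.der"
}

# Issue an end entity certificate for peer $1 (used as CN and file prefix).
issue_peer() {
    peer="$1"
    gen_key "$CA_DIR/${peer}Key.der"
    ipsec pki --pub --in "$CA_DIR/${peer}Key.der" | \
        ipsec pki --issue --cacert "$CA_DIR/caCert.der" --cakey "$CA_DIR/caKey.der" \
        --dn "C=CH, O=strongSwan, CN=${peer}" > "$CA_DIR/${peer}Cert.der"
    # Verify the chain before handing the files out; a non-zero exit aborts (set -e).
    ipsec pki --verify --in "$CA_DIR/${peer}Cert.der" --cacert "$CA_DIR/caCert.der"
}

# Run the whole procedure only when the strongSwan pki tool is installed.
if command -v ipsec >/dev/null 2>&1; then
    build_ca
    issue_peer moon
    issue_peer carol
else
    echo "ipsec not found; install strongSwan to run the CA steps" >&2
fi
```

The permission check is deliberately strict: a CA key that is readable by any other account lets that account issue certificates your gateways will trust, so the script refuses to continue rather than warn.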
h2. Install certificates
Certificates are stored in /etc/ipsec.d subdirectories.
Here we take the example of Moon (gateway) and Carol (peer).
On moon:
* /etc/ipsec.d/[fix-me]/moonKey.der holds the public key of your CA.
* /etc/ipsec.d/[fix-me]/moonKey.der holds the private key of your CA.
On carol:
* /etc/ipsec.d/[fix-me]/carolKey.der holds the public key for your certificate.
* /etc/ipsec.d/[fix-me]/carolKey.der holds the private key for your certificate.