<div>Hi,</div>
<div> </div>
<div>Maybe this will help:</div>
<div> </div>
<div>1. use the standard procedure for generating certs in DER form only, as below</div>
<div> </div>
<div>=========================================================</div>
<div>CA certificate<br>------------------<br>First, generate a private key; the default generates a 2048-bit RSA key:</div>
<div><br>ipsec pki --gen > caKey.der</div>
<div>For a real-world setup, make sure to keep this key absolutely private.</div>
<div>Now self-sign a CA certificate using the generated key:<br>--------------------------------------------------------</div>
<div>ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA" --ca > caCert.der</div>
<div>Adjust the distinguished name to your needs, it will be included in all issued certificates.</div>
<div>That's it, your CA is ready to issue certificates.</div>
<div>End entity certificates<br>-----------------------<br>For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:</div>
<div>ipsec pki --gen > peerKey.der</div>
<div>ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=IN, O=strongSwan, CN=peer" > peerCert.der</div>
<div>=========================================================================</div>
<div> </div>
<div>2. Next use the below sample commands to convert the DER certs/keys to PEM</div>
<div> </div>
<div>--------------------------------------------------------------------------------<br>convert cert from pem to der encoding and vice-versa<br>-----------------------------------------------------------------------------------</div>
<div>#openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der </div>
<div>To convert a certificate from PEM to DER:</div>
<div>#openssl x509 -in input.pem -inform PEM -out output.crt -outform DER</div>
<div>To convert a certificate from DER to PEM:</div>
<div>#openssl x509 -in input.crt -inform DER -out output.pem -outform PEM</div>
<div>To convert a key from PEM to DER:</div>
<div>#openssl rsa -in input.key -inform PEM -out output.key -outform DER</div>
<div>To convert a key from DER to PEM:</div>
<div>#openssl rsa -in input.key -inform DER -out output.key -outform PEM<br></div>
<div> </div>
<div>hope this helps</div>
<div>regards</div>
<div><br><br> </div>
<div class="gmail_quote">On Sun, Dec 2, 2012 at 8:35 AM, Chris Arnold <span dir="ltr"><<a href="mailto:carnold@electrichendrix.com" target="_blank">carnold@electrichendrix.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">I am trying to run:<br>ipsec pki --self --in iOScaKey.pem --dn "C=CH, O=ELC, CN=strongSwan CA" --ca --outform pem > iOScaCert.pem<br>
and get:<br>/usr/lib64/ipsec/pki: unrecognized option '--outform'<br><br>Is this because we are running 4.5.x of strongSwan? If so, how can we produce a pem with ipsec pki tool in 4.5?<br><br>_______________________________________________<br>
Users mailing list<br><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote></div><br>
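<div>As an added example (not part of the reply above and not strongSwan's or OpenSSL's own code): what the openssl x509 / openssl rsa -outform PEM step actually does is base64-encode the DER bytes and wrap them in BEGIN/END lines, so a PEM file can be produced from a pki-generated DER file with nothing more than that. The script below does the conversion in both directions and, before wrapping, checks that the input really is one complete DER SEQUENCE (both certificates and RSA keys start with tag 0x30), so a truncated or misnamed file is rejected instead of becoming a PEM file that fails later in a less obvious place. The sample inputs are constructed minimal DER structures, not real certificates or keys.</div>

```python
import base64
from typing import Optional

# Constructed sample inputs (not real certificates or keys): minimal DER
# SEQUENCEs used only to exercise the conversion code.
SAMPLE_DER = bytes.fromhex("3006020101020102")            # SEQUENCE { INTEGER 1, INTEGER 2 }
LONG_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"\x00" * 126  # long-form length field (0x81 0x80)


def der_total_length(buf: bytes) -> int:
    """Return the encoded size of the outer DER SEQUENCE in buf, or raise ValueError.

    X.509 certificates and PKCS#1 RSA keys both start with a SEQUENCE (tag 0x30);
    anything else is not what `openssl x509` or `openssl rsa` expects to read.
    """
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte must be 0x30")
    first = buf[1]
    if first < 0x80:                        # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length field")
    length = int.from_bytes(buf[2:2 + n], "big")
    if length < 0x80 or buf[2] == 0:        # DER requires the shortest encoding
        raise ValueError("non-minimal DER length encoding")
    return 2 + n + length


def der_to_pem(der: bytes, label: str) -> str:
    """Wrap DER bytes as PEM: 64-column base64 body between BEGIN/END lines."""
    if der_total_length(der) != len(der):
        raise ValueError("DER length field does not match input size")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str, expected_label: Optional[str] = None) -> bytes:
    """Extract the first PEM block and return its DER bytes, checking the labels."""
    lines = [ln.strip() for ln in pem.splitlines()]
    try:
        start = next(i for i, ln in enumerate(lines)
                     if ln.startswith("-----BEGIN ") and ln.endswith("-----"))
    except StopIteration:
        raise ValueError("no PEM BEGIN line found") from None
    label = lines[start][len("-----BEGIN "):-len("-----")]
    if expected_label is not None and label != expected_label:
        raise ValueError(f"expected {expected_label!r} block, found {label!r}")
    end_marker = f"-----END {label}-----"
    try:
        end = lines.index(end_marker, start + 1)
    except ValueError:
        raise ValueError(f"missing {end_marker}") from None
    der = base64.b64decode("".join(lines[start + 1:end]), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("decoded body is not a single complete DER SEQUENCE")
    return der


if __name__ == "__main__":
    # Round-trip the constructed sample through PEM and back.
    pem = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    print(pem, end="")
    assert pem_to_der(pem, "CERTIFICATE") == SAMPLE_DER
```

<div>To convert a file produced by ipsec pki, read caCert.der in binary mode and pass it to der_to_pem with the label "CERTIFICATE" (for an RSA key file use "RSA PRIVATE KEY", which is the label openssl rsa writes). The length check is the part worth keeping even if you only ever use openssl for the conversion: a DER file whose length field disagrees with its size has been truncated or is not DER at all.</div>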