[strongSwan] Ipsec pki Tool Question

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Wed Mar 20 18:36:14 CET 2013


Maybe this will help:

1. Use the standard procedure for generating certs in DER form only, as:

CA certificate
First, generate a private key; the default generates a 2048-bit RSA key:

ipsec pki --gen > caKey.der
For a real-world setup, make sure to keep this key absolutely private.
Now self-sign a CA certificate using the generated key:
ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA" \
    --ca > caCert.der
Adjust the distinguished name to your needs; it will be included in all
issued certificates.
That's it, your CA is ready to issue certificates.
End entity certificates
For each peer, i.e. for all VPN clients and VPN gateways in your network,
generate an individual private key and issue a matching certificate using
your new CA:
ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der \
    --cakey caKey.der --dn "C=IN, O=strongSwan, CN=peer" > peerCert.der

2. Next, use the sample commands below to convert the DER certs/keys to PEM:

Convert a cert from PEM to DER encoding and vice versa:
#openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der
To convert a certificate from PEM to DER:
#openssl x509 -in input.pem -inform PEM -out output.crt -outform DER
To convert a certificate from DER to PEM:
#openssl x509 -in input.crt -inform DER -out output.pem -outform PEM
To convert a key from PEM to DER:
#openssl rsa -in input.key -inform PEM -out output.key -outform DER
To convert a key from DER to PEM:
#openssl rsa -in input.key -inform DER -out output.key -outform PEM

hope this helps

On Sun, Dec 2, 2012 at 8:35 AM, Chris Arnold <carnold at electrichendrix.com> wrote:

> I am trying to run:
> ipsec pki --self --in iOScaKey.pem --dn "C=CH, O=ELC, CN=strongSwan CA"
> --ca --outform pem > iOScaCert.pem
> and get:
> /usr/lib64/ipsec/pki: unrecognized option '--outform'
> Is this because we are running 4.5.x of strongSwan? If so, how can we
> produce a pem with ipsec pki tool in 4.5?
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
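What the openssl conversion commands in the reply above actually do, as an added Python example that is not part of the original thread and not strongSwan or OpenSSL code: a PEM file is the DER bytes base64-encoded in 64-column lines between BEGIN/END marker lines, so the two formats can be converted and, just as important, told apart before you pass the wrong -inform to openssl. The sample input is a constructed minimal DER SEQUENCE standing in for caCert.der (it is not a real certificate), and all function names are this example's own. The same check works for the PKCS#1 RSA keys that `ipsec pki --gen` writes, since they are also a single DER SEQUENCE; only the PEM label ("RSA PRIVATE KEY") differs.

```python
import base64
import re

# Constructed sample input (NOT a real certificate): a minimal DER
# SEQUENCE { INTEGER 1, INTEGER 2 }. It stands in for caCert.der so the
# example runs offline; real input is the output of `ipsec pki`.
SAMPLE_DER = bytes.fromhex("30 06 02 01 01 02 01 02")

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_tlv_length(data: bytes):
    """Byte length of the outermost DER TLV in data, or None when the
    header is truncated or uses the indefinite (BER-only) length form."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                     # short form: one length octet
        return 2 + first
    n = first & 0x7F                     # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def is_der(data: bytes) -> bool:
    """True when data is exactly one DER SEQUENCE (certificates and
    PKCS#1 keys both start with tag 0x30) with nothing missing or extra."""
    return len(data) >= 2 and data[0] == 0x30 and der_tlv_length(data) == len(data)


def detect_format(data: bytes) -> str:
    """Classify a file's bytes as 'PEM', 'DER' or 'unknown'."""
    if PEM_BLOCK.search(data):
        return "PEM"
    if is_der(data):
        return "DER"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Same transformation as `openssl x509 -inform DER -outform PEM`:
    base64 of the DER bytes, wrapped at 64 columns, between marker lines."""
    if not is_der(der):
        raise ValueError("input is not a single well-formed DER object")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode()
    return b"\n".join([b"-----BEGIN " + tag + b"-----", *lines,
                       b"-----END " + tag + b"-----"]) + b"\n"


def pem_to_der(pem: bytes) -> bytes:
    """Same transformation as `openssl x509 -inform PEM -outform DER`;
    rejects a body that does not decode to one complete DER object."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    body = b"".join(m.group(2).split())  # drop line breaks and whitespace
    der = base64.b64decode(body, validate=True)
    if not is_der(der):
        raise ValueError("PEM body does not decode to a well-formed DER object")
    return der


def convert(data: bytes, label: str = "CERTIFICATE") -> bytes:
    """Convert whichever encoding is given to the other one."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return pem_to_der(data)
    if fmt == "DER":
        return der_to_pem(data, label)
    raise ValueError("input is neither PEM nor DER")


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem.decode(), end="")
    assert pem_to_der(pem) == SAMPLE_DER
```

Running `detect_format` over a file before choosing -inform avoids the usual "unable to load certificate" failure, and the DER length check catches a file that was cut short in transfer, which base64 decoding alone would not notice.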