[strongSwan] Ipsec pki Tool Question

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Wed Mar 20 18:36:14 CET 2013


Hi,

Maybe this will help:

1. use the standard procedure for generating certs in DER form only, as
below

=========================================================
CA certificate
------------------
First, generate a private key, the default generates a 2048 bit RSA key:

ipsec pki --gen > caKey.der
For a real-world setup, make sure to keep this key absolutely private.
Now self-sign a CA certificate using the generated key:
--------------------------------------------------------
ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA" \
    --ca > caCert.der
Adjust the distinguished name to your needs, it will be included in all
issued certificates.
That's it, your CA is ready to issue certificates.
End entity certificates
-----------------------
For each peer, i.e. for all VPN clients and VPN gateways in your network,
generate an individual private key and issue a matching certificate using
your new CA:
ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der \
    --cakey caKey.der --dn "C=IN, O=strongSwan, CN=peer" > peerCert.der
=========================================================================

2. Next use the below sample commands to convert the DER certs/keys to PEM

--------------------------------------------------------------------------------
convert cert from pem to der encoding and vice-versa
-----------------------------------------------------------------------------------
#openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der
To convert a certificate from PEM to DER:
#openssl x509 -in input.pem -inform PEM -out output.crt -outform DER
To convert a certificate from DER to PEM:
#openssl x509 -in input.crt -inform DER -out output.pem -outform PEM
To convert a key from PEM to DER:
#openssl rsa -in input.key -inform PEM -out output.key -outform DER
To convert a key from DER to PEM:
#openssl rsa -in input.key -inform DER -out output.key -outform PEM

hope this helps
regards



On Sun, Dec 2, 2012 at 8:35 AM, Chris Arnold <carnold at electrichendrix.com>wrote:

> I am trying to run:
> ipsec pki --self --in iOScaKey.pem --dn "C=CH, O=ELC, CN=strongSwan CA"
> --ca --outform pem > iOScaCert.pem
> and get:
> /usr/lib64/ipsec/pki: unrecognized option '--outform'
>
> Is this because we are running 4.5.x of strongSwan? If so, how can we
> produce a pem with ipsec pki tool in 4.5?
>
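The two steps of the reply above, generating the CA and peer material in DER and then converting it to PEM, as an added worked example that is not part of the original post or of strongSwan. It assumes `openssl` is on PATH; if an `ipsec` command is also on PATH it is assumed to be strongSwan's and `ipsec pki` is used exactly as in the reply, otherwise the same DER files are produced with openssl as a stand-in so the conversion and checks can still be run. The function names, the temporary working directory and the three checks at the end (chain, key/cert match, lossless PEM/DER round trip) are this example's own additions; the conversions use `openssl x509` and `openssl rsa` as the reply does, so the keys are assumed to be RSA, which is what `ipsec pki --gen` produces by default.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes `openssl` on PATH and,
# optionally, strongSwan's `ipsec pki` (a 4.5-era build that only writes DER).
# If `ipsec` is absent, equivalent DER files are produced with openssl instead.
set -eu

# Minimal req config so the openssl stand-in does not depend on the system openssl.cnf.
write_req_cnf() {   # $1=output path  $2=CN  $3=ca|peer
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
        printf '[dn]\nC = IN\nO = strongSwan\nCN = %s\n[ext]\n' "$2"
        if [ "$3" = ca ]; then
            printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n'
        else
            printf 'basicConstraints = CA:FALSE\n'
        fi
    } > "$1"
}

# Step 1 of the reply: CA key, self-signed CA cert, peer key and CA-issued peer cert, all DER.
gen_der_material() {   # $1=working directory
    d=$1
    if command -v ipsec >/dev/null 2>&1; then
        ipsec pki --gen > "$d/caKey.der"
        ipsec pki --self --in "$d/caKey.der" --dn "C=IN, O=strongSwan, CN=strongSwan CA" \
            --ca > "$d/caCert.der"
        ipsec pki --gen > "$d/peerKey.der"
        ipsec pki --pub --in "$d/peerKey.der" \
            | ipsec pki --issue --cacert "$d/caCert.der" --cakey "$d/caKey.der" \
                  --dn "C=IN, O=strongSwan, CN=peer" > "$d/peerCert.der"
    else
        # Stand-in for ipsec pki (assumption: strongSwan is not installed here).
        write_req_cnf "$d/ca.cnf" "strongSwan CA" ca
        write_req_cnf "$d/peer.cnf" "peer" peer
        openssl genrsa 2048 2>/dev/null | openssl rsa -outform DER -out "$d/caKey.der" 2>/dev/null
        openssl req -new -x509 -key "$d/caKey.der" -keyform DER -config "$d/ca.cnf" \
            -days 3650 -outform DER -out "$d/caCert.der"
        openssl genrsa 2048 2>/dev/null | openssl rsa -outform DER -out "$d/peerKey.der" 2>/dev/null
        openssl req -new -key "$d/peerKey.der" -keyform DER -config "$d/peer.cnf" -out "$d/peer.csr"
        openssl x509 -req -in "$d/peer.csr" -CA "$d/caCert.der" -CAform DER \
            -CAkey "$d/caKey.der" -CAkeyform DER -CAcreateserial -days 365 \
            -extfile "$d/peer.cnf" -extensions ext -outform DER -out "$d/peerCert.der" 2>/dev/null
    fi
}

# Step 2 of the reply: DER -> PEM with openssl (what --outform pem does where pki supports it).
der_to_pem_cert() { openssl x509 -in "$1" -inform DER -out "$2" -outform PEM; }
der_to_pem_key()  { openssl rsa  -in "$1" -inform DER -out "$2" -outform PEM 2>/dev/null; }

convert_all() {   # $1=working directory
    der_to_pem_cert "$1/caCert.der"   "$1/caCert.pem"
    der_to_pem_cert "$1/peerCert.der" "$1/peerCert.pem"
    der_to_pem_key  "$1/caKey.der"    "$1/caKey.pem"
    der_to_pem_key  "$1/peerKey.der"  "$1/peerKey.pem"
}

# Checks worth running before the files go into strongSwan's config.
cert_chains_to_ca() {   # $1=CA cert PEM  $2=peer cert PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
key_matches_cert() {    # $1=cert PEM  $2=private key PEM; compares the public keys
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}
pem_roundtrips() {      # $1=cert PEM  $2=original cert DER; PEM -> DER must reproduce the bytes
    openssl x509 -in "$1" -outform DER | cmp -s - "$2"
}
check_all() {   # $1=working directory; non-zero on the first failed check
    cert_chains_to_ca "$1/caCert.pem" "$1/peerCert.pem" || { echo "chain check failed" >&2; return 1; }
    key_matches_cert "$1/peerCert.pem" "$1/peerKey.pem"  || { echo "key/cert mismatch" >&2; return 1; }
    pem_roundtrips "$1/peerCert.pem" "$1/peerCert.der"   || { echo "PEM/DER round trip differs" >&2; return 1; }
}

main() {
    d=$(mktemp -d)
    gen_der_material "$d"
    convert_all "$d"
    check_all "$d"
    echo "PEM files ready in $d:"; ls "$d"/*.pem
}
main
```

The round-trip check is the one that matters for the original question: PEM is only a base64 wrapping of the same DER bytes, so a converted certificate that re-encodes to exactly the original `.der` is the same credential the pki tool issued, and the key/cert comparison catches the easy mistake of pairing a converted key with the wrong certificate.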