[strongSwan] Proper method for generating certificates

G. B. gawd0wns at hotmail.com
Sat Oct 26 02:22:59 CEST 2013


I want to make sure I am doing this correctly so I can rule it out as a problem.  Please verify the syntax I use to generate my certificates will work with all client types:

About my setup:  Strongswan v5.0.4 is running in server mode on my router (which also takes care of DHCP for my network) for roadwarriors (which also require access to my LAN), using public key authentication.

-I will use a self-signed CA, which I will call CA-AUTH.
-My server's LAN IP is 192.168.1.1 and hostname is HOST.COM
-My clients are roadwarriors with LAN IP addresses and hostnames that will constantly change.

To generate the certificate authority:

ipsec pki --gen --outform pem > caKey.pem

ipsec pki --self --in caKey.pem --dn "C=CA, O=none, CN=CA-AUTH" --san="CA-AUTH" --ca --outform pem > caCert.pem


To generate the server certificate and private key:

ipsec pki --gen --outform pem > serverKey.pem

ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=192.168.1.1" --san="HOST.COM" --flag serverAuth --outform pem > serverCert.pem


To generate the client certificates and private keys:

ipsec pki --gen --outform pem > userKey.pem

ipsec pki --pub --in userKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=z10" --san "z10 at HOST.COM"  --flag serverAuth --outform pem > userCert.pem


I have established connections using the certificates I generated, though there is never any data going through the tunnels.  I just want to be sure it isn't the certificates so I can move on... Thanks.
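An added example, not from the post or from strongSwan: a script that runs the three generation steps above and then checks each issued certificate against the CA with openssl. It assumes strongSwan 5.x (`ipsec pki`) and OpenSSL 1.1.1 or later are installed; the DNs, hostnames and the clientAuth flag on the user certificate are this example's assumptions, not the post's.

```shell
#!/bin/sh
# Added example, not from the post or the strongSwan project. gen_chain runs
# the post's pki commands (assumes strongSwan 5.x `ipsec pki` is installed);
# check_leaf uses openssl (>= 1.1.1) to confirm a leaf chains to the CA and
# carries the expected SAN and EKU. Names and IPs are the post's placeholders.
set -e

# check_leaf CERT CA SAN EKU
#   SAN: as openssl prints it, e.g. "DNS:HOST.COM" or "email:z10@HOST.COM"
#   EKU: OpenSSL's display name, e.g. "TLS Web Server Authentication"
# Returns 0 only if the signature verifies and both values are present.
check_leaf() {
    cert=$1 ca=$2 san=$3 eku=$4
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    exts=$(openssl x509 -in "$cert" -noout -ext subjectAltName,extendedKeyUsage)
    case $exts in *"$san"*) ;; *) return 1 ;; esac
    case $exts in *"$eku"*) ;; *) return 1 ;; esac
}

# gen_chain DIR: the post's CA, server and client steps. Two deliberate
# changes: the client cert gets --flag clientAuth rather than serverAuth, and
# the client's email SAN is written with "@" (the list archive shows it as
# "z10 at HOST.COM"); both are this example's assumptions, not the post's.
gen_chain() {
    mkdir -p "$1"
    (
        cd "$1"
        ipsec pki --gen --outform pem > caKey.pem
        ipsec pki --self --in caKey.pem --dn "C=CA, O=none, CN=CA-AUTH" \
            --san "CA-AUTH" --ca --outform pem > caCert.pem
        ipsec pki --gen --outform pem > serverKey.pem
        ipsec pki --pub --in serverKey.pem | ipsec pki --issue \
            --cacert caCert.pem --cakey caKey.pem \
            --dn "C=CA, O=none, CN=192.168.1.1" --san "HOST.COM" \
            --flag serverAuth --outform pem > serverCert.pem
        ipsec pki --gen --outform pem > userKey.pem
        ipsec pki --pub --in userKey.pem | ipsec pki --issue \
            --cacert caCert.pem --cakey caKey.pem \
            --dn "C=CA, O=none, CN=z10" --san "z10@HOST.COM" \
            --flag clientAuth --outform pem > userCert.pem
        # strongSwan's own view of what it issued
        ipsec pki --print --in serverCert.pem
        ipsec pki --print --in userCert.pem
    )
    check_leaf "$1/serverCert.pem" "$1/caCert.pem" "DNS:HOST.COM" \
        "TLS Web Server Authentication"
    check_leaf "$1/userCert.pem" "$1/caCert.pem" "email:z10@HOST.COM" \
        "TLS Web Client Authentication"
}

# Usage: gen_chain ./pki   (run where ipsec pki is available)
```

A non-zero exit from gen_chain means either a signature did not verify against caCert.pem or a certificate is missing the SAN or EKU that clients check.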
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131025/57f3948d/attachment.html>


More information about the Users mailing list