[strongSwan] question about certificate

Andreas Steffen andreas.steffen at strongswan.org
Thu Dec 18 08:53:17 CET 2014

Hi Xin,

I don't understand your question. What do you mean by *.key and *.crt?
Do you have private key and certificate files with these suffixes?
In that case just copy them to the private/ and certs/ directory.
strongSwan automatically recognizes the format of the keys and certs
and doesn't care about the suffixes.

Best regards


On 12/18/2014 04:00 AM, Xin wrote:
> Hi,
> I have got a wildcard certificate, but I don't know how to install it to
> ipsec.d. I am not good at the cert parts. And I only know that if I have no
> certificate, I can generate a self-signed certificate with the following steps:
> ipsec pki --gen --outform pem > ca.pem
> ipsec pki --self --in ca.pem --dn "C=US, O=***, US=domain" --ca --outform
> pem >ca.cert.pem
> ipsec pki --gen --outform pem > server.pem
> ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem
> --cakey ca.pem --dn "C=US, O=***, US=domain" --san="domain" --flag
> serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
> ipsec pki --gen --outform pem > client.pem
> ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem
> --cakey ca.pem --dn "C=US, O=***, US=domain" --outform pem > client.cert.pem
> cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
> cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
> cp -r server.pem /usr/local/etc/ipsec.d/private/
> cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
> cp -r client.pem  /usr/local/etc/ipsec.d/private/
> But now I have *.key and *.crt, how do I generate ca.cert.pem,
> server.cert.pem, server.pem, client.cert.pem, client.pem and move them to
> the specific folder? I appreciate any help.

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
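
Added example (not part of the original message and not strongSwan code): a shell sketch of the copy step described in the reply, which picks private/ or certs/ from the PEM header instead of the file suffix and keeps the private key readable by its owner only. The function names are hypothetical, the default directory is the one used in the quoted message, and only PEM input is handled (DER files carry no header and are skipped here).

```shell
#!/bin/sh
# Added example: place an existing key/certificate under ipsec.d by content,
# not by suffix. Sketch only; PEM input, hypothetical function names.

# classify_pem FILE -> prints "cert", "key" or "unknown" from the first PEM header.
classify_pem() {
    # Strip CR so files saved with Windows line endings are still recognised.
    header=$(tr -d '\r' < "$1" 2>/dev/null | grep -m1 -e '^-----BEGIN ') || header=""
    case "$header" in
        "-----BEGIN CERTIFICATE-----")    echo cert ;;
        # Matches PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
        "-----BEGIN "*"PRIVATE KEY-----") echo key ;;
        *)                                echo unknown ;;
    esac
}

# install_credential FILE [IPSEC_D] -> copies FILE into certs/ or private/.
# Returns 1 (and copies nothing) when FILE is neither a PEM cert nor a PEM key.
install_credential() {
    src=$1
    ipsec_d=${2:-/usr/local/etc/ipsec.d}   # path taken from the quoted message
    case "$(classify_pem "$src")" in
        cert) dest="$ipsec_d/certs";   mode=644 ;;
        key)  dest="$ipsec_d/private"; mode=600 ;;
        *)    echo "skip $src: no PEM certificate or private key header" >&2
              return 1 ;;
    esac
    mkdir -p "$dest" || return 1
    # Keep the key directory closed to other users.
    if [ "$mode" = 600 ]; then chmod 700 "$dest" || return 1; fi
    # umask 077 so a key is never world-readable, even briefly during the copy.
    ( umask 077 && cp "$src" "$dest/" ) || return 1
    chmod "$mode" "$dest/$(basename "$src")"
}

# Usage (file names are placeholders):
#   install_credential wildcard.crt
#   install_credential wildcard.key
```

A CA or intermediate certificate also starts with a CERTIFICATE header, so this sketch would place it in certs/; it belongs in cacerts/ as in the quoted commands and has to be copied there by hand.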
