[strongSwan] Fwd: Re: Is IKEv2 certificate binding to the hardware?

Noel Kuntze noel at familie-kuntze.de
Fri Sep 19 08:32:01 CEST 2014



Hello Quine,

You cannot extend the lifetime. You need to issue new certificates.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 19.09.2014 at 07:28, tefeng wrote:
> Hello, Noel,
> 
> one more question:
> Is it possible to extend the lifetime of the certificate on the server when it expires?  That would save me a lot of time by avoiding changing the *.p12 files on the VPN client machines.
> 
> Best Regards!
> Quine
> 2014-9-19
> 
> 
> 
> -------- Forwarded Message --------
> Subject: 	Re: [strongSwan] Is IKEv2 certificate binding to the hardware?
> Date: 	Fri, 19 Sep 2014 01:57:29 +0800
> From: 	tefeng <tefeng.em at gmail.com>
> To: 	Noel Kuntze <noel at familie-kuntze.de>
> 
> 
> 
> Hello, Noel,
> 
> Many THX!  After reproducing the server certificates (serverKey.pem and 
> serverCert.pem with "--san" field), IKEv2 certificate now is OK.  :)
> 
> And also thanks for your reminder.  I got it wrong.  I checked the 
> strongSwan website again and found the instructions use "ipsec pki 
> --self ..." to produce certificate.  Then I can use the argument 
> "--lifetime".
> 
> Best Regards!
> Quine
> 2014-9-19
> 
> 
> 
> On 9/19/2014 1:06 AM, Noel Kuntze wrote:
> Hello,
> First question: No. Check the SAN fields.
> 
> Second question: pki --pub gives you the corresponding public key for the input private key or certificate. The output is not a certificate.
> 
> Kind regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 18.09.2014 at 18:53, tefeng wrote:
>>>> Hi, All,
>>>>
>>>> I have been using strongswan 4.6.4 on my VPS and it worked well. Recently I migrated it to another VPS (still 4.6.4 and the same certificates copied from the previous VPS) but the vpn client (Agile VPN Client in win7 or strongSwan VPN Client for android) with IKEv2 certificate didn't work except that IKEv1 certificate is OK with Cisco VPN Client.
>>>>
>>>> Is IKEv2 certificate binding to the hardware?  If yes, then I have to reproduce the certificates.
>>>>
>>>> The 2nd question: Is it possible to substitute "ipsec pki --self ..." for "ipsec pki --pub ..."?  Because the command "--pub" only produces a certificate with fixed 3 years lifetime and I want more.
>>>>
>>>> Any recommendation would be really appreciated.  Thank in Adv.
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
> 
> 
> 

