[strongSwan] PEM vs DER certificate format

Noel Kuntze noel at familie-kuntze.de
Thu Dec 3 17:18:08 CET 2015


Hello Martin,
> Why is this? Why did you have to change something which was working for years?
> Where do I even see the expiration date of this .der file?

Because it works and the certs are smaller. Maybe there are more reasons, but I do not know that.

> At the old .PEM certificates at least it was obvious because I could set the number of days for expiration:
> https://www.strongswan.org/docs/readme4.htm
The man page of `pki --issue` mentions it.
In general, pki is much better than using the openssl tools directly.
One reason is that you don't have to edit openssl.cnf to change settings. You can just specify them
on the command line. That's much better.
Excerpt for the lazy people:

>        -l, --lifetime days
>               Days the certificate is valid, default: 1095. Ignored if both an absolute start and end time are given.
>
>        -F, --not-before datetime
>               Absolute time when the validity of the certificate begins. The datetime format is defined by the --dateform option.
>
>        -T, --not-after datetime
>               Absolute time when the validity of the certificate ends. The datetime format is defined by the --dateform option.
>
>        -D, --dateform form
>               strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T
>
Read the man page of it if you want to see all possible arguments. There are more man pages for the `pki` tool.
Read the bottom of the man page of `pki` to see all the other man pages.

> Considering that this .der identified by unix file as "data", it is junk for other devices like routers. How is this any better from .pem?
As I wrote above, they're smaller. And what `file` says really doesn't matter.
If you really need PEM certificates, just tell `pki --issue` to output PEM files with `--outform pem`. That's really not difficult.
> After replacing the old .pems with .ders and restarting the vpn nodes I got the id 'blahblah.com' not confirmed by certificate, defaulting to ... message, so I had to remove the leftid/rightid directives, which just makes the config more secure, but it did not work even after this...
That tells you that you forgot to put the IDs into SAN fields in the certificate. That's not something
that is caused by DER/PEM. That's pure user error.
If you use openssl to create the certificates, then you need to edit openssl.cnf and set the SAN fields in there.
With `pki`, you can just use `--san` several times for all the IDs you need.

> What no matching peer configuration? The server does not have to have any config files just it's own key+cert+cacert.
Every peer has a config file. Without a configuration file, charon and pluto do not have a configuration to work with.
This can not work.

> Please remove this new "der tutorial" from your website asap so people don't even see it !!!!!!!!!!!!
No.
-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

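Added example, not code from this mail or from the strongSwan project: a small Python script showing that PEM is just base64-armoured DER (so the two formats carry identical content) and how the Validity field, the expiration date asked about above, is found by walking the DER structure Certificate -> tbsCertificate -> Validity. The certificate bytes are constructed inline and only carry the fields up to Validity; the 1095-day lifetime matches the `pki --issue` default quoted above.

```python
import base64
import datetime

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM is nothing more than base64 of the DER bytes, wrapped at 64 columns between markers."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem: str) -> bytes:
    body = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))
def _tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos (short and long length forms); return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(seq: bytes):
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out
def _decode_time(tag: int, val: bytes) -> datetime.datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)

def validity(der: bytes):
    """Return (notBefore, notAfter) of a DER X.509 certificate: Certificate -> tbsCertificate -> Validity."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # explicit [0] version is optional (absent in v1 certs)
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return tuple(_decode_time(t, v) for t, v in _children(fields[3][1]))

def _enc(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_der() -> bytes:
    """Constructed stand-in certificate (not a real one): fields up to Validity only, empty issuer, no key, dummy signature."""
    tbs = (_enc(0xA0, _enc(0x02, b"\x02"))                                   # [0] version: v3
           + _enc(0x02, b"\x01")                                              # serialNumber: 1
           + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _enc(0x30, b"")                                                  # issuer: empty Name
           + _enc(0x30, _enc(0x17, b"151203000000Z") + _enc(0x17, b"181202000000Z")))  # 1095-day validity
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

`validity(pem_to_der(der_to_pem(sample_der())))` returns the same two timestamps as `validity(sample_der())`, which is the whole point: the armour changes nothing inside.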