[strongSwan] PEM vs DER certificate format

Noel Kuntze noel at familie-kuntze.de
Thu Dec 3 17:18:08 CET 2015


Hello Martin,
> Why is this? Why did you have to change something which was working for years?
> Where do I even see the expiration date of this .der file?

Because it works and the certs are smaller. Maybe there are more reasons, but I do not know that.

> At the old .PEM certificates at least it was obvious because I could set the number of days for expiration:
> https://www.strongswan.org/docs/readme4.htm
The man page of `pki --issue` mentions it.
In general, `pki` is much better than using the openssl tools directly.
One reason is that you don't have to edit openssl.cnf to change settings. You can just specify them
on the command line. That's much better.
Excerpt for the lazy people:

>        -l, --lifetime days
>               Days the certificate is valid, default: 1095. Ignored if both an absolute start and end time are given.
>        -F, --not-before datetime
>               Absolute time when the validity of the certificate begins. The datetime format is defined by the --dateform option.
>        -T, --not-after datetime
>               Absolute time when the validity of the certificate ends. The datetime format is defined by the --dateform option.
>        -D, --dateform form
>               strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T
Read the man page of it if you want to see all possible arguments. There are more man pages for the `pki` tool.
Read the bottom of the man page of `pki` to see all the other man pages.

> Considering that this .der is identified by unix `file` as "data", it is junk for other devices like routers. How is this any better than .pem?
As I wrote above, they're smaller. And what `file` says really doesn't matter.
If you really need PEM certificates, just tell `pki --issue` to output PEM files with `--outform pem`. That's really not difficult.
> After replacing the old .pems with .ders and restarting the vpn nodes I got an "id 'blahblah.com' not confirmed by certificate, defaulting to ..." message, so I had to remove the leftid/rightid directives which just make the config more secure, but not even after this did it work...
That tells you that you forgot to put the IDs into SAN fields in the certificate. That's not something
that is caused by DER/PEM. That's pure user error.
If you use openssl to create the certificates, then you need to edit openssl.cnf and set the SAN fields in there.
With `pki`, you can just use `--san` several times for all the IDs you need.

> What no matching peer configuration? The server does not have to have any config files just it's own key+cert+cacert.
Every peer has a config file. Without a configuration file, charon and pluto do not have a configuration to work with.
This cannot work.

> Please remove this new "der tutorial" from your website asap so people don't even see it !!!!!!!!!!!!
-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658



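The two questions in the thread (why `file` calls a .der "data", and where the expiry of a DER certificate lives) come down to one fact: PEM is the same DER bytes, base64-encoded between `-----BEGIN/END-----` armor lines. The following Python script is an added example, not strongSwan's `pki` code or anything from the mail; it builds a constructed, minimal certificate-shaped DER structure (no real key or signature, just enough of the X.509 layout to carry a validity field), converts it to PEM and back, and reads `notBefore`/`notAfter` from either encoding. The issue time and the 1095-day lifetime (the `pki --issue` default quoted above) are constructed sample values.

```python
"""Toy DER/PEM helpers: build a minimal DER certificate-shaped structure,
wrap it as PEM, unwrap it again, and read its validity period.
Constructed example; not strongSwan's pki code. The sample "certificate"
carries no real key or signature and only exercises the parser."""
import base64
import datetime
import textwrap

UTC = datetime.timezone.utc

# --- DER encoding (only what the sample needs) --------------------------------
def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with the shortest definite-length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                    # long form: 0x8N then N length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_utctime(dt: datetime.datetime) -> bytes:
    """UTCTime (tag 0x17): YYMMDDHHMMSSZ, the form X.509 uses for dates before 2050."""
    return der_tlv(0x17, dt.astimezone(UTC).strftime("%y%m%d%H%M%SZ").encode("ascii"))

SHA256_WITH_RSA = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # OID 1.2.840.113549.1.1.11

def build_sample_cert_der(not_before: datetime.datetime, lifetime_days: int) -> bytes:
    """Minimal Certificate-like SEQUENCE with a real validity field (constructed sample)."""
    not_after = not_before + datetime.timedelta(days=lifetime_days)
    tbs = der_sequence(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                        # [0] EXPLICIT version v3
        der_tlv(0x02, b"\x01"),                                        # serialNumber
        der_sequence(SHA256_WITH_RSA),                                 # signature algorithm
        der_sequence(),                                                # issuer Name (empty here)
        der_sequence(der_utctime(not_before), der_utctime(not_after)),  # validity
        der_sequence(),                                                # subject Name (empty here)
        der_sequence(der_sequence(), der_tlv(0x03, b"\x00")),          # subjectPublicKeyInfo placeholder
    )
    return der_sequence(tbs, der_sequence(SHA256_WITH_RSA), der_tlv(0x03, b"\x00"))

# --- DER decoding -------------------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes):
    """Split the content of a constructed TLV into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def parse_time(tag: int, val: bytes) -> datetime.datetime:
    """UTCTime (0x17) uses the RFC 5280 pivot (YY<50 -> 20YY, else 19YY);
    GeneralizedTime (0x18) carries a four-digit year."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("20" if int(s[:2]) < 50 else "19") + s
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def certificate_validity(der: bytes):
    """Return (notBefore, notAfter) from a DER Certificate (tbsCertificate.validity)."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this file PEM?")
    tbs = children(children(cert)[0][1])
    idx = 4 if tbs[0][0] == 0xA0 else 3     # validity follows the optional [0] version
    return tuple(parse_time(t, v) for t, v in children(tbs[idx][1]))

# --- PEM is just base64 DER with a label ---------------------------------------
def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"

def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("missing PEM armor")
    return base64.b64decode("".join(lines[1:-1]))

def load_any(data: bytes) -> bytes:
    """Accept either encoding: PEM armor is ASCII text, DER starts with the SEQUENCE byte 0x30
    (which is why file(1) has nothing better than "data" to say about it)."""
    return pem_to_der(data.decode("ascii")) if data.lstrip().startswith(b"-----BEGIN ") else data

# Constructed sample: issued at the time of the mail, default pki lifetime of 1095 days.
ISSUED = datetime.datetime(2015, 12, 3, 16, 18, 8, tzinfo=UTC)
SAMPLE_DER = build_sample_cert_der(ISSUED, 1095)

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    for name, blob in (("der", SAMPLE_DER), ("pem", pem.encode("ascii"))):
        nb, na = certificate_validity(load_any(blob))
        print(f"{name}: {len(blob)} bytes, notBefore={nb:%Y-%m-%d}, notAfter={na:%Y-%m-%d}")
```

Running it shows the DER blob is the smaller of the two and that both encodings yield the same validity window; on a real certificate the same walk (SEQUENCE, tbsCertificate, skip the optional version, serial, algorithm and issuer, then validity) is what `pki --print` or `openssl x509 -noout -dates` performs for you.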