[strongSwan] building CRED_PRIVATE_KEY - ANY failed, tried 4 builders
ccsalway
ccsalway at yahoo.co.uk
Tue May 15 09:11:43 CEST 2018
I’m generating an ECDSA server cert but am getting the following errors. I’ve built with OpenSSL. What am I missing?

# swanctl --load-creds
loaded certificate from '/etc/swanctl/x509/vpnserver.crt'
loaded certificate from '/etc/swanctl/x509/vpnserver1.crt'
building CRED_PRIVATE_KEY - ANY failed, tried 4 builders
loaded private key from '/etc/swanctl/private/vpnserver.key'
loaded rsa key from '/etc/swanctl/private/vpnserver1.key'

List of X.509 End Entity Certificates
subject: "CN=vpnserver1"
issuer: "CN=Vivace Root CA"
validity: not before May 15 07:00:32 2018, ok
not after Jun 14 07:00:32 2019, ok (expires in 394 days)
serial: c2:79:0c:c6:8b:27:50:6c
altNames: vpnserver1, 35.177.138.182
flags: serverAuth ikeIntermediate
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: d8:12:51:d5:a8:6c:d1:f3:f4:6e:77:d0:79:51:bc:1f:56:a3:0a:5e
pubkey: RSA 2048 bits, has private key
keyid: 6b:2a:e9:4f:82:d7:d1:cd:b4:3d:71:56:d9:90:62:1f:1a:c9:3a:a2
subjkey: d8:12:51:d5:a8:6c:d1:f3:f4:6e:77:d0:79:51:bc:1f:56:a3:0a:5e
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing certificate failed

openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -nodes \
-subj "/CN=vpnserver" \
-keyout /ca/private/vpnserver.key -out /ca/requests/vpnserver.csr
openssl ca -config /ca/openssl.cnf -create_serial -days 395 \
-keyfile /ca/private/ca.key -cert /ca/ca.crt -passin pass:"${CAKEYPSWD}" \
-in /ca/requests/vpnserver.csr -notext \
-extfile <(cat <<EOF
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://127.0.0.1:2560
extendedKeyUsage = serverAuth, ikeIntermediate
subjectAltName = DNS:vpnserver
EOF
)

./configure --prefix=/usr --sysconfdir=/etc \
--enable-systemd --enable-swanctl \
--disable-charon --disable-stroke --disable-scepclient \
--enable-eap-identity --enable-eap-mschapv2 --enable-md4 \
--enable-eap-tls --enable-eap-dynamic \
--enable-curl --enable-gcm --enable-openssl