[strongSwan] ECDSA certificates / keys?
Kostya Vasilyev
kman at fastmail.com
Thu Mar 14 12:16:40 CET 2019
Hello,
Does IPSec in general and strongSwan in particular support certificate authentication with ECDSA keys?
I generated new CA / server / client certs using keys like this instead of "genrsa"
openssl ecparam -genkey -name prime256v1 -out key.pem
The rest of certificate generation is the same.
Now the client (also strongSwan) complains that
no private key found for '< its own certificate CN here >'
I did put the certificate's private key under /etc/swanctl/private/
The key looks like this:
-----BEGIN EC PARAMETERS-----
Bgg.....==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCA.......yDpwQ==
-----END EC PRIVATE KEY-----
But I see in strongSwan logs that this key doesn't get auto-loaded (as the RSA key from the same directory does).
Mar 14 14:12:09 swanctl[11380]: loaded private key from '/etc/swanctl/private/my_rsa_key.pem'
--> no similar line for the ecdsa key
I tried putting the ECDSA key under /etc/swanctl/ecdsa/ - no change.
Also tried explicitly loading the ECDSA key from my swanctl config file like this - also no change:
secrets {
    private_ecdsa_tunnel {
        private_pki {
            file = ecdsa_tunnel_server.pem
        }
    }
}
Is there a "secret" or "trick" to getting ECDSA certificates / keys to work?
Thanks,
--
Kostya Vasilyev
kman at fastmail.com
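An added diagnostic helper, not part of the original post or of strongSwan: it lists the PEM blocks in a key file and extracts just the EC PRIVATE KEY block, so you can check whether the file handed to swanctl contains anything besides the key itself. The sample key below is constructed with placeholder base64 bodies; that the leading EC PARAMETERS block emitted by `openssl ecparam -genkey` is what confuses the loader is an assumption to verify, not a statement from the post.

```shell
#!/bin/sh
# Added example: inspect a PEM file for extra blocks before giving it to swanctl.
# Assumption (not from the post): the loader should see only the private key block,
# so a file that starts with "EC PARAMETERS" is worth checking first.

# Constructed sample in the shape shown in the post; bodies are placeholders, not a real key.
SAMPLE_KEY='-----BEGIN EC PARAMETERS-----
BggPLACEHOLDER==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPLACEHOLDERONLYyDpwQ==
-----END EC PRIVATE KEY-----'

# Print the label of every PEM block read from stdin, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Print only the block labelled $1 (e.g. "EC PRIVATE KEY") from stdin,
# including its BEGIN and END lines; everything else is dropped.
pem_extract() {
    awk -v want="$1" '
        $0 == ("-----BEGIN " want "-----") { inblk = 1 }
        inblk { print }
        $0 == ("-----END " want "-----")   { inblk = 0 }'
}

# Succeed only if stdin holds exactly one block, and it is labelled $1.
pem_has_single_block() {
    [ "$(pem_labels)" = "$1" ]
}

# Usage against the file named in the swanctl secrets section (path from the post):
#   pem_extract "EC PRIVATE KEY" < /etc/swanctl/private/ecdsa_tunnel_server.pem > key_only.pem
#   pem_has_single_block "EC PRIVATE KEY" < key_only.pem && echo "single EC PRIVATE KEY block"
```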