
List:       strongswan-users
Subject:    Re: [strongSwan] Ipsec pki Tool Question
From:       Rajiv Kulkarni <rajivkulkarni69 () gmail ! com>
Date:       2013-03-20 17:48:14
Message-ID: CA+35gnQ05tb0pDo1NSPbmUZHnt_fCEyz5qTcvVkEKw8D9sMR5w () mail ! gmail ! com


Hi,

Maybe this will help:

1. Use the standard procedure for generating certs in DER form only, as
below:

=========================================================
CA certificate
------------------
First, generate a private key, the default generates a 2048 bit RSA key:

ipsec pki --gen > caKey.der
For a real-world setup, make sure to keep this key absolutely private.
Now self-sign a CA certificate using the generated key:
--------------------------------------------------------
ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA"
--ca > caCert.der
Adjust the distinguished name to your needs, it will be included in all
issued certificates.
That's it, your CA is ready to issue certificates.
End entity certificates
-----------------------
For each peer, i.e. for all VPN clients and VPN gateways in your network,
generate an individual private key and issue a matching certificate using
your new CA:
ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der
--cakey caKey.der --dn "C=IN, O=strongSwan, CN=peer" > peerCert.der
=========================================================================

2. Next, use the sample commands below to convert the DER certs/keys to PEM:

--------------------------------------------------------------------------------
convert cert from pem to der encoding and vice-versa
-----------------------------------------------------------------------------------
#openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der
To convert a certificate from PEM to DER:
#openssl x509 -in input.pem -inform PEM -out output.crt -outform DER
To convert a certificate from DER to PEM:
#openssl x509 -in input.crt -inform DER -out output.pem -outform PEM
To convert a key from PEM to DER:
#openssl rsa -in input.key -inform PEM -out output.key -outform DER
To convert a key from DER to PEM:
#openssl rsa -in input.key -inform DER -out output.key -outform PEM

hope this helps
regards



On Sun, Dec 2, 2012 at 8:35 AM, Chris Arnold <carnold@electrichendrix.com> wrote:

> I am trying to run:
> ipsec pki --self --in iOScaKey.pem --dn "C=CH, O=ELC, CN=strongSwan CA"
> --ca --outform pem > iOScaCert.pem
> and get:
> /usr/lib64/ipsec/pki: unrecognized option '--outform'
>
> Is this because we are running 4.5.x of strongSwan? If so, how can we
> produce a pem with ipsec pki tool in 4.5?
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
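The conversion step in the reply above works because PEM is nothing more than the DER bytes base64-encoded, wrapped at 64 columns and bracketed by BEGIN/END lines, so a strongSwan 4.5 `ipsec pki` without `--outform` can always be paired with a separate converter. The following is an added example, not code from the thread or from the strongSwan project: a stdlib-only Python converter that does what `openssl x509 -inform DER -outform PEM` (and the reverse) does, plus a minimal DER sanity check (outermost tag must be a SEQUENCE with a minimally encoded length) so that a PEM file accidentally passed as DER, or a truncated DER file, is rejected instead of silently re-wrapped. The sample DER blob is constructed here for the test and is not a real certificate; the PEM label is a parameter (X.509 certificates use `CERTIFICATE`).

```python
"""Added example: PEM <-> DER conversion in pure Python (not the list post's or
strongSwan's own code). Mirrors the openssl x509/rsa -inform/-outform step."""
import base64
import re
import textwrap

# One PEM block: label in the BEGIN line must be repeated in the END line.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def der_length(data: bytes) -> int:
    """Return header+content length of the outermost DER TLV.

    Raises ValueError unless the data starts with a SEQUENCE (0x30) whose
    length is encoded minimally, as DER requires.  This is deliberately a
    shallow check: enough to tell DER from PEM or from a truncated file.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = data[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    content_len = int.from_bytes(data[2:2 + n], "big")
    if (n == 1 and content_len < 0x80) or (n > 1 and data[2] == 0):
        raise ValueError("non-minimal DER length encoding")
    return 2 + n + content_len


def sniff_format(data: bytes) -> str:
    """Classify input as 'PEM' or 'DER'; raise if it is neither."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if der_length(data) != len(data):
        raise ValueError("DER length does not match file size (truncated or trailing bytes)")
    return "DER"


def der_to_pem(der: bytes, label: str) -> str:
    """Wrap validated DER bytes as a PEM block with 64-column base64 lines."""
    if sniff_format(der) != "DER":
        raise ValueError("input is not DER")
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: bytes):
    """Return (label, der_bytes) for the first PEM block found in pem."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    der = base64.b64decode(m.group("body"))   # whitespace is discarded by default
    der_length(der)                           # reject garbage that merely looked like PEM
    return m.group("label").decode("ascii"), der


def sample_der() -> bytes:
    """Constructed sample (not a real certificate): SEQUENCE { OCTET STRING of 150 bytes }.

    Long enough that the base64 body wraps across several 64-column lines, and
    sized so both lengths use the long form minimally (>= 128 bytes).
    """
    inner = b"\x04\x81\x96" + b"\xab" * 150        # OCTET STRING, length 150
    return b"\x30\x81" + bytes([len(inner)]) + inner  # SEQUENCE, length 153


if __name__ == "__main__":
    import sys
    # Usage: python3 pem_der.py caCert.der [LABEL]  -> PEM on stdout
    #        python3 pem_der.py caCert.pem          -> DER on stdout
    raw = open(sys.argv[1], "rb").read()
    if sniff_format(raw) == "DER":
        label = sys.argv[2] if len(sys.argv) > 2 else "CERTIFICATE"
        sys.stdout.write(der_to_pem(raw, label))
    else:
        sys.stdout.buffer.write(pem_to_der(raw)[1])
```

Because `sniff_format` decides the direction by inspecting the bytes, the same script replaces both `-inform DER -outform PEM` and the reverse; the `--cakey` file fed to `ipsec pki --issue` must stay DER, since that version of the tool only reads DER, which is why the conversion is applied to copies rather than in place.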




_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
