Administrator Guide

#      leftcert=selfCert.der
#      leftsendcert=never
#      right=
#      rightsubnet=
#      rightcert=peerCert.der
#      auto=start
# conn sample-with-ca-cert
#      leftsubnet=
#      leftcert=myCert.pem
#      right=
#      rightsubnet=
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
Begin Certificate-Based Authentication, IPv4
1. strongSwan host IP address is
2. array addresses are (the wka) and (eth0)
3. 2048-bit RSA key pairs will be generated for the local certificates (one for the
array and one for the strongSwan host)
4. a self-signed root certificate will be generated
5. local certificate requests for both the array and the strongSwan client will be generated
6. certificate requests will be "signed" with our root certificate
7. the certificates and keys will be installed on the strongSwan host, then strongSwan will
be reconfigured to use certificate-based authentication
Certificate Creation with OpenSSL:
1. Generate a 2048-bit RSA key. This is the "server" key, which will be used to generate a
self-signed root certificate. Note that the minimum acceptable key length is 2048 bits:
draoidoir:fwoods> openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
2. With the server key in hand, generate a self-signed root certificate:
draoidoir:fwoods> openssl req -new -x509 -days 365 -key server.key -out root-ca.crt
You will be prompted to enter information that will be incorporated into the certificate
request. This is called a Distinguished Name or a DN. There are quite a few fields but you
can leave some blank.
For some fields there will be a default value. If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: New Hampshire
Locality Name (eg, city) []: Nashua
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Dell Equallogic
Organizational Unit Name (eg, section) []: Networking and iSCSI
Common Name (e.g. server FQDN or YOUR name) []: Joe Secure
Email Address []:
Now take a peek at the new root certificate:
draoidoir:fwoods> openssl x509 -text -noout -in root-ca.crt
Version: 3 (0x2)
Serial Number: 11801568908693661699 (0xa3c7986522fae803)
Signature Algorithm: sha256WithRSAEncryption
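The outline above lists seven steps but the walkthrough stops after the root certificate. The script below is an added example, not part of the guide, that carries the same procedure through non-interactively: the CA key and self-signed root certificate (steps 1 and 2), one 2048-bit key and certificate request per endpoint (steps 3 and 5), signing with the root (step 6), and then two checks a practitioner would want before installing anything: each certificate must verify against root-ca.crt, and each key must be at least 2048 bits, the minimum the guide states. The DN fields are passed with -subj instead of being typed at the prompts. All subject names and file names are constructed placeholders; "Example Storage" and the .example.test host names stand in for your organization and endpoints.

```shell
#!/bin/sh
# Added example (not from the guide): builds the certificate material the
# outline describes, in a work directory, using only the openssl CLI.
# Subject names and file names are constructed placeholders.
set -eu

# Generate a 2048-bit RSA key and a CSR for $3, then sign the CSR with the
# root CA created by make_ipsec_pki. Arguments: workdir name subject
issue_cert() {
  dir=$1; name=$2; subj=$3
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "$subj" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root-ca.crt" \
    -CAkey "$dir/server.key" -CAcreateserial -days 365 -sha256 \
    -out "$dir/$name.crt" 2>/dev/null
}

# Build the root CA and both endpoint certificates in $1, then verify them.
# Prints "ok" when every certificate chains to root-ca.crt and every key is
# 2048 bits; otherwise prints the failing check and returns 1.
make_ipsec_pki() {
  dir=$1
  # Steps 1 and 2: "server" key and self-signed root certificate. -subj
  # supplies the DN fields the guide enters at the interactive prompts.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key "$dir/server.key" \
    -subj "/C=US/ST=New Hampshire/L=Nashua/O=Example Storage/OU=Networking and iSCSI/CN=Example Root CA" \
    -out "$dir/root-ca.crt"
  # Steps 3, 5 and 6: one key and request per endpoint, signed by the root.
  issue_cert "$dir" array "/C=US/O=Example Storage/CN=array.example.test"
  issue_cert "$dir" strongswan "/C=US/O=Example Storage/CN=strongswan.example.test"
  # Checks before installing anything: chain validity and key length.
  for name in array strongswan; do
    openssl verify -CAfile "$dir/root-ca.crt" "$dir/$name.crt" >/dev/null 2>&1 \
      || { echo "verify failed: $name"; return 1; }
    openssl rsa -in "$dir/$name.key" -noout -text 2>/dev/null | grep -q '2048 bit' \
      || { echo "key too short: $name"; return 1; }
  done
  echo ok
}

# Stand-alone usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  make_ipsec_pki "$(mktemp -d)"
fi
```

The files it leaves behind map onto the ipsec.conf fragments earlier on the page: root-ca.crt is the CA certificate, array.crt and strongswan.crt are the leftcert/rightcert values, and the .key files are the corresponding private keys. Because the signing step runs `openssl x509 -req` directly against the root key, the root key must be readable only by whoever issues certificates; it never needs to be copied to the array or the strongSwan host.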
About Group-Level Security