StrongSwan: Difference between revisions
m →Creating a certificate for the server: Removed obsolete folders |
m →Creating a certificate for clients: Removed obsolete folders, added about CA key |
||
| Line 94: | Line 94: | ||
# Make sure you are still in the correct directory. | # Make sure you are still in the correct directory. | ||
# Generate a private key for the certificate: | # Generate a private key for the certificate: | ||
#:<pre>ipsec pki --gen --type ecdsa --size 384 --outform pem > | #:<pre>ipsec pki --gen --type ecdsa --size 384 --outform pem > client1Key.pem</pre> | ||
# Change the permissions of the private key, so that only root can access it: | # Change the permissions of the private key, so that only root can access it: | ||
#:<pre>chmod 600 | #:<pre>chmod 600 client1Key.pem</pre> | ||
# Now we have the private key, generate the server certificate: | # Now we have the private key, generate the server certificate: | ||
#:<pre>pki --issue --in client1Key.der --type priv --cacert caCert.der --cakey caKey.der --dn "C=GB, O=strongSwan, CN=client1.freddythechick.net" --san "client1.freddythechick.net" --lifetime 1825 --outform pem> client1Cert.pem</pre> | #:<pre>pki --issue --in client1Key.der --type priv --cacert caCert.der --cakey caKey.der --dn "C=GB, O=strongSwan, CN=client1.freddythechick.net" --san "client1.freddythechick.net" --lifetime 1825 --outform pem> client1Cert.pem</pre> | ||
The <code>CN</code> in the DN this time can be anything for the Windows client. No flags are required. | The <code>CN</code> in the DN this time can be anything for the Windows client. No flags are required. | ||
One of these must be created for each client you would like to connect to the server. '''Keep the CA key secure but safe as this will be needed each time you want to sign a client certificate.''' | |||
== Packaging the required certificates and keys for Windows == | == Packaging the required certificates and keys for Windows == | ||