Description

I recently had to configure Strongswan with Certificate Authentication to a Checkpoint GW and got lost a bit in all the articles I could find about the openssl utility and how to generate a CA, CSRs, sign a certificate and so on.
I will summarize here the steps required for generating the CA/cert so that everything is in a single place.

I give an example with RSA and one with ECDSA.

The changes are minimal.

On the Checkpoint side I only had to import the CA from Strongswan side and configure it under the Public Key auth pertaining to the Network Interoperable Device (representation of 3rd party device Checkpoint wise).

RSA

Create CA key, passphrase is mandatory

openssl genrsa 2048 > ca-key.pem
# remove the passphrase (just for my testing)
openssl rsa -in ca-key.pem -out rootCA.key

# create the CA cert
openssl req -new -x509 -nodes -days 365000 \
   -key rootCA.key \
   -out rootCA.pem

Create Client Cert - with or without Extensions (additional fields)

If you do not want any custom fields in the cert (no extensions):

## SERVER KEY + CERT but without CUSTOM EXT FIELDS (alternate subject name / dns / IP)   
openssl req -newkey rsa:2048 -nodes -days 365000 \
   -keyout server-key.pem \
   -out server-req.pem

#no custom fields for client cert, just 1 command to create and sign it
# it asks for the default fields like city etc
openssl x509 -req -days 365000 -set_serial 01 \
   -in server-req.pem \
   -out server-cert.pem \
   -CA rootCA.pem \
   -CAkey rootCA.key2

If you need custom fields like DNS, email, IP address (recommended)

These you can use on the Checkpoint side by clicking on “Matching Criteria” thus allowing only a specific certificate signed by the CA and not all (better for security).

Create a file san.cnf

##### START SERVER KEY + CERT with EXTRA FIELDS / Extensions = what you normally need ####

### create a file san.cnf with the following data ###

# with custom fields
[req]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions         = req_ext

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
stateOrProvinceName    = State or Province Name (full name)
localityName           = Locality Name (eg, city)
organizationName       = Organization Name (eg, company)
commonName             = Common Name (e.g. server FQDN or YOUR name)

# Optionally, specify some defaults.
countryName_default            = CH
stateOrProvinceName_default    = Bern
localityName_default           = Bern
organizationName_default     = This sucks
commonName_default		       = mihaigw.aviatrix.com
organizationalUnitName_default = research
emailAddress_default           = mihai@aviatrix.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1	= mihai.aviatrix.com
DNS.2   = 10.1.0.36

### end san.cnf ###

Now create CSR, then we sign it with the CA + creates also a key server-key.pem

openssl req -out server-req.pem -newkey rsa:2048 -nodes -keyout server-key.pem -config san.cnf

Sign the CSR by the custom CA from before.

if you do not specify the last 2 parts with ext and the alias in the cnf file for them then they get stripped from the CSR.

openssl x509 -req -days 365000 -set_serial 01 -in server-req.pem -out server-cert.pem -CA rootCA.pem -CAkey rootCA.key -extfile san.cnf -extensions server_req_extensions

### END CUSTOM SERVER CERT with fields ###

DISPLAY CERT

openssl x509 -in /root/certs/server-cert.pem -text -noout

In my strongswan deployment I had to copy the CA into /etc/swanctl/x509ca I copied the server-cert into /etc/swanctl/x509/ I copied the server-key into /etc/swanctl/private I modified the ike-.json file to have under “local” the “id”: mihai.aviatrix.com (which matched on the DNS name / Subject Alternate Name I specified in my server cert) This way Strongswan knows which cert to use from all that it may have.

ECDSA

Create CA key

openssl ecparam -name prime256v1 -genkey -noout -out CA-key.pem

## side info..if you want to create the public key from the private 
## openssl ec -in private-key.pem -pubout -out public-key.pem

Create the CA cert

openssl req -new -x509 -nodes -days 365000 \
   -key rootCA.key \
   -out rootCA.pem

Server Key/Cert wo CUSTOM EXT FIELDS (alternate subject name / dns / IP)

openssl req -newkey rsa:2048 -nodes -days 365000 \
   -keyout server-key.pem \
   -out server-req.pem

Create Client Cert - with or without Extensions (additional fields)

No custom fields for client cert, just 1 command to create and sign it

It asks for the default fields like city etc

openssl x509 -req -days 365000 -set_serial 01 \
   -in server-req.pem \
   -out server-cert.pem \
   -CA rootCA.pem \
   -CAkey rootCA.key2

##### END SERVER KEY + CERT in ONE SHOT ####

With custom field / Alternate Subject Name / Extentions -> what I used

create a file san.cnf with the following data


# with custom fields
[req]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions         = req_ext

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
stateOrProvinceName    = State or Province Name (full name)
localityName           = Locality Name (eg, city)
organizationName       = Organization Name (eg, company)
commonName             = Common Name (e.g. server FQDN or YOUR name)

# Optionally, specify some defaults.
countryName_default            = CH
stateOrProvinceName_default    = Bern
localityName_default           = Bern
organizationName_default     = This sucks
commonName_default		       = mihaigw.aviatrix.com
organizationalUnitName_default = research
emailAddress_default           = mihai@aviatrix.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1	= mihai.aviatrix.com
DNS.2   = 10.1.0.36

### end san.cnf ###

Now create CSR, then we sign it with the CA + creates also a key server-key.pem

openssl req -out server-req.pem -newkey ec:<(openssl ecparam -name prime256v1) -nodes -keyout server-key.pem -config san.cnf

Sign it with the custom CA from before

if you do not specify the last 2 parts with ext and the alias in the cnf file for them then they get stripped from the CSR.

openssl x509 -req -days 365000 -set_serial 01 -in server-req.pem -out server-cert.pem -CA rootCA.pem -CAkey rootCA.key -extfile san.cnf -extensions server_req_extensions
### END CUSTOM SERVER CERT with fields ###

DISPLAY CERT

openssl x509 -in /root/certs/server-cert.pem -text -noout

Check if key and cert match

Check if all works

# swanctl --log

#if it shows this message for your own local server cert it means it managed to load it successfully
107[IKE] authentication of 'mihai.aviatrix.com' (myself) with RSA signature successful

RSA

openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in privkey.txt | openssl md5

ECDSA

#ecdsa type - what we use in Strongswan (strongswan supports rsa by default also)
openssl x509 -pubkey -in x509/1__GWChkVPN.crt -noout | openssl md5
openssl pkey -pubout -in /etc/ssl/private/cloudx_local.key  | openssl md5

SSL Certs: Create own CA + cert for S2S VPN auth - RSA and ECDSA

Table of Contents

Description

RSA

Create CA key, passphrase is mandatory

Create Client Cert - with or without Extensions (additional fields)

If you do not want any custom fields in the cert (no extensions):

If you need custom fields like DNS, email, IP address (recommended)

Create a file san.cnf

Now create CSR, then we sign it with the CA + creates also a key server-key.pem

Sign the CSR by the custom CA from before.

DISPLAY CERT

ECDSA

Create CA key

Create the CA cert

Server Key/Cert wo CUSTOM EXT FIELDS (alternate subject name / dns / IP)

Create Client Cert - with or without Extensions (additional fields)

No custom fields for client cert, just 1 command to create and sign it

With custom field / Alternate Subject Name / Extentions -> what I used

create a file san.cnf with the following data

Now create CSR, then we sign it with the CA + creates also a key server-key.pem

Sign it with the custom CA from before

DISPLAY CERT

Check if key and cert match

Check if all works

RSA

ECDSA

Mihai Tanasescu