IKEv2 VPN Server with StrongSwan on Ubuntu 18.04: Creating a Certificate Authority ("ipsec pki" command replaced by "pki")

Creating a Certificate Authority

An IKEv2 server needs a certificate to identify itself to clients. The strongswan-pki package provides the pki utility used below to generate a certificate authority, a server certificate and client certificates. First create a few directories to hold everything we generate; the layout mirrors the directories under /etc/ipsec.d, where the files will eventually be moved. Restrict the permissions so that other users on the host cannot read the private keys:

$ sudo apt update
$ sudo apt install strongswan strongswan-pki
$ mkdir -p ~/pki/{cacerts,certs,private}
$ chmod 700 ~/pki


Note: On Ubuntu 18.04 the pki tool was moved into a separate binary and its own package, strongswan-pki, and is invoked as pki rather than ipsec pki. Confirm that the package is installed and which version you have with:

$ apt-cache policy strongswan-pki

Launchpad bug: "ipsec pki" command replaced by "pki"

https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1804889


Generate the CA private key and a self-signed CA certificate valid for ten years (3650 days). The DN is arbitrary; the author uses C=JP, O=Sakura, CN=Sakura:

$ pki --gen --type rsa --size 4096 --outform der > ~/pki/private/caprivatekey.der

$ pki --self --ca --lifetime 3650 --in ~/pki/private/caprivatekey.der --type rsa --dn "C=JP, O=Sakura, CN=Sakura" --outform der > ~/pki/cacerts/cacert.der

Generating a Certificate for the VPN Server

The server certificate is issued by the CA created above. Clients match the server against the --san entries, so these should be the host name (or IP address) clients will connect to; the author uses the placeholder Sakura. The --flag serverAuth extended key usage is required by Windows clients and --flag ikeIntermediate by older macOS clients. Giving the server certificate a DN of its own instead of repeating the CA's DN, as is done here, keeps the two certificates distinguishable in logs and on clients:

$ pki --gen --type rsa --size 4096 --outform der > ~/pki/private/serverkey.der

$ pki --pub --in ~/pki/private/serverkey.der --type rsa | pki --issue --lifetime 3650 --cacert ~/pki/cacerts/cacert.der --cakey ~/pki/private/caprivatekey.der --dn "C=JP, O=Sakura, CN=Sakura" --san Sakura --san @Sakura --flag serverAuth --flag ikeIntermediate --outform der > ~/pki/certs/servercert.der

Generating a Certificate for the Clients

Each client gets its own key and certificate signed by the same CA; the CN and --san (here client@Sakura) are the identity the server will see. The client key is written in PEM because it will be bundled into a PKCS#12 file later:

$ pki --gen --type rsa --size 4096 --outform pem > ~/pki/client.pem

$ pki --pub --in ~/pki/client.pem --type rsa | pki --issue --lifetime 3650 --cacert ~/pki/cacerts/cacert.der --cakey ~/pki/private/caprivatekey.der --dn "C=JP, O=Sakura, CN=client@Sakura" --san client@Sakura --outform pem > ~/pki/clientcert.pem

Copy the generated material into /etc/ipsec.d, where strongSwan looks for cacerts/, certs/ and private/. The server itself only needs the CA certificate, the server certificate and the server key; the client key and certificate land there too with this wildcard copy, and can be deleted from the server once the client bundle has been exported:

$ sudo cp -r ~/pki/* /etc/ipsec.d/


Convert the CA certificate from DER to PEM, because openssl pkcs12 expects PEM input for -certfile:

$ openssl x509 -inform DER -in ~/pki/cacerts/cacert.der -out ~/pki/cacerts/cacert.pem -outform PEM

Bundle the client key, client certificate and CA certificate into a PKCS#12 file for import on the client. The export password protects the client's private key while the file is transferred; pass it to the client out of band:

$ openssl pkcs12 -export -inkey ~/pki/client.pem -in ~/pki/clientcert.pem -name "Client Certificate" -certfile ~/pki/cacerts/cacert.pem -caname "CA Certificate" -out ~/pki/sakura.p12
Enter Export Password:xxxxxxxx
Verifying - Enter Export Password:xxxxxxxx
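Before copying anything into /etc/ipsec.d it is worth checking that the CA, server certificate and key files actually fit together. The script below is an added example and not part of the original page or of strongSwan; it assumes openssl is installed and the ~/pki/{cacerts,certs,private} layout used above, and takes as its second argument the host name clients will connect to (the value given to --san when issuing the server certificate). It converts the DER files to PEM, verifies that the server certificate chains to the CA, that it carries the serverAuth EKU and a DNS SAN for the host, that the server and CA subjects differ, and that the key directory and every private key are unreadable by other users.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: sanity-check the PKI material
# generated above before copying it to /etc/ipsec.d. Assumes openssl is
# installed and the ~/pki/{cacerts,certs,private} layout used on the page.
set -u

# 0 if the file mode grants nothing to group/other (0600 for keys, 0700 for dirs).
is_private_mode() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# 0 if the leaf certificate (PEM) chains to the CA certificate (PEM).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate (PEM) carries the serverAuth extended key usage,
# which pki sets from --flag serverAuth.
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# 0 if the certificate (PEM) lists the given name as a DNS subjectAltName.
has_dns_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -qE "(^|[ ,])DNS:$2(,|\$)"
}

# Subject DN as printed by openssl; used to make sure CA and server differ.
cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# Run every check against the page's layout. Prints one line per failing
# check and returns the number of failures (0 means everything passed).
check_pki() {
    local dir="$1" host="$2" failures=0 tmp key
    tmp=$(mktemp -d) || return 1
    # The pki commands on the page write DER; openssl's checks want PEM.
    openssl x509 -inform DER -in "$dir/cacerts/cacert.der" -out "$tmp/ca.pem" 2>/dev/null \
        || { echo "FAIL: cannot read $dir/cacerts/cacert.der"; rm -rf "$tmp"; return 1; }
    openssl x509 -inform DER -in "$dir/certs/servercert.der" -out "$tmp/server.pem" 2>/dev/null \
        || { echo "FAIL: cannot read $dir/certs/servercert.der"; rm -rf "$tmp"; return 1; }

    chains_to_ca "$tmp/ca.pem" "$tmp/server.pem" \
        || { echo "FAIL: server certificate does not chain to the CA"; failures=$((failures+1)); }
    has_server_auth "$tmp/server.pem" \
        || { echo "FAIL: server certificate lacks the serverAuth EKU"; failures=$((failures+1)); }
    has_dns_san "$tmp/server.pem" "$host" \
        || { echo "FAIL: server certificate has no DNS SAN for $host"; failures=$((failures+1)); }
    [ "$(cert_subject "$tmp/ca.pem")" != "$(cert_subject "$tmp/server.pem")" ] \
        || { echo "FAIL: CA and server certificate share the same subject DN"; failures=$((failures+1)); }
    is_private_mode "$dir" \
        || { echo "FAIL: $dir is readable by other users"; failures=$((failures+1)); }
    for key in "$dir"/private/*; do
        [ -e "$key" ] || continue
        is_private_mode "$key" \
            || { echo "FAIL: private key $key is readable by other users"; failures=$((failures+1)); }
    done
    rm -rf "$tmp"
    return "$failures"
}

# Usage (hostname is an assumption; use the value you passed to --san):
# check_pki ~/pki vpn.example.com
```

Note that the directory created with mkdir -p above is 0700 but the key files inside it are written with your umask, so the per-file check is the one most likely to flag something. strongSwan's own tool can do the chain check directly on the DER files with pki --verify --in ~/pki/certs/servercert.der --cacert ~/pki/cacerts/cacert.der; the openssl-based functions here additionally look at the EKU and SAN that Windows and Apple clients insist on.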

References

How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 18.04 | DigitalOcean

さくらVPS上のUbuntuにstrongswanでIKEv2 VPNサーバー(証明書認証)を構築する | web net FORCE (Building an IKEv2 VPN server with certificate authentication using strongswan on Ubuntu on a Sakura VPS)

https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1804889