OpenSSL equivalent of libreswan IPSEC

Question

I have the following ipsec commands that generate certificates, but I dont have ipsec installed so looking for the openssl equivalent. Can anyone please help?

Create certificate authority cert

ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem

ipsec pki --self --ca --lifetime 3650 \
--in server-root-key.pem \
--type rsa --dn "C=GB, O=Self Signed, CN=VPN Server Root CA" \
--outform pem > server-root-ca.pem

Create vpn server cert

ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem

ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert /etc/swanctl/x509ca/server-root-ca.pem \
--cakey /etc/swanctl/private/server-root-key.pem \
--dn "C=GB, O=Self signed, CN=vpnserver" \
--san vpnserver \
--san dns:18.130.12.85 \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem

Create user cert

ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-$USER-key.pem

ipsec pki --pub --in vpn-$USER-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert /etc/swanctl/x509ca/server-root-ca.pem \
--cakey /etc/swanctl/private/server-root-key.pem \
--dn "C=GB, O=Self signed, CN=$USER" \
--san $USER \
--outform pem > vpn-$USER-cert.pem

If this `ipsec` command is part of StrongSwan, please make this more clear. — Sven, Apr 09 '18 at 13:31
You have the same subjectName in both. They should be unique. That's not really relevant to your question - just thought I'd point it out :-) — garethTheRed, Apr 09 '18 at 15:34
The `ipsec pki --issue` command for the server uses the `--flag` option to add `serverAuth` and `IKE` EKUs. The same command for the client doesn't use any flags, therefore no EKUs. Use a similar command to the one used for the server but avoid the `extendedKeyUsage` line. — garethTheRed, Apr 09 '18 at 15:47

Christian · Answer 1 · 2018-04-09T16:32:49.660

I've spent 3hrs trying to get this, so here they are to save you time:

################### Create certificate authority cert
openssl req -new -x509 -days 3650 \
-newkey rsa:4096 -nodes \
-subj "/C=GB/O=Self Signed/CN=VPN Server Root CA" \
-keyout private/server-root-key.pem -out x509ca/server-root-ca.pem

################### Create vpn server cert
openssl req -new -newkey rsa:4096 -nodes \
-subj "/C=GB/O=Self Signed/CN=vpnserver" \
-keyout private/vpn-server-key.pem -out x509/vpn-server-cert.pem

openssl x509 -req -in x509/vpn-server-cert.pem -days 1095 \
-CA x509ca/server-root-ca.pem -CAkey private/server-root-key.pem -CAcreateserial \
-out x509/vpn-server-cert.pem \
-extensions req_ext -extfile <(
cat <<EOF
[req_ext]
subjectAltName = DNS:vpnserver,DNS:18.130.12.85
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.8.2.2
EOF
)

################### Create user cert
ID=userN

openssl req -new -newkey rsa:4096 -nodes \
-subj "/C=GB/O=Self Signed/CN=${ID}" \
-keyout private/vpn-${ID}-key.pem -out x509/vpn-${ID}-cert.pem

openssl x509 -req -in x509/vpn-${ID}-cert.pem  -days 1095 \
-CA x509ca/server-root-ca.pem -CAkey private/server-root-key.pem -CAcreateserial \
-out x509/vpn-${ID}-cert.pem \
-extensions req_ext -extfile <(
cat <<EOF
[req_ext]
subjectAltName = DNS:${ID}
EOF
)

OpenSSL equivalent of libreswan IPSEC

Create certificate authority cert

Create vpn server cert

Create user cert

1 Answers1