Re: [strongSwan] ECDSDA certificates / keys?
Thank you Tobias,

On Thu, Mar 14, 2019, at 3:41 PM, Tobias Brunner wrote:
> Hi Kostya,
>
> > Does IPSec in general and strongSwan in particular support certificate
> > authentication with ECDSA keys?
>
> Sure.
>
> > -----BEGIN EC PARAMETERS-----
> > Bgg.==
> > -----END EC PARAMETERS-----
> > -----BEGIN EC PRIVATE KEY-----
> > MHcCA...yDpwQ==
> > -----END EC PRIVATE KEY-----
>
> Remove the parameters, the pem plugin only parses the first BEGIN/END
> section in a PEM file.

Yes, this worked.

What also worked is to convert the key from PEM to DER format:

    openssl pkcs8 -topk8 -inform PEM -outform DER \
        -in ec_server.pem \
        -out ec_server.der -nocrypt

I mention this in case anyone else runs into this issue.

-- 
K
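The cause Tobias describes (the pem plugin stops after the first BEGIN/END section, so a file that opens with an EC PARAMETERS block never yields a private key) is easy to check for before swanctl is involved. The script below is an added example and not strongSwan code: it models that first-section behaviour over a constructed PEM file shaped like the output of `openssl ecparam -genkey` (the parameters body is the standard DER encoding of the prime256v1 OID; the key body is a placeholder, not real key material), and shows the "remove the parameters" fix from the thread. The function names are my own; the `openssl pkcs8 -topk8 ... -nocrypt` conversion quoted above is the other fix and needs no modelling here.

```python
import re

# Constructed sample: the layout "openssl ecparam -genkey -name prime256v1" writes.
# The EC PARAMETERS body is the DER encoding of the prime256v1 curve OID;
# the EC PRIVATE KEY body is a placeholder, not a real key.
SAMPLE_PEM = """\
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERyDpwQ==
-----END EC PRIVATE KEY-----
"""

# One PEM armoured section: label, base64 body, matching END label.
PEM_SECTION = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Labels a key loader would accept as private key material.
PRIVATE_KEY_LABELS = {"EC PRIVATE KEY", "RSA PRIVATE KEY", "PRIVATE KEY"}


def pem_sections(text):
    """Return [(label, base64_body), ...] for every BEGIN/END section in order."""
    return [(m.group(1), m.group(2)) for m in PEM_SECTION.finditer(text)]


def first_section_label(text):
    """Label of the first section, i.e. all a first-section-only parser sees."""
    sections = pem_sections(text)
    return sections[0][0] if sections else None


def is_loadable_private_key(text):
    """Model of a loader that only inspects the first BEGIN/END section:
    the file counts as a private key only if that section is one."""
    return first_section_label(text) in PRIVATE_KEY_LABELS


def strip_ec_parameters(text):
    """Apply the fix from the thread: drop EC PARAMETERS sections so the
    private key becomes the first (and only) section in the file."""
    kept = [
        m.group(0) for m in PEM_SECTION.finditer(text)
        if m.group(1) != "EC PARAMETERS"
    ]
    return "\n".join(kept) + "\n"


def diagnose(text):
    """Human-readable verdict for a PEM file destined for swanctl/private."""
    label = first_section_label(text)
    if label is None:
        return "no PEM sections found"
    if label in PRIVATE_KEY_LABELS:
        return "ok: first section is %s" % label
    return ("first section is %s, not a private key; strip it or convert "
            "the key to PKCS#8 DER" % label)


if __name__ == "__main__":
    print(diagnose(SAMPLE_PEM))
    fixed = strip_ec_parameters(SAMPLE_PEM)
    print(diagnose(fixed))
    print(fixed)
```

Running it on a real file is a matter of reading it into `diagnose()`; a verdict that names EC PARAMETERS as the first section is exactly the case where swanctl logs a "loaded private key" line for the RSA file and nothing for the ECDSA one.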
Re: [strongSwan] ECDSDA certificates / keys?
Hi Kostya,

> Does IPSec in general and strongSwan in particular support certificate
> authentication with ECDSA keys?

Sure.

> -----BEGIN EC PARAMETERS-----
> Bgg.==
> -----END EC PARAMETERS-----
> -----BEGIN EC PRIVATE KEY-----
> MHcCA...yDpwQ==
> -----END EC PRIVATE KEY-----

Remove the parameters, the pem plugin only parses the first BEGIN/END
section in a PEM file.

> Is there a "secret" or "trick" to getting ECDSA certificates / keys to work?

You also need the openssl plugin if you don't have that loaded already.

Regards,
Tobias
[strongSwan] ECDSDA certificates / keys?
Hello,

Does IPSec in general and strongSwan in particular support certificate
authentication with ECDSA keys?

I generated new CA / server / client certs using keys like this instead of
"genrsa":

    openssl ecparam -genkey -name prime256v1 -out key.pem

The rest of certificate generation is the same.

Now the client (also strongSwan) complains that

    no private key found for '< its own certificate CN here >'

I did put the certificate's private key under /etc/swanctl/private/

The key looks like this:

    -----BEGIN EC PARAMETERS-----
    Bgg.==
    -----END EC PARAMETERS-----
    -----BEGIN EC PRIVATE KEY-----
    MHcCA...yDpwQ==
    -----END EC PRIVATE KEY-----

But I see in strongSwan logs that this key doesn't get auto-loaded (as the
rsa key from the same directory does).

    Mar 14 14:12:09 swanctl[11380]: loaded private key from '/etc/swanctl/private/my_rsa_key.pem'

--> no similar line for the ecdsa key

I tried putting the ECDSA key under /etc/swanctl/ecdsa/ - no change.

Also tried explicitly loading the ECDSA key from my swanctl config file like
this - also no change:

    secrets {
        private_ecdsa_tunnel {
            private_pki {
                file = ecdsa_tunnel_server.pem
            }
        }
    }

Is there a "secret" or "trick" to getting ECDSA certificates / keys to work?

Thanks,
-- 
Kostya Vasilyev
k...@fastmail.com