Hello,

Does IPSec in general and strongSwan in particular support certificate authentication with ECDSA keys?

I generated new CA / server / client certs using keys like this instead of "genrsa":

    openssl ecparam -genkey -name prime256v1 -out key.pem

The rest of certificate generation is the same.

Now the client (also strongSwan) complains that

    no private key found for '< its own certificate CN here >'

I did put the certificate's private key under /etc/swanctl/private/

The key looks like this:

    -----BEGIN EC PARAMETERS-----
    Bgg.....==
    -----END EC PARAMETERS-----
    -----BEGIN EC PRIVATE KEY-----
    MHcCA.......yDpwQ==
    -----END EC PRIVATE KEY-----

But I see in strongSwan logs that this key doesn't get auto-loaded (as the rsa key from same directory does).

    Mar 14 14:12:09 swanctl[11380]: loaded private key from '/etc/swanctl/private/my_rsa_key.pem'

--> no similar line for the ecdsa key

I tried putting the ECDSA key under /etc/swanctl/ecdsa/ - no change.

Also tried explicitly loading the ECDSA key from my swanctl config file like this - also no change:

    secrets {
        private_ecdsa_tunnel {
            private_pki {
                file = ecdsa_tunnel_server.pem
            }
        }
    }

Is there a "secret" or "trick" to getting ECDSA certificates / keys to work?

Thanks,
--
Kostya Vasilyev
k...@fastmail.com