Hi, > but when I do: > > $ strongswan pki --issue .... --flag nonRepudiation
That's not a flag value supported by strongSwan (it will just be ignored). > and then: > > $ strongswan pki --print --in ipsec.d/certs/suc...@openstack.der.new > > ... > > flags: > .. > > nothing gets there? With the pki tool you don't have to do anything special as it doesn't encode keyUsage flags (except for CA certificates and CRL signer certificates, which you both don't want to use as end-entity certificates for IKE authentication). Regards, Tobias