Hi,

Maybe this will help:

1. Use the standard procedure for generating certs in DER form only, as below

=========================================================

CA certificate
------------------

First, generate a private key, the default generates a 2048 bit RSA key:

    ipsec pki --gen > caKey.der

For a real-world setup, make sure to keep this key absolutely private.

Now self-sign a CA certificate using the generated key:
--------------------------------------------------------

    ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA" --ca > caCert.der

Adjust the distinguished name to your needs, it will be included in all issued certificates.

That's it, your CA is ready to issue certificates.

End entity certificates
-----------------------

For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:

    ipsec pki --gen > peerKey.der

    ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=IN, O=strongSwan, CN=peer" > peerCert.der

=========================================================================

2. Next use the below sample commands to convert the DER certs/keys to PEM

--------------------------------------------------------------------------------
convert cert from pem to der encoding and vice-versa
-----------------------------------------------------------------------------------

    #openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der

To convert a certificate from PEM to DER:

    #openssl x509 -in input.pem -inform PEM -out output.crt -outform DER

To convert a certificate from DER to PEM:

    #openssl x509 -in input.crt -inform DER -out output.pem -outform PEM

To convert a key from PEM to DER:

    #openssl rsa -in input.key -inform PEM -out output.key -outform DER

To convert a key from DER to PEM:

    #openssl rsa -in input.key -inform DER -out output.key -outform PEM

Hope this helps.

Regards

On Sun, Dec 2, 2012 at 8:35 AM, Chris Arnold <[email protected]> wrote:

> I am trying to run:
> ipsec pki --self --in iOScaKey.pem --dn "C=CH, O=ELC, CN=strongSwan CA"
> --ca --outform pem > iOScaCert.pem
> and get:
> /usr/lib64/ipsec/pki: unrecognized option '--outform'
>
> Is this because we are running 4.5.x of strongSwan? If so, how can we
> produce a pem with ipsec pki tool in 4.5?
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
>
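The DER-to-PEM conversion from the reply above, together with the checks worth running after it, as an added example that is not part of the original thread. The function names and file arguments are assumptions chosen for illustration; only standard `openssl` subcommands are used.

```shell
# Added example (not from the thread). Function names are hypothetical.
# Each function body runs in a subshell, so umask and variables stay local.

# Convert a DER certificate ($1) to PEM ($2), then confirm both encodings
# hold the same certificate by comparing SHA-256 fingerprints.
cert_der_to_pem() (
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM || exit 1
    fp_der=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256) || exit 1
    fp_pem=$(openssl x509 -in "$2" -inform PEM -noout -fingerprint -sha256) || exit 1
    [ "$fp_der" = "$fp_pem" ]
)

# Convert a DER RSA private key ($1) to PEM ($2). The PEM output is not
# encrypted, so the file is created and left readable by its owner only.
key_der_to_pem() (
    umask 077
    openssl rsa -in "$1" -inform DER -out "$2" -outform PEM 2>/dev/null || exit 1
    chmod 600 "$2"
)

# Check that a PEM private key ($1) belongs to a PEM certificate ($2) by
# comparing the public key derived from each.
key_matches_cert() (
    pub_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    pub_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$pub_key" ] && [ "$pub_key" = "$pub_cert" ]
)

# Typical use with the files generated in step 1 of the reply:
#   cert_der_to_pem caCert.der caCert.pem
#   cert_der_to_pem peerCert.der peerCert.pem
#   key_der_to_pem  peerKey.der peerKey.pem
#   key_matches_cert peerKey.pem peerCert.pem && echo "key and cert match"
```

A failed `key_matches_cert` after conversion usually means the wrong key file was paired with the certificate, which is easier to catch here than in a failed IKE authentication later.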
