Nov 6, 2017

Generate the Server Host key pair

Generate the Server Host key pair

Server Host keypair is for the server to authenticate itself to clients

First the private key:
ipsec pki --gen --type rsa --size 4096 --outform der > private/vpnHostKey.der
chmod 600 private/vpnHostKey.der
Generate the public key and use root ca to sign the public key:
ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 888 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=NL, O=Example Company, CN=vpn.i88.ca" --san vpn.i88.ca --san it.i88.ca --san 88.88.88.88  --san @88.88.88.88 --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der
The domain name or IP address of your server MUST be contained either in the subject Distinguished Name (CN) and/or in a subject Alternative Name (--san). 
The built in Windows 7 VPN client needs the serverAuth extended key usage flag in your host certificate as shown above, or the client will refuse to connect. In addition, OS X 10.7.3 or older requires the ikeIntermediate flag, which we also add here.
The IP address is added twice, one with an @ in front so that it gets added as an subjectAltName of the DNSName type and one of the IPAddess type.
You can view the certificate:
ipsec pki --print --in certs/vpnHostCert.der
You can also use OpenSSL to see the contents:
openssl x509 -inform DER -in certs/vpnHostCert.der -noout -text
The private key (/etc/ipsec.d/private/strongswanKey.der) of the CA should be moved somewhere safe, possibly to a special signing host without access to the Internet. Theft of this master signing key would completely compromise your public key infrastructure. Use it only to generate client certificates when needed.