@marcinhlybin
Last active October 7, 2023 13:35
Strongswan with Letsencrypt certificates issue
# Self-signed server certificates
Strongswan 5.6.2
Mac OS X 10.14.2 / Windows 7 / Windows 10
Without any client-side changes, Mac OS X reports the VPN error: User Authentication failed.
After importing ca.crt into the keychain and setting IP Security (IPsec) to "Always Trust", the VPN connection works.
After importing ca.crt it also works on Windows 7 and Windows 10.
# CA
ipsec pki --gen -t rsa -s 2048 -f pem > cacerts/ca.key
ipsec pki --self --in cacerts/ca.key --lifetime 3650 --dn "C=PL, O=Company, CN=vpn.company.com" --ca > cacerts/ca.crt
# Server
ipsec pki --gen -t rsa -s 2048 -f pem > private/server.key
ipsec pki --issue --lifetime 3650 --in private/server.key --type priv --cacert cacerts/ca.crt --cakey cacerts/ca.key --dn "C=PL, O=Company, CN=vpn.company.com" --san vpn.company.com > certs/server.crt
# PKI verify
$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt
no issuer certificate found for "C=PL, O=Company, CN=vpn.company.com"
issuer is "C=PL, O=Company, CN=vpn.company.com"
using trusted certificate "C=PL, O=Company, CN=vpn.company.com"
certificate trusted, lifetimes valid
$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt --cacert /etc/ipsec.d/cacerts/ca.crt
using trusted certificate "C=PL, O=Company, CN=vpn.company.com"
certificate trusted, lifetimes valid
# Certificates details
$ openssl x509 -inform DER -in certs/server.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4081973233565571827 (0x38a6150759541af3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = PL, O = Company, CN = vpn.company.com
Validity
Not Before: Mar 2 08:47:04 2019 GMT
Not After : Feb 27 08:47:04 2029 GMT
Subject: C = PL, O = Company, CN = vpn.company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ea:4b:d9:a7:ff:62:43:1e:11:0f:d6:a1:ec:db:
c4:78:e9:06:7c:64:e5:c1:56:e6:bb:fe:14:6a:2c:
26:87:50:e1:e9:bb:a3:d3:eb:52:b6:01:b6:e2:57:
10:bb:de:34:53:28:3f:ca:e4:de:2b:e4:15:17:dc:
1d:73:5b:41:01:1e:bb:89:71:2c:4a:bd:9a:9f:20:
da:a6:9f:c2:47:f2:f7:7a:85:4a:fc:f2:1b:9a:6b:
ef:cf:aa:19:59:42:87:29:27:28:a0:7f:01:82:da:
8e:cd:41:73:79:52:10:7c:3d:4d:e4:8b:90:c2:09:
d3:ac:12:43:9f:93:53:00:97:d8:f4:04:6c:63:99:
1f:ca:23:9b:16:88:2a:b8:88:56:a9:5b:1d:18:11:
c0:b0:90:8a:eb:de:a2:36:d4:8a:a0:22:15:ed:29:
f7:6a:05:02:47:8e:68:98:68:f0:f6:f7:c2:63:ad:
da:3c:b0:90:ef:a1:52:64:f4:e6:83:2e:85:61:13:
ec:10:41:26:5d:1b:ce:33:0e:a8:3c:d1:bd:db:7e:
78:2c:c4:0d:a6:a1:6a:01:be:25:a4:bd:38:a8:3a:
a2:d8:9a:50:53:21:b1:6e:92:fb:e8:97:72:25:ee:
73:72:fe:56:b8:19:e2:42:2a:34:8b:79:0c:b5:4a:
ff:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:FF:DB:31:A7:35:27:37:02:D4:94:44:D1:CD:05:47:8A:DB:3F:CB:7F
X509v3 Subject Alternative Name:
DNS:vpn.company.com
Signature Algorithm: sha256WithRSAEncryption
8f:8c:7b:6c:66:eb:f0:31:85:ba:46:36:ea:c1:d0:72:24:c5:
01:9e:77:9b:2e:ee:eb:4e:44:ed:25:e2:06:e9:05:52:98:13:
a3:3c:68:c6:26:e2:67:91:42:1a:ac:e2:ec:95:3f:10:57:f8:
e8:e4:e4:a8:81:ba:c0:c1:8c:9c:93:cd:1c:5d:36:8d:e3:2b:
10:4b:ee:57:1d:5c:7b:c8:8e:d5:cf:9a:85:59:3a:2f:6a:3a:
c2:85:53:d9:ca:9b:cd:23:6f:78:36:69:bf:aa:22:ad:e7:bb:
f2:3e:a5:69:5f:22:7c:b0:1d:c1:dc:84:79:75:41:0f:3e:3f:
ef:76:64:b3:9a:ac:03:0a:19:7c:2d:5a:8e:1d:e2:97:87:a7:
d7:b1:22:a4:f1:15:d5:5a:63:eb:15:bf:b9:de:e6:0a:70:fd:
49:fa:76:c1:eb:8f:50:d9:ec:13:98:be:fd:94:12:54:0a:40:
be:fa:dd:9c:51:f7:36:20:a3:a7:d4:f9:07:00:34:37:98:8f:
b0:3c:5a:04:60:45:52:68:2b:59:2e:a2:36:60:63:e6:4a:88:
60:9e:34:50:1a:ea:7d:87:01:18:a4:92:7c:58:5a:ef:d9:4b:
4c:2f:78:f9:9c:20:9c:21:de:05:c5:9d:00:83:05:b3:11:6e:
8d:a3:5a:50
$ openssl x509 -inform DER -in cacerts/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 720625869032946288 (0xa002d68ebaa7a70)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = PL, O = Company, CN = vpn.company.com
Validity
Not Before: Mar 2 08:47:04 2019 GMT
Not After : Feb 27 08:47:04 2029 GMT
Subject: C = PL, O = Company, CN = vpn.company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:06:d2:0e:d6:cd:75:63:24:8b:12:9d:76:79:
ea:76:26:b9:13:a6:9c:83:1c:f5:d5:cb:0e:5c:82:
07:63:9c:ba:35:87:67:80:02:af:89:5c:42:6e:43:
fe:ec:ee:6e:5a:88:69:5a:74:a2:85:9b:01:f6:d3:
13:80:5c:6e:ad:08:f7:a4:5e:3d:14:77:b6:d7:d4:
8d:c2:45:33:1e:fe:0a:17:ae:18:60:2e:d7:2e:eb:
4b:df:20:80:8b:d1:02:63:b5:70:b0:8d:92:d0:bb:
64:15:ba:35:19:1a:85:ea:41:57:45:36:c6:ac:18:
6e:33:b8:9b:fd:b2:ec:b1:dd:1a:02:79:ca:79:0d:
0c:04:30:8c:63:c8:63:8d:73:e2:51:36:9f:12:d0:
81:c9:6a:4e:23:7a:c7:78:e6:f0:76:c4:bb:4d:a7:
97:88:0a:82:38:ae:f5:de:36:d4:29:1f:10:24:89:
56:b0:2c:8e:85:87:10:e2:73:ac:3c:15:31:d4:25:
af:10:3f:15:42:cb:72:b2:45:84:e6:ae:55:38:72:
fb:20:24:49:ab:0d:9f:ff:a5:77:24:fd:e8:97:7e:
be:54:11:2b:ea:99:1d:f8:bb:49:46:9d:6f:83:05:
ea:35:49:f1:8f:d3:df:e7:c1:d7:a7:2d:c7:c5:09:
2b:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
FF:DB:31:A7:35:27:37:02:D4:94:44:D1:CD:05:47:8A:DB:3F:CB:7F
Signature Algorithm: sha256WithRSAEncryption
7a:a6:66:79:86:a3:eb:dc:65:1a:6e:b4:62:a6:6a:d3:5b:d6:
f9:8d:fd:b0:e1:f0:cb:a7:74:3b:d0:74:19:e0:55:36:5e:a6:
cd:6e:f5:f3:ff:db:24:a1:08:43:d7:22:7b:af:17:45:f7:ec:
4a:81:0c:17:15:92:e4:43:66:81:d4:09:74:12:f3:c9:39:0c:
59:58:a1:75:7f:0c:5b:54:4c:26:8c:00:d5:f6:f3:1e:e4:d8:
d8:0b:c1:ae:08:ec:1b:90:fe:a7:4a:76:a9:fe:3c:23:b1:0b:
df:6e:ef:3c:9d:5e:7d:8f:e4:70:73:d3:57:ed:2d:d1:94:34:
68:b7:c3:bd:4f:d0:50:da:69:10:ac:5f:6a:be:10:25:be:b8:
15:29:d9:3d:da:5a:bf:7d:89:0b:02:0e:ae:07:a4:bd:64:1b:
7b:86:f0:f3:ed:d1:42:74:9c:db:19:f1:60:9c:e2:d7:7a:a3:
45:90:46:25:14:9c:27:4c:c4:ce:a8:af:48:28:24:78:0f:db:
a5:43:2b:f5:61:cc:23:58:2a:d3:94:72:1b:52:c7:5c:f9:16:
b0:a8:1d:79:75:55:89:77:b6:1d:03:a1:8d:2c:7b:a1:bd:a5:
90:ea:29:d9:9b:be:15:c3:dc:af:90:74:72:e7:a9:f9:e0:04:
41:e8:15:fa
# Letsencrypt certificates
Strongswan 5.6.2
Mac OS X 10.14.2 / Ubuntu 18.04 / Windows 7 / Windows 10
Without any client-side changes, Mac OS X reports the VPN error: The VPN server did not respond
* server.crt viewed in Mac OS X shows: This certificate is valid
* setting IP Security (IPsec) to "Always Trust" for DST Root CA X3 does not help
* importing server.crt into the system keychain and setting "Always Trust" does not help
Tested on a Linux client (with strongSwan): the connection works after adding the DST_Root_CA_X3.pem file to /etc/ipsec.d/cacerts on the client.
# Server
$ certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email info@company.com -d vpn.company.com
$ cp /etc/letsencrypt/live/vpn.company.com/fullchain.pem /etc/ipsec.d/certs/server.crt
$ cp /etc/letsencrypt/live/vpn.company.com/privkey.pem /etc/ipsec.d/private/server.key
$ cp /etc/letsencrypt/live/vpn.company.com/chain.pem /etc/ipsec.d/cacerts/chain.crt
$ cp /etc/ssl/certs/ISRG_Root_X1.pem /etc/ipsec.d/cacerts/ca.crt
# PKI verify
$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt
no issuer certificate found for "CN=vpn.company.com"
issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
using trusted certificate "CN=vpn.company.com"
certificate trusted, lifetimes valid
$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt --cacert /etc/ipsec.d/cacerts/ca.crt
using certificate "CN=vpn.company.com"
no issuer certificate found for "CN=vpn.company.com"
issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
certificate untrusted
$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt --cacert /etc/ipsec.d/cacerts/chain.crt
using certificate "CN=vpn.company.com"
using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
issuer is "O=Digital Signature Trust Co., CN=DST Root CA X3"
certificate untrusted
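The three verify runs above show the whole problem: server.crt alone has no issuer, ca.crt (ISRG Root X1) is not the issuer of anything in the chain, and chain.crt ends at "Let's Encrypt Authority X3", whose issuer "DST Root CA X3" is in no cacerts file, so pki reports "certificate untrusted". The Linux client note in the Let's Encrypt section confirms the fix: the trust anchor in cacerts must be the actual issuer of the last certificate in the chain you deploy. The Go program below is an added example, not code from this gist or from strongSwan; it rebuilds both chains from the page (the self-signed CA that issues the server certificate directly, and the DST Root CA X3 / Let's Encrypt Authority X3 / vpn.company.com chain) with constructed names and throwaway P-256 keys, and uses Go's crypto/x509 in place of `ipsec pki --verify` to show which cacerts content anchors each chain and where the path breaks when it does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for cn signed by parent, or self-signed when parent is nil.
// The names are constructed to mirror the page's chains; the P-256 keys are throwaway.
func newCert(cn string, isCA bool, parent *certAndKey) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // server cert: SAN as the page's --san flag sets, plus the serverAuth EKU
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certAndKey{cert: cert, key: key}, err
}

// findIssuer returns the certificate in pool whose subject equals issuer, or nil.
func findIssuer(pool []*x509.Certificate, issuer pkix.Name) *x509.Certificate {
	for _, c := range pool {
		if c.Subject.String() == issuer.String() {
			return c
		}
	}
	return nil
}

// verifyChain plays the role of `ipsec pki --verify --in server.crt --cacert ca.crt`:
// roots is what sits in cacerts, intermediates is what chain.crt carries. It returns the
// CNs along the path found, or an error phrased like pki's "no issuer certificate found".
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) ([]string, error) {
	ipool, rpool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range intermediates {
		ipool.AddCert(c)
	}
	for _, c := range roots {
		rpool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: ipool, Roots: rpool})
	if err == nil {
		var names []string
		for _, c := range chains[0] {
			names = append(names, c.Subject.CommonName)
		}
		return names, nil
	}
	// Walk the issuer links by hand to say where the path breaks; bounded so that a
	// self-signed certificate that is not a trusted root cannot loop forever.
	for cur, i := leaf, 0; i < 8; i++ {
		if findIssuer(roots, cur.Issuer) != nil {
			break
		}
		next := findIssuer(intermediates, cur.Issuer)
		if next == nil || next == cur {
			return nil, fmt.Errorf("no issuer certificate found for %q; issuer is %q: %w",
				cur.Subject.CommonName, cur.Issuer.CommonName, err)
		}
		cur = next
	}
	return nil, err
}
```

Calling verifyChain with the Let's Encrypt leaf, the X3 intermediate and ISRG Root X1 as the only root reproduces the page's failure ("no issuer certificate found for "Let's Encrypt Authority X3"; issuer is "DST Root CA X3""); with DST Root CA X3 as the root it returns the three-name path. One caveat the self-signed section makes visible: the CA and the server certificate there share the same DN, so pki's "using trusted certificate" line cannot tell you which of the two it matched; giving the CA its own CN keeps that output, and this function's path listing, unambiguous.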
# Certificates details
$ openssl x509 -in certs/server.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:50:51:b0:1e:0e:d8:12:fd:cc:63:47:7c:63:6b:d7:3a:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Mar 1 13:40:42 2019 GMT
Not After : May 30 13:40:42 2019 GMT
Subject: CN = vpn.company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e3:a8:ea:8e:c5:74:7f:86:30:d3:c4:da:8a:df:
14:e9:ee:80:20:6c:ac:b8:4c:2f:90:d6:ea:6f:ab:
1c:37:3a:55:80:50:11:92:48:ee:46:68:30:24:93:
22:c7:d9:33:db:3e:bc:6d:5c:2a:31:09:e9:ea:f7:
b9:e7:6f:91:de:6f:e6:01:37:eb:84:eb:1e:d3:b5:
61:08:6c:48:43:a3:48:c6:95:6a:cb:a5:cd:00:03:
08:da:c8:9f:f5:20:ba:fc:c5:12:20:c1:6e:41:c4:
8d:02:a1:fe:e4:cb:95:0e:6b:cd:ba:0e:3c:1e:38:
ec:e9:7c:8b:31:e1:15:e4:f8:8c:08:76:4b:4f:3d:
4d:2c:fa:f7:93:9d:7b:42:23:37:02:4d:a9:2d:10:
36:75:21:b0:ba:8e:af:e5:5a:8f:c3:e2:a0:64:7a:
4c:aa:e0:28:33:c1:0d:01:36:14:32:2d:d4:3f:d0:
af:5e:2c:69:26:1a:19:23:ab:1d:8d:bb:35:5a:1c:
22:5e:4f:8b:81:35:f3:82:8a:35:2a:b5:d9:a2:b6:
fb:6c:98:79:d9:56:8c:1e:33:ae:e6:d0:76:ce:15:
bb:2a:bc:8c:4a:a4:21:dc:20:3c:fc:34:db:0b:c6:
fa:05:f4:aa:b2:b5:bc:f5:bf:61:38:bc:c7:8e:30:
73:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
EC:6A:23:F7:7E:2E:F4:29:FD:57:AA:0A:10:BC:D5:A3:5F:55:1B:8C
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:vpn.company.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
Timestamp : Mar 1 14:40:42.419 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:00:D9:9D:93:04:F8:BF:4E:72:81:89:C2:
77:F6:CA:89:39:C3:5A:E3:9A:4E:7E:51:2A:A2:20:BA:
38:E5:16:7A:02:21:00:91:7A:18:EF:EE:79:4F:CF:84:
53:02:6A:53:A7:5D:9E:A3:8C:36:E5:97:09:36:82:F4:
9C:9B:92:24:AD:01:43
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : Mar 1 14:40:42.499 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:E6:B3:73:80:40:40:5A:D9:BD:10:34:
E6:0F:D9:DA:A4:73:A0:35:EB:7B:71:74:83:3B:F0:C0:
EA:18:E1:23:6D:02:21:00:C0:91:09:3C:28:2F:B4:5B:
CD:DF:54:58:53:F9:B1:AA:95:BB:DE:87:D3:E7:0D:B1:
B0:86:1D:3E:66:C9:16:A1
Signature Algorithm: sha256WithRSAEncryption
8e:da:a3:2d:e7:28:2d:02:ff:6c:1d:1d:ec:12:15:34:67:69:
af:cf:a3:1c:9a:c6:ea:37:ad:60:c4:c8:4c:e1:55:b4:9d:26:
e1:1b:2d:a6:74:12:7f:34:de:95:e9:77:ad:d0:65:89:66:ad:
0b:8d:79:02:65:e7:65:cd:0f:50:12:d6:30:44:0b:e2:ed:c1:
be:b2:36:6e:a8:ae:85:09:0b:fd:ff:b6:7f:65:bf:d9:1b:e7:
2c:04:ef:50:dd:34:05:10:3c:da:f0:24:56:32:6f:34:d3:96:
ab:cc:4c:46:0a:3a:3c:5c:30:90:22:9f:b6:20:d0:fc:17:45:
f7:ef:b9:bd:02:1a:3f:1a:cd:ed:de:df:6d:56:c9:4a:d3:d6:
ef:63:30:74:9e:61:2f:5d:d2:aa:bc:7c:08:96:8b:eb:16:71:
bd:1e:c5:1c:f7:ca:0c:68:51:8f:70:51:d5:b0:e8:63:86:bd:
81:e9:a7:44:4f:97:e8:79:25:a8:ef:1b:03:f9:82:dc:08:b1:
b2:64:5a:a1:36:f1:a3:ba:e5:03:66:a5:8d:8d:3c:5d:45:51:
28:c6:8a:96:ef:27:f0:ac:d5:d9:f5:45:c6:f2:fc:71:78:06:
aa:de:4f:03:04:55:f4:f9:63:57:ec:27:1e:2b:54:09:b3:94:
db:15:58:26
$ openssl x509 -in cacerts/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Jun 4 11:04:38 2015 GMT
Not After : Jun 4 11:04:38 2035 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c:
87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7:
75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86:
6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31:
9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff:
12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f:
7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2:
4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23:
53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74:
b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c:
fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e:
cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25:
0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf:
10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4:
63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c:
76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10:
e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02:
07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb:
0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4:
2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12:
1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47:
37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41:
29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40:
1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7:
12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f:
05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50:
13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30:
d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b:
98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b:
a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86:
3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d:
19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db:
e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88:
ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5:
33:43:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Signature Algorithm: sha256WithRSAEncryption
55:1f:58:a9:bc:b2:a8:50:d0:0c:b1:d8:1a:69:20:27:29:08:
ac:61:75:5c:8a:6e:f8:82:e5:69:2f:d5:f6:56:4b:b9:b8:73:
10:59:d3:21:97:7e:e7:4c:71:fb:b2:d2:60:ad:39:a8:0b:ea:
17:21:56:85:f1:50:0e:59:eb:ce:e0:59:e9:ba:c9:15:ef:86:
9d:8f:84:80:f6:e4:e9:91:90:dc:17:9b:62:1b:45:f0:66:95:
d2:7c:6f:c2:ea:3b:ef:1f:cf:cb:d6:ae:27:f1:a9:b0:c8:ae:
fd:7d:7e:9a:fa:22:04:eb:ff:d9:7f:ea:91:2b:22:b1:17:0e:
8f:f2:8a:34:5b:58:d8:fc:01:c9:54:b9:b8:26:cc:8a:88:33:
89:4c:2d:84:3c:82:df:ee:96:57:05:ba:2c:bb:f7:c4:b7:c7:
4e:3b:82:be:31:c8:22:73:73:92:d1:c2:80:a4:39:39:10:33:
23:82:4c:3c:9f:86:b2:55:98:1d:be:29:86:8c:22:9b:9e:e2:
6b:3b:57:3a:82:70:4d:dc:09:c7:89:cb:0a:07:4d:6c:e8:5d:
8e:c9:ef:ce:ab:c7:bb:b5:2b:4e:45:d6:4a:d0:26:cc:e5:72:
ca:08:6a:a5:95:e3:15:a1:f7:a4:ed:c9:2c:5f:a5:fb:ff:ac:
28:02:2e:be:d7:7b:bb:e3:71:7b:90:16:d3:07:5e:46:53:7c:
37:07:42:8c:d3:c4:96:9c:d5:99:b5:2a:e0:95:1a:80:48:ae:
4c:39:07:ce:cc:47:a4:52:95:2b:ba:b8:fb:ad:d2:33:53:7d:
e5:1d:4d:6d:d5:a1:b1:c7:42:6f:e6:40:27:35:5c:a3:28:b7:
07:8d:e7:8d:33:90:e7:23:9f:fb:50:9c:79:6c:46:d5:b4:15:
b3:96:6e:7e:9b:0c:96:3a:b8:52:2d:3f:d6:5b:e1:fb:08:c2:
84:fe:24:a8:a3:89:da:ac:6a:e1:18:2a:b1:a8:43:61:5b:d3:
1f:dc:3b:8d:76:f2:2d:e8:8d:75:df:17:33:6c:3d:53:fb:7b:
cb:41:5f:ff:dc:a2:d0:61:38:e1:96:b8:ac:5d:8b:37:d7:75:
d5:33:c0:99:11:ae:9d:41:c1:72:75:84:be:02:41:42:5f:67:
24:48:94:d1:9b:27:be:07:3f:b9:b8:4f:81:74:51:e1:7a:b7:
ed:9d:23:e2:be:e0:d5:28:04:13:3c:31:03:9e:dd:7a:6c:8f:
c6:07:18:c6:7f:de:47:8e:3f:28:9e:04:06:cf:a5:54:34:77:
bd:ec:89:9b:e9:17:43:df:5b:db:5f:fe:8e:1e:57:a2:cd:40:
9d:7e:62:22:da:de:18:27
$ openssl x509 -in cacerts/chain.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Mar 17 16:40:46 2016 GMT
Not After : Mar 17 16:40:46 2021 GMT
Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
c3:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Authority Information Access:
OCSP - URI:http://isrg.trustid.ocsp.identrust.com
CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c
X509v3 Authority Key Identifier:
keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.root-x1.letsencrypt.org
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl
X509v3 Subject Key Identifier:
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Signature Algorithm: sha256WithRSAEncryption
dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
34:5b:b4:42
# ipsec.conf
config setup
    charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1, tnc 1, imc 1, imv 1, pts 1"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    fragmentation=no
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.company.com
    leftauth=pubkey
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.255.255.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    eap_identity=%identity

# ipsec.secrets
vpn.company.com : RSA server.key
user %any% : EAP "user_password"