[Swan] RSA keys help

Paul Wouters paul at nohats.ca
Wed Jan 23 18:06:23 UTC 2019

On Wed, 23 Jan 2019, Kostya Vasilyev wrote:

> Were you exporting keys that are part of some certificates?
> Yes this is possible (and importing too).
> But in this case here I'm dealing with "standalone" keys - not keys which are part of certificates - and this does not seem possible.

You can use certutil -d sql:/etc/ipsec.d -K to list all the raw keys,
even those that came in via pkcs#12 imports. that lists the ckaid,
which you can use to load the key, eg leftckaid=.....

But a CKAID is not a public key format that the other endpoint can use,
so to get the public key in base64 format, you can use:
ipsec showhostkey --left --ckaid ....

I don't know how the remote expects its public key format, there is not
a great standard for this.

> I can't use certificate auth because of some issues on Mikrotik side (it seems to want "something" in subjectAltName but I can't figure out what... a Mikrotik forum post is pending moderation).

Whatever the IDs used in IKE are, those should appear as SubjectAltName
in the certificate. So if your leftid=@foo.bar you need a DNS:foo.bar
SAN. Same goes for not using any leftid= which means it is using its IP
address as ID, so you need an IP:a.b.c.d SAN.

The only exception is if you are using a Distinguished Name (DN) as ID.
In that case, the DN of the certificate is matched as a whole to the ID.


More information about the Swan mailing list