[Swan] RSA keys help

Paul Wouters paul at nohats.ca
Wed Jan 23 18:11:19 UTC 2019

On Wed, 23 Jan 2019, Kostya Vasilyev wrote:

> Yes I know the syntax for adding alt subject names, thanks. The problem is Mikrotik wants something specific there (from server cert) and I can't figure out what, it seems undocumented. Some people say it wants an email address (any email address) but that didn't work.

It might also insist on certain EKU flags. Try adding serverAuth. If
that is not enough try adding the Microsoft IPsec EKU's


> ...has anyone used rsa key *only* auth with Libre where the other side was a different system (not Libre)? How did you manage your keys?

That is usually not done, because unfortunately, the world decided not
to move as much on using raw keys, but using certificates instead.
Increased use of raw keys these days are for IoT devices, and those
tend to use raw TLS keys, and for Opportunistic IPsec, which is all
raw keys using libreswan.

> Any suggestions on keys management?

Any tool that uses a CA and certs and pkcs#12 should work. You just need
to figure out what SAN and EKU flags your router insists on. Note that
it is was compliant to RFC 4945, it would not care about EKU's. But
sadly a lot of X.509 processing libraries implicitdly assume TLS as
the only use case for PKIX.


More information about the Swan mailing list