Last active
October 7, 2023 13:35
-
-
Save marcinhlybin/4c1f35637faff71a67bf2dc07ce3df1a to your computer and use it in GitHub Desktop.
Strongswan with Letsencrypt certificates issue
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Self-signed server certificates | |
| Strongswan 5.6.2 | |
| Mac OS X 10.14.2 / Windows 7 / Windows 10 | |
| Without doing anything MacOS X VPN error: User Authentication failed. | |
| After adding ca.crt and setting IP Security (IPSec) to "Always Trust", VPN connection works. | |
| After adding ca.crt also works for Windows 7 and Windows 10. | |
| # CA | |
| ipsec pki --gen -t rsa -s 2048 -f pem > cacerts/ca.key | |
| ipsec pki --self --in cacerts/ca.key --lifetime 3650 --dn "C=PL, O=Company, CN=vpn.company.com" --ca > cacerts/ca.crt | |
| # Server | |
| ipsec pki --gen -t rsa -s 2048 -f pem > private/server.key | |
| ipsec pki --issue --lifetime 3650 --in private/server.key --type priv --cacert cacerts/ca.crt --cakey cacerts/ca.key --dn "C=PL, O=Company, CN=vpn.company.com" --san vpn.company.com > certs/server.crt | |
| # PKI verify | |
| $ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt | |
| no issuer certificate found for "C=PL, O=Company, CN=vpn.company.com" | |
| issuer is "C=PL, O=Company, CN=vpn.company.com" | |
| using trusted certificate "C=PL, O=Company, CN=vpn.company.com" | |
| certificate trusted, lifetimes valid | |
| $ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt --cacert /etc/ipsec.d/cacerts/ca.crt | |
| using trusted certificate "C=PL, O=Company, CN=vpn.company.com" | |
| certificate trusted, lifetimes valid | |
| # Certificates details | |
| $ openssl x509 -inform DEM -in certs/server.crt -noout -text | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: 4081973233565571827 (0x38a6150759541af3) | |
| Signature Algorithm: sha256WithRSAEncryption | |
| Issuer: C = PL, O = Company, CN = vpn.company.com | |
| Validity | |
| Not Before: Mar 2 08:47:04 2019 GMT | |
| Not After : Feb 27 08:47:04 2029 GMT | |
| Subject: C = PL, O = Company, CN = vpn.company.com | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| Public-Key: (2048 bit) | |
| Modulus: | |
| 00:ea:4b:d9:a7:ff:62:43:1e:11:0f:d6:a1:ec:db: | |
| c4:78:e9:06:7c:64:e5:c1:56:e6:bb:fe:14:6a:2c: | |
| 26:87:50:e1:e9:bb:a3:d3:eb:52:b6:01:b6:e2:57: | |
| 10:bb:de:34:53:28:3f:ca:e4:de:2b:e4:15:17:dc: | |
| 1d:73:5b:41:01:1e:bb:89:71:2c:4a:bd:9a:9f:20: | |
| da:a6:9f:c2:47:f2:f7:7a:85:4a:fc:f2:1b:9a:6b: | |
| ef:cf:aa:19:59:42:87:29:27:28:a0:7f:01:82:da: | |
| 8e:cd:41:73:79:52:10:7c:3d:4d:e4:8b:90:c2:09: | |
| d3:ac:12:43:9f:93:53:00:97:d8:f4:04:6c:63:99: | |
| 1f:ca:23:9b:16:88:2a:b8:88:56:a9:5b:1d:18:11: | |
| c0:b0:90:8a:eb:de:a2:36:d4:8a:a0:22:15:ed:29: | |
| f7:6a:05:02:47:8e:68:98:68:f0:f6:f7:c2:63:ad: | |
| da:3c:b0:90:ef:a1:52:64:f4:e6:83:2e:85:61:13: | |
| ec:10:41:26:5d:1b:ce:33:0e:a8:3c:d1:bd:db:7e: | |
| 78:2c:c4:0d:a6:a1:6a:01:be:25:a4:bd:38:a8:3a: | |
| a2:d8:9a:50:53:21:b1:6e:92:fb:e8:97:72:25:ee: | |
| 73:72:fe:56:b8:19:e2:42:2a:34:8b:79:0c:b5:4a: | |
| ff:4b | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Authority Key Identifier: | |
| keyid:FF:DB:31:A7:35:27:37:02:D4:94:44:D1:CD:05:47:8A:DB:3F:CB:7F | |
| X509v3 Subject Alternative Name: | |
| DNS:vpn.company.com | |
| Signature Algorithm: sha256WithRSAEncryption | |
| 8f:8c:7b:6c:66:eb:f0:31:85:ba:46:36:ea:c1:d0:72:24:c5: | |
| 01:9e:77:9b:2e:ee:eb:4e:44:ed:25:e2:06:e9:05:52:98:13: | |
| a3:3c:68:c6:26:e2:67:91:42:1a:ac:e2:ec:95:3f:10:57:f8: | |
| e8:e4:e4:a8:81:ba:c0:c1:8c:9c:93:cd:1c:5d:36:8d:e3:2b: | |
| 10:4b:ee:57:1d:5c:7b:c8:8e:d5:cf:9a:85:59:3a:2f:6a:3a: | |
| c2:85:53:d9:ca:9b:cd:23:6f:78:36:69:bf:aa:22:ad:e7:bb: | |
| f2:3e:a5:69:5f:22:7c:b0:1d:c1:dc:84:79:75:41:0f:3e:3f: | |
| ef:76:64:b3:9a:ac:03:0a:19:7c:2d:5a:8e:1d:e2:97:87:a7: | |
| d7:b1:22:a4:f1:15:d5:5a:63:eb:15:bf:b9:de:e6:0a:70:fd: | |
| 49:fa:76:c1:eb:8f:50:d9:ec:13:98:be:fd:94:12:54:0a:40: | |
| be:fa:dd:9c:51:f7:36:20:a3:a7:d4:f9:07:00:34:37:98:8f: | |
| b0:3c:5a:04:60:45:52:68:2b:59:2e:a2:36:60:63:e6:4a:88: | |
| 60:9e:34:50:1a:ea:7d:87:01:18:a4:92:7c:58:5a:ef:d9:4b: | |
| 4c:2f:78:f9:9c:20:9c:21:de:05:c5:9d:00:83:05:b3:11:6e: | |
| 8d:a3:5a:50 | |
| $ openssl x509 -inform DEM -in cacerts/ca.crt -noout -text | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: 720625869032946288 (0xa002d68ebaa7a70) | |
| Signature Algorithm: sha256WithRSAEncryption | |
| Issuer: C = PL, O = Company, CN = vpn.company.com | |
| Validity | |
| Not Before: Mar 2 08:47:04 2019 GMT | |
| Not After : Feb 27 08:47:04 2029 GMT | |
| Subject: C = PL, O = Company, CN = vpn.company.com | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| Public-Key: (2048 bit) | |
| Modulus: | |
| 00:ba:06:d2:0e:d6:cd:75:63:24:8b:12:9d:76:79: | |
| ea:76:26:b9:13:a6:9c:83:1c:f5:d5:cb:0e:5c:82: | |
| 07:63:9c:ba:35:87:67:80:02:af:89:5c:42:6e:43: | |
| fe:ec:ee:6e:5a:88:69:5a:74:a2:85:9b:01:f6:d3: | |
| 13:80:5c:6e:ad:08:f7:a4:5e:3d:14:77:b6:d7:d4: | |
| 8d:c2:45:33:1e:fe:0a:17:ae:18:60:2e:d7:2e:eb: | |
| 4b:df:20:80:8b:d1:02:63:b5:70:b0:8d:92:d0:bb: | |
| 64:15:ba:35:19:1a:85:ea:41:57:45:36:c6:ac:18: | |
| 6e:33:b8:9b:fd:b2:ec:b1:dd:1a:02:79:ca:79:0d: | |
| 0c:04:30:8c:63:c8:63:8d:73:e2:51:36:9f:12:d0: | |
| 81:c9:6a:4e:23:7a:c7:78:e6:f0:76:c4:bb:4d:a7: | |
| 97:88:0a:82:38:ae:f5:de:36:d4:29:1f:10:24:89: | |
| 56:b0:2c:8e:85:87:10:e2:73:ac:3c:15:31:d4:25: | |
| af:10:3f:15:42:cb:72:b2:45:84:e6:ae:55:38:72: | |
| fb:20:24:49:ab:0d:9f:ff:a5:77:24:fd:e8:97:7e: | |
| be:54:11:2b:ea:99:1d:f8:bb:49:46:9d:6f:83:05: | |
| ea:35:49:f1:8f:d3:df:e7:c1:d7:a7:2d:c7:c5:09: | |
| 2b:fd | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Basic Constraints: critical | |
| CA:TRUE | |
| X509v3 Key Usage: critical | |
| Certificate Sign, CRL Sign | |
| X509v3 Subject Key Identifier: | |
| FF:DB:31:A7:35:27:37:02:D4:94:44:D1:CD:05:47:8A:DB:3F:CB:7F | |
| Signature Algorithm: sha256WithRSAEncryption | |
| 7a:a6:66:79:86:a3:eb:dc:65:1a:6e:b4:62:a6:6a:d3:5b:d6: | |
| f9:8d:fd:b0:e1:f0:cb:a7:74:3b:d0:74:19:e0:55:36:5e:a6: | |
| cd:6e:f5:f3:ff:db:24:a1:08:43:d7:22:7b:af:17:45:f7:ec: | |
| 4a:81:0c:17:15:92:e4:43:66:81:d4:09:74:12:f3:c9:39:0c: | |
| 59:58:a1:75:7f:0c:5b:54:4c:26:8c:00:d5:f6:f3:1e:e4:d8: | |
| d8:0b:c1:ae:08:ec:1b:90:fe:a7:4a:76:a9:fe:3c:23:b1:0b: | |
| df:6e:ef:3c:9d:5e:7d:8f:e4:70:73:d3:57:ed:2d:d1:94:34: | |
| 68:b7:c3:bd:4f:d0:50:da:69:10:ac:5f:6a:be:10:25:be:b8: | |
| 15:29:d9:3d:da:5a:bf:7d:89:0b:02:0e:ae:07:a4:bd:64:1b: | |
| 7b:86:f0:f3:ed:d1:42:74:9c:db:19:f1:60:9c:e2:d7:7a:a3: | |
| 45:90:46:25:14:9c:27:4c:c4:ce:a8:af:48:28:24:78:0f:db: | |
| a5:43:2b:f5:61:cc:23:58:2a:d3:94:72:1b:52:c7:5c:f9:16: | |
| b0:a8:1d:79:75:55:89:77:b6:1d:03:a1:8d:2c:7b:a1:bd:a5: | |
| 90:ea:29:d9:9b:be:15:c3:dc:af:90:74:72:e7:a9:f9:e0:04: | |
| 41:e8:15:fa |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Letsencrypt certificates | |
| Strongswan 5.6.2 | |
| Mac OS X 10.14.2 / Ubuntu 18.04 / Windows 7 / Windows 10 | |
| Without doing anything MacOS X VPN error: The VPN server did not respond | |
| * server.crt key viewed in MacOS X: This certificate is valid | |
| * setting IP Security (IPsec) to "Always Trust" for DST ROOT CA X3 does not help | |
| * adding server.crt to the system and setting "Always Trust" does not help | |
| Tested on Linux client (with strongswan) connection works after adding DST_Root_CA_X3.pem file to /etc/ipsec.d/cacerts on client. | |
| # Server | |
| $ certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email [email protected] -d vpn.company.com | |
| $ cp /etc/letsencrypt/live/vpn.company.com/fullchain.pem /etc/ipsec.d/certs/server.crt | |
| $ cp /etc/letsencrypt/live/vpn.company.com/privkey.pem /etc/ipsec.d/private/server.key | |
| $ cp /etc/letsencrypt/live/vpn.company.com/chain.pem /etc/ipsec.d/cacerts/chain.crt | |
| $ cp /etc/ssl/certs/ISRG_Root_X1.pem /etc/ipsec.d/cacerts/ca.crt | |
| # PKI verify | |
| $ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt | |
| no issuer certificate found for "CN=vpn.company.com" | |
| issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" | |
| using trusted certificate "CN=vpn.company.com" | |
| certificate trusted, lifetimes valid | |
| $ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt --cacert /etc/ipsec.d/cacerts/ca.crt | |
| using certificate "CN=vpn.company.com" | |
| no issuer certificate found for "CN=vpn.company.com" | |
| issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" | |
| certificate untrusted | |
| $ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt --cacert /etc/ipsec.d/cacerts/chain.crt | |
| using certificate "CN=vpn.company.com" | |
| using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" | |
| no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" | |
| issuer is "O=Digital Signature Trust Co., CN=DST Root CA X3" | |
| certificate untrusted | |
| # Certificates details | |
| $ openssl x509 -in certs/server.crt -noout -text | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: | |
| 03:50:51:b0:1e:0e:d8:12:fd:cc:63:47:7c:63:6b:d7:3a:8b | |
| Signature Algorithm: sha256WithRSAEncryption | |
| Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 | |
| Validity | |
| Not Before: Mar 1 13:40:42 2019 GMT | |
| Not After : May 30 13:40:42 2019 GMT | |
| Subject: CN = vpn.company.com | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| Public-Key: (2048 bit) | |
| Modulus: | |
| 00:e3:a8:ea:8e:c5:74:7f:86:30:d3:c4:da:8a:df: | |
| 14:e9:ee:80:20:6c:ac:b8:4c:2f:90:d6:ea:6f:ab: | |
| 1c:37:3a:55:80:50:11:92:48:ee:46:68:30:24:93: | |
| 22:c7:d9:33:db:3e:bc:6d:5c:2a:31:09:e9:ea:f7: | |
| b9:e7:6f:91:de:6f:e6:01:37:eb:84:eb:1e:d3:b5: | |
| 61:08:6c:48:43:a3:48:c6:95:6a:cb:a5:cd:00:03: | |
| 08:da:c8:9f:f5:20:ba:fc:c5:12:20:c1:6e:41:c4: | |
| 8d:02:a1:fe:e4:cb:95:0e:6b:cd:ba:0e:3c:1e:38: | |
| ec:e9:7c:8b:31:e1:15:e4:f8:8c:08:76:4b:4f:3d: | |
| 4d:2c:fa:f7:93:9d:7b:42:23:37:02:4d:a9:2d:10: | |
| 36:75:21:b0:ba:8e:af:e5:5a:8f:c3:e2:a0:64:7a: | |
| 4c:aa:e0:28:33:c1:0d:01:36:14:32:2d:d4:3f:d0: | |
| af:5e:2c:69:26:1a:19:23:ab:1d:8d:bb:35:5a:1c: | |
| 22:5e:4f:8b:81:35:f3:82:8a:35:2a:b5:d9:a2:b6: | |
| fb:6c:98:79:d9:56:8c:1e:33:ae:e6:d0:76:ce:15: | |
| bb:2a:bc:8c:4a:a4:21:dc:20:3c:fc:34:db:0b:c6: | |
| fa:05:f4:aa:b2:b5:bc:f5:bf:61:38:bc:c7:8e:30: | |
| 73:f1 | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Key Usage: critical | |
| Digital Signature, Key Encipherment | |
| X509v3 Extended Key Usage: | |
| TLS Web Server Authentication, TLS Web Client Authentication | |
| X509v3 Basic Constraints: critical | |
| CA:FALSE | |
| X509v3 Subject Key Identifier: | |
| EC:6A:23:F7:7E:2E:F4:29:FD:57:AA:0A:10:BC:D5:A3:5F:55:1B:8C | |
| X509v3 Authority Key Identifier: | |
| keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 | |
| Authority Information Access: | |
| OCSP - URI:http://ocsp.int-x3.letsencrypt.org | |
| CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ | |
| X509v3 Subject Alternative Name: | |
| DNS:vpn.company.com | |
| X509v3 Certificate Policies: | |
| Policy: 2.23.140.1.2.1 | |
| Policy: 1.3.6.1.4.1.44947.1.1.1 | |
| CPS: http://cps.letsencrypt.org | |
| CT Precertificate SCTs: | |
| Signed Certificate Timestamp: | |
| Version : v1 (0x0) | |
| Log ID : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70: | |
| C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56 | |
| Timestamp : Mar 1 14:40:42.419 2019 GMT | |
| Extensions: none | |
| Signature : ecdsa-with-SHA256 | |
| 30:45:02:20:00:D9:9D:93:04:F8:BF:4E:72:81:89:C2: | |
| 77:F6:CA:89:39:C3:5A:E3:9A:4E:7E:51:2A:A2:20:BA: | |
| 38:E5:16:7A:02:21:00:91:7A:18:EF:EE:79:4F:CF:84: | |
| 53:02:6A:53:A7:5D:9E:A3:8C:36:E5:97:09:36:82:F4: | |
| 9C:9B:92:24:AD:01:43 | |
| Signed Certificate Timestamp: | |
| Version : v1 (0x0) | |
| Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7: | |
| 6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78 | |
| Timestamp : Mar 1 14:40:42.499 2019 GMT | |
| Extensions: none | |
| Signature : ecdsa-with-SHA256 | |
| 30:46:02:21:00:E6:B3:73:80:40:40:5A:D9:BD:10:34: | |
| E6:0F:D9:DA:A4:73:A0:35:EB:7B:71:74:83:3B:F0:C0: | |
| EA:18:E1:23:6D:02:21:00:C0:91:09:3C:28:2F:B4:5B: | |
| CD:DF:54:58:53:F9:B1:AA:95:BB:DE:87:D3:E7:0D:B1: | |
| B0:86:1D:3E:66:C9:16:A1 | |
| Signature Algorithm: sha256WithRSAEncryption | |
| 8e:da:a3:2d:e7:28:2d:02:ff:6c:1d:1d:ec:12:15:34:67:69: | |
| af:cf:a3:1c:9a:c6:ea:37:ad:60:c4:c8:4c:e1:55:b4:9d:26: | |
| e1:1b:2d:a6:74:12:7f:34:de:95:e9:77:ad:d0:65:89:66:ad: | |
| 0b:8d:79:02:65:e7:65:cd:0f:50:12:d6:30:44:0b:e2:ed:c1: | |
| be:b2:36:6e:a8:ae:85:09:0b:fd:ff:b6:7f:65:bf:d9:1b:e7: | |
| 2c:04:ef:50:dd:34:05:10:3c:da:f0:24:56:32:6f:34:d3:96: | |
| ab:cc:4c:46:0a:3a:3c:5c:30:90:22:9f:b6:20:d0:fc:17:45: | |
| f7:ef:b9:bd:02:1a:3f:1a:cd:ed:de:df:6d:56:c9:4a:d3:d6: | |
| ef:63:30:74:9e:61:2f:5d:d2:aa:bc:7c:08:96:8b:eb:16:71: | |
| bd:1e:c5:1c:f7:ca:0c:68:51:8f:70:51:d5:b0:e8:63:86:bd: | |
| 81:e9:a7:44:4f:97:e8:79:25:a8:ef:1b:03:f9:82:dc:08:b1: | |
| b2:64:5a:a1:36:f1:a3:ba:e5:03:66:a5:8d:8d:3c:5d:45:51: | |
| 28:c6:8a:96:ef:27:f0:ac:d5:d9:f5:45:c6:f2:fc:71:78:06: | |
| aa:de:4f:03:04:55:f4:f9:63:57:ec:27:1e:2b:54:09:b3:94: | |
| db:15:58:26 | |
| $ openssl x509 -in cacerts/ca.crt -noout -text | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: | |
| 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 | |
| Signature Algorithm: sha256WithRSAEncryption | |
| Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1 | |
| Validity | |
| Not Before: Jun 4 11:04:38 2015 GMT | |
| Not After : Jun 4 11:04:38 2035 GMT | |
| Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1 | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| Public-Key: (4096 bit) | |
| Modulus: | |
| 00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c: | |
| 87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7: | |
| 75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86: | |
| 6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31: | |
| 9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff: | |
| 12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f: | |
| 7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2: | |
| 4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23: | |
| 53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74: | |
| b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c: | |
| fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e: | |
| cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25: | |
| 0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf: | |
| 10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4: | |
| 63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c: | |
| 76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10: | |
| e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02: | |
| 07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb: | |
| 0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4: | |
| 2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12: | |
| 1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47: | |
| 37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41: | |
| 29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40: | |
| 1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7: | |
| 12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f: | |
| 05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50: | |
| 13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30: | |
| d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b: | |
| 98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b: | |
| a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86: | |
| 3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d: | |
| 19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db: | |
| e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88: | |
| ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5: | |
| 33:43:4f | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Key Usage: critical | |
| Certificate Sign, CRL Sign | |
| X509v3 Basic Constraints: critical | |
| CA:TRUE | |
| X509v3 Subject Key Identifier: | |
| 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E | |
| Signature Algorithm: sha256WithRSAEncryption | |
| 55:1f:58:a9:bc:b2:a8:50:d0:0c:b1:d8:1a:69:20:27:29:08: | |
| ac:61:75:5c:8a:6e:f8:82:e5:69:2f:d5:f6:56:4b:b9:b8:73: | |
| 10:59:d3:21:97:7e:e7:4c:71:fb:b2:d2:60:ad:39:a8:0b:ea: | |
| 17:21:56:85:f1:50:0e:59:eb:ce:e0:59:e9:ba:c9:15:ef:86: | |
| 9d:8f:84:80:f6:e4:e9:91:90:dc:17:9b:62:1b:45:f0:66:95: | |
| d2:7c:6f:c2:ea:3b:ef:1f:cf:cb:d6:ae:27:f1:a9:b0:c8:ae: | |
| fd:7d:7e:9a:fa:22:04:eb:ff:d9:7f:ea:91:2b:22:b1:17:0e: | |
| 8f:f2:8a:34:5b:58:d8:fc:01:c9:54:b9:b8:26:cc:8a:88:33: | |
| 89:4c:2d:84:3c:82:df:ee:96:57:05:ba:2c:bb:f7:c4:b7:c7: | |
| 4e:3b:82:be:31:c8:22:73:73:92:d1:c2:80:a4:39:39:10:33: | |
| 23:82:4c:3c:9f:86:b2:55:98:1d:be:29:86:8c:22:9b:9e:e2: | |
| 6b:3b:57:3a:82:70:4d:dc:09:c7:89:cb:0a:07:4d:6c:e8:5d: | |
| 8e:c9:ef:ce:ab:c7:bb:b5:2b:4e:45:d6:4a:d0:26:cc:e5:72: | |
| ca:08:6a:a5:95:e3:15:a1:f7:a4:ed:c9:2c:5f:a5:fb:ff:ac: | |
| 28:02:2e:be:d7:7b:bb:e3:71:7b:90:16:d3:07:5e:46:53:7c: | |
| 37:07:42:8c:d3:c4:96:9c:d5:99:b5:2a:e0:95:1a:80:48:ae: | |
| 4c:39:07:ce:cc:47:a4:52:95:2b:ba:b8:fb:ad:d2:33:53:7d: | |
| e5:1d:4d:6d:d5:a1:b1:c7:42:6f:e6:40:27:35:5c:a3:28:b7: | |
| 07:8d:e7:8d:33:90:e7:23:9f:fb:50:9c:79:6c:46:d5:b4:15: | |
| b3:96:6e:7e:9b:0c:96:3a:b8:52:2d:3f:d6:5b:e1:fb:08:c2: | |
| 84:fe:24:a8:a3:89:da:ac:6a:e1:18:2a:b1:a8:43:61:5b:d3: | |
| 1f:dc:3b:8d:76:f2:2d:e8:8d:75:df:17:33:6c:3d:53:fb:7b: | |
| cb:41:5f:ff:dc:a2:d0:61:38:e1:96:b8:ac:5d:8b:37:d7:75: | |
| d5:33:c0:99:11:ae:9d:41:c1:72:75:84:be:02:41:42:5f:67: | |
| 24:48:94:d1:9b:27:be:07:3f:b9:b8:4f:81:74:51:e1:7a:b7: | |
| ed:9d:23:e2:be:e0:d5:28:04:13:3c:31:03:9e:dd:7a:6c:8f: | |
| c6:07:18:c6:7f:de:47:8e:3f:28:9e:04:06:cf:a5:54:34:77: | |
| bd:ec:89:9b:e9:17:43:df:5b:db:5f:fe:8e:1e:57:a2:cd:40: | |
| 9d:7e:62:22:da:de:18:27 | |
| $ openssl x509 -in cacerts/chain.crt -noout -text | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: | |
| 0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08 | |
| Signature Algorithm: sha256WithRSAEncryption | |
| Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 | |
| Validity | |
| Not Before: Mar 17 16:40:46 2016 GMT | |
| Not After : Mar 17 16:40:46 2021 GMT | |
| Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| Public-Key: (2048 bit) | |
| Modulus: | |
| 00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3: | |
| 68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70: | |
| 92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1: | |
| 2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba: | |
| 79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69: | |
| 0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d: | |
| 77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c: | |
| ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb: | |
| fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8: | |
| 7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db: | |
| fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a: | |
| ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75: | |
| 80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20: | |
| 25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba: | |
| a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d: | |
| 2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d: | |
| 0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d: | |
| c3:93 | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Basic Constraints: critical | |
| CA:TRUE, pathlen:0 | |
| X509v3 Key Usage: critical | |
| Digital Signature, Certificate Sign, CRL Sign | |
| Authority Information Access: | |
| OCSP - URI:http://isrg.trustid.ocsp.identrust.com | |
| CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c | |
| X509v3 Authority Key Identifier: | |
| keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 | |
| X509v3 Certificate Policies: | |
| Policy: 2.23.140.1.2.1 | |
| Policy: 1.3.6.1.4.1.44947.1.1.1 | |
| CPS: http://cps.root-x1.letsencrypt.org | |
| X509v3 CRL Distribution Points: | |
| Full Name: | |
| URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl | |
| X509v3 Subject Key Identifier: | |
| A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 | |
| Signature Algorithm: sha256WithRSAEncryption | |
| dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9: | |
| 70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37: | |
| 24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51: | |
| cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d: | |
| 6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f: | |
| c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4: | |
| e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07: | |
| 2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33: | |
| fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a: | |
| 5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25: | |
| 1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18: | |
| fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6: | |
| 4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a: | |
| 28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3: | |
| 34:5b:b4:42 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| config setup | |
| charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1, tnc 1, imc 1, imv 1, pts 1" | |
| uniqueids=no | |
| conn ikev2-vpn | |
| auto=add | |
| compress=no | |
| type=tunnel | |
| keyexchange=ikev2 | |
| ike=aes256-sha1-modp1024 | |
| esp=aes256-sha1 | |
| fragmentation=no | |
| forceencaps=yes | |
| dpdaction=clear | |
| dpddelay=300s | |
| rekey=no | |
| left=%any | |
| [email protected] | |
| leftauth=pubkey | |
| leftcert=server.crt | |
| leftsendcert=always | |
| leftsubnet=0.0.0.0/0 | |
| leftfirewall=yes | |
| right=%any | |
| rightid=%any | |
| rightauth=eap-mschapv2 | |
| rightsourceip=10.255.255.0/24 | |
| rightdns=1.1.1.1 | |
| rightsendcert=never | |
| eap_identity=%identity |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vpn.company.com : RSA server.key | |
| user %any% : EAP "user_password" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment