strongSwan – Setting Up Intermediate Certificate Authority for VPN

certificate-authorityipseclinuxstrongswanwindows

I have been testing out strongSwan VPN on a Linux server in a Windows Active Directory domain.

I have managed to get a single-tier PKI with EAP authentication to work, but when I attempt to add a intermediate certificate authority to the setup connecting to the VPN fails.

The VPN and both CA's are Debian 9 boxes.

I have already taken this whole test domain down and I am getting ready to start over from scratch and was wondering if any one had any input on what I might be doing wrong.

Heres the commands I ran to create the CAs and server key pair.

Creating root CA private key:

$ ipsec pki --gen --type rsa --size 4096 --outform pem > ca.key.pem
$ chmod 600 ca.key.pem

Create self-signed certificate:

$ ipsec pki --self --flag serverAuth --in ca.key.pem \ 
  --type rsa --digest sha256 \
  --dn "C=US, O=IT_Testing, CN=VPN Root CA" --ca > ca.crt.der

Create intermediate CA private key:

$ ipsec pki --gen --type rsa --size 4096 --outform pem > intca.key.pem

Generate intermediate CA CSR:

$ ipsec pki --pub --in intca.key.pem --type rsa >  intca.csr

Sign the intermediate CA CSR:

$ ipsec pki --issue --cacert ca.crt.der \ 
  --cakey ca.key.pem --digest sha256 \
  --dn "C=US, O=IT_Testing, CN=INT CA" \
  --san "intca.testdomain.com" --flag serverAuth \ 
  --flag ikeIntermediate --outform pem \
  < intca.csr > intca.crt.pem

Create the VPN server private key and CSR:

$ ipsec pki --gen --type rsa --size 2048 --outform pem > vpn.testdomain.com.key.pem

$ ipsec pki --pub --in vpn.testdomian.com.key.pem --type rsa > vpn.testdomain.com.csr

Sign the VPN server certificate:

$ ipsec pki --issue --cacert intca.crt.pem \ 
  --cakey intca.key.pem --digest sha256 \
  --dn "C=US, O=IT_Testing, CN=vpn.testdomain.com" \
  --san "vpn.testdomain.com" --flag serverAuth --outform pem \
  < vpn.testdomain.com.csr > vpn.testdomain.com.crt.pem

I copy the root CA certificate to /etc/ipsec.d/cacerts, the VPN certificate to /etc/ipsec.d/certs, and the VPN server key to /etc/ipsec.d/private.

I add the line leftcert=/etc/ipsec.d/certs/vpn.testdomain.com.crt.pem to ipsec.conf. As well as point ipsec.secrets to the VPN server's private key.

The rest of the config is the same as the working single-tier pki.

Best Answer

When issuing the intermediate CA certificate make sure you add --ca to the command line to add the CA basicConstraint and actually create a CA certificate.

And don't add the serverAuth and ikeIntermediate flags to it, only add them to the server certificate. ikeIntermediate does not refer to intermediate CA certificates, but IPsec intermediate systems, and it's probably not necessary to add it anymore (it was only defined in a draft and I think only very old version of macOS required it).

Related Solutions

OpenSSL – Certification Authority Root Certificate Expiry and Renewal

Keeping the same private key on your root CA allows for all certificates to continue to validate successfully against the new root; all that's required of you is to trust the new root.

The certificate signing relationship is based on a signature from the private key; keeping the same private key (and, implicitly, the same public key) while generating a new public certificate, with a new validity period and any other new attributes changed as needed, keeps the trust relationship in place. CRLs, too, can continue over from the old cert to the new, as they are, like certificates, signed by the private key.

So, let's verify!

Make a root CA:

openssl req -new -x509 -keyout root.key -out origroot.pem -days 3650 -nodes

Generate a child certificate from it:

openssl genrsa -out cert.key 1024
openssl req -new -key cert.key -out cert.csr

Sign the child cert:

openssl x509 -req -in cert.csr -CA origroot.pem -CAkey root.key -create_serial -out cert.pem
rm cert.csr

All set there, normal certificate relationship. Let's verify the trust:

# openssl verify -CAfile origroot.pem -verbose cert.pem
cert.pem: OK

Ok, so, now let's say 10 years passed. Let's generate a new public certificate from the same root private key.

openssl req -new -key root.key -out newcsr.csr
openssl x509 -req -days 3650 -in newcsr.csr -signkey root.key -out newroot.pem
rm newcsr.csr

And.. did it work?

# openssl verify -CAfile newroot.pem -verbose cert.pem
cert.pem: OK

But.. why? They're different files, right?

# sha1sum newroot.pem
62577e00309e5eacf210d0538cd79c3cdc834020  newroot.pem
# sha1sum origroot.pem
c1d65a6cdfa6fc0e0a800be5edd3ab3b603e1899  origroot.pem

Yes, but, that doesn't mean that the new public key doesn't cryptographically match the signature on the certificate. Different serial numbers, same modulus:

# openssl x509 -noout -text -in origroot.pem
        Serial Number:
            c0:67:16:c0:8a:6b:59:1d
...
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bd:56:b5:26:06:c1:f6:4c:f4:7c:14:2c:0d:dd:
                    3c:eb:8f:0a:c0:9d:d8:b4:8c:b5:d9:c7:87:4e:25:
                    8f:7c:92:4d:8f:b3:cc:e9:56:8d:db:f7:fd:d3:57:
                    1f:17:13:25:e7:3f:79:68:9f:b5:20:c9:ef:2f:3d:
                    4b:8d:23:fe:52:98:15:53:3a:91:e1:14:05:a7:7a:
                    9b:20:a9:b2:98:6e:67:36:04:dd:a6:cb:6c:3e:23:
                    6b:73:5b:f1:dd:9e:70:2b:f7:6e:bd:dc:d1:39:98:
                    1f:84:2a:ca:6c:ad:99:8a:fa:05:41:68:f8:e4:10:
                    d7:a3:66:0a:45:bd:0e:cd:9d
# openssl x509 -noout -text -in newroot.pem
        Serial Number:
            9a:a4:7b:e9:2b:0e:2c:32
...
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bd:56:b5:26:06:c1:f6:4c:f4:7c:14:2c:0d:dd:
                    3c:eb:8f:0a:c0:9d:d8:b4:8c:b5:d9:c7:87:4e:25:
                    8f:7c:92:4d:8f:b3:cc:e9:56:8d:db:f7:fd:d3:57:
                    1f:17:13:25:e7:3f:79:68:9f:b5:20:c9:ef:2f:3d:
                    4b:8d:23:fe:52:98:15:53:3a:91:e1:14:05:a7:7a:
                    9b:20:a9:b2:98:6e:67:36:04:dd:a6:cb:6c:3e:23:
                    6b:73:5b:f1:dd:9e:70:2b:f7:6e:bd:dc:d1:39:98:
                    1f:84:2a:ca:6c:ad:99:8a:fa:05:41:68:f8:e4:10:
                    d7:a3:66:0a:45:bd:0e:cd:9d

Let's go a little further to verify that it's working in real world certificate validation.

Fire up an Apache instance, and let's give it a go (debian file structure, adjust as needed):

# cp cert.pem /etc/ssl/certs/
# cp origroot.pem /etc/ssl/certs/
# cp newroot.pem /etc/ssl/certs/
# cp cert.key /etc/ssl/private/

We'll set these directives on a VirtualHost listening on 443 - remember, the newroot.pem root certificate didn't even exist when cert.pem was generated and signed.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateKeyFile /etc/ssl/private/cert.key
SSLCertificateChainFile /etc/ssl/certs/newroot.pem

Let's check out how openssl sees it:

# openssl s_client -showcerts -CAfile newroot.pem -connect localhost:443

Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server.lan
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
-----BEGIN CERTIFICATE-----
MIICHzCCAYgCCQCapHvpKw4sMjANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJB
...
-----END CERTIFICATE-----
(this should match the actual contents of newroot.pem)
...
Verify return code: 0 (ok)

Ok, and how about a browser using MS's crypto API? Gotta trust the root, first, then it's all good, with the new root's serial number:

newroot

And, we should still be working with the old root, too. Switch Apache's config around:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateKeyFile /etc/ssl/private/cert.key
SSLCertificateChainFile /etc/ssl/certs/origroot.pem

Do a full restart on Apache, a reload won't switch the certs properly.

# openssl s_client -showcerts -CAfile origroot.pem -connect localhost:443

Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server.lan
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
-----BEGIN CERTIFICATE-----
MIIC3jCCAkegAwIBAgIJAMBnFsCKa1kdMA0GCSqGSIb3DQEBBQUAMFQxCzAJBgNV
...
-----END CERTIFICATE-----
(this should match the actual contents of origroot.pem)
...
Verify return code: 0 (ok)

And, with the MS crypto API browser, Apache's presenting the old root, but the new root's still in the computer's trusted root store. It'll automatically find it and validate the cert against the trusted (new) root, despite Apache presenting a different chain (the old root). After stripping the new root from trusted roots and adding the original root cert, all is well:

oldroot

So, that's it! Keep the same private key when you renew, swap in the new trusted root, and it pretty much all just works. Good luck!

PfSense/strongSwan “deleting half open IKE_SA after timeout” – IPSec connection Android 4.4 to pfSense 2.2.1 fails

I've been having this exact same issue.

As per this [IKEv1 can't connect from Android's default vpn client], there is a bug in the current Android VPN IKEv1 client that happens if aggressive mode is selected and a "IPsec identifier" is used to configure the Android client.

The solution is to clear the "IPsec identifier" entry from the android client and in Phase 1 proposal the negotiation mode should be Main.

In my setup the Phase 1 proposal (Authentication) : Authentication method is Mutual PSK + Xauth and not just Mutual PSK.

Best Answer

Related Solutions

OpenSSL – Certification Authority Root Certificate Expiry and Renewal

PfSense/strongSwan “deleting half open IKE_SA after timeout” – IPSec connection Android 4.4 to pfSense 2.2.1 fails

Related Topic