How-To
Services
Internal
Historical
External Tools
Many IKE implementations support manually configuring trusted public keys, without having to create a CA, generate CSRs, sign certificates, or remember/look up the commands to do those things.
Keep in mind that certificates are just public keys wrapped with some extra metadata so that your router can automatically verify that it belongs to someone you trust. Certificates are useful for instances where there are so many peers that it's infeasible to manually configure each one's public key, such as a "road warrior" configuration or DMVPN. In those scenarios it makes sense to set up a Certificate Authority to handle it.
Different implementations use different formats to represent public keys, and it's necessary to be able to convert between them. Here is a script for that purpose:
https://raw.githubusercontent.com/zeroae/pubkey-converter/master/pubkey-converter.pl
Implementation | Key format |
---|---|
strongSwan >= 5.0.0 | PEM |
Cisco IOS | Hexadecimal DER |
Mikrotik RouterOS | PEM |
OpenBSD | PEM |
Racoon | Base64 RFC 3110 |
strongSwan < 5.0.0 | Base64 RFC 3110 |
VyOS/EdgeOS | Base64 RFC 3110 |
Hosted by: BURBLE-MNT, GRMML-MNT, XUU-MNT, JAN-MNT, LARE-MNT, SARU-MNT, ANDROW-MNT, MARK22K-MNT | Accessible via: dn42, dn42.dev, dn42.eu, wiki.dn42.us, dn42.de (IPv6-only), dn42.cc (wiki-ng), dn42.wiki, dn42.pp.ua, dn42.obl.ong
Last edited by lare, 2023-04-08 21:53:12