WelingtonMatias (Staff)
May 22, 2026

Technical Tip: Generate client certificate on Ubuntu, submit to AD CS, and validate in Active Directory IPsec IKEv2 VPN certificate method


Description

This article describes step-by-step instructions to generate a client certificate on Ubuntu 22.04 LTS using OpenSSL, submit the Certificate Signing Request (CSR) to Active Directory Certificate Services (AD CS) on Windows Server 2022, and validate that the signed certificate is correctly registered in the AD CA database. The procedure is used in the context of StrongSwan IKEv2 VPN authentication with FortiGate.

Scope

  • Client OS: Ubuntu 22.04 LTS - OpenSSL 1.1.1

  • CA Server: Windows Server 2022 - AD CS (wellscompany-WELLS-ADSERVER-CA)

  • CA Template: VPN-Client (custom - Subject supplied in request)

  • VPN Context: StrongSwan 5.6.2 - IKEv2 - FortiGate mutual certificate auth

Solution

Complete Flow (diagram not reproduced here): generate key and CSR on Ubuntu -> submit the CSR to AD CS via certsrv with the VPN-Client template -> download the signed certificate -> copy it back to Ubuntu and install it in StrongSwan -> validate key, certificate, chain and tunnel.


Step 1 - Generate Private Key and CSR on Ubuntu.


All certificate generation happens on Ubuntu. The private key never leaves the machine.


Create working directory:


mkdir -p ~/vpn-cert && cd ~/vpn-cert


Generate 2048-bit RSA private key:

openssl genrsa -out ubuntu-client.key 2048
ls -la ubuntu-client.key


Expected: -rw------- 1 wells wells 1675 ... ubuntu-client.key.


Generate the Certificate Signing Request (CSR)

openssl req -new -key ubuntu-client.key -out ubuntu-client.csr \
    -subj "/CN=ubuntu/O=wellscompany/C=US"


Confirm the CSR was created:

ls -la ubuntu-client.csr

On OpenSSL 1.1.x the warning below may appear when ~/.rnd does not exist yet. It is harmless and the CSR is still created:

It is not possible to load /home/wells/.rnd into RNG

Check the subject and key size in the CSR:

openssl req -in ubuntu-client.csr -text -noout | grep -E 'Subject:|Public Key'

Expected: a Subject line containing CN = ubuntu, O = wellscompany and C = US (the RDNs print in the order given to -subj; spacing around = depends on the OpenSSL version), followed by Public Key Algorithm: rsaEncryption with a 2048-bit key.


Display CSR content (to copy to AD):


cat ubuntu-client.csr

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END CERTIFICATE REQUEST-----


Select all content including the BEGIN/END lines.

Note: the CSR above is shown only as an example of what is copied into Active Directory for signing; its key was discarded after writing this article and is not used again.

Keep the terminal open with the CSR content visible to copy and paste it into the AD certsrv web interface in the next step.


Step 2 - Transfer CSR to AD Server and Sign the CSR with AD CA (certsrv).


The AD Certificate Services web interface (certsrv) is used to submit the CSR and obtain a signed certificate.


IMPORTANT: submit the request against the custom VPN-Client template. A template whose Subject Name is built from Active Directory (the User template, for example) ignores the subject in the CSR and uses the logged-in account's data, so the certificate comes back as CN=Administrator instead of CN=ubuntu; the unmodified Web Server template keeps the CSR subject but carries only the Server Authentication EKU, not Client Authentication.


Prerequisite: Create VPN-Client template (if not done yet):

  • Open certtmpl.msc on the AD server.

  • Right-click Web Server -> Duplicate Template.

  • In the general tab, set Name = VPN-Client.

  • Subject Name tab: Select Supply in the request.

  • Extensions -> Application Policies: Add Client Authentication.

  • Security tab: give the user Enroll permission.

  • Select OK and publish the template:

  • On AD PowerShell as Administrator:


Add-CATemplate -Name "VPN-Client"


Press Y to confirm. Verify it was published:

certutil -catemplates | findstr VPN-Client


Expected: VPN-Client: VPN-Client.


Submit CSR via certsrv.

  • On the AD server, open the following URL in a browser: http://127.0.0.1/certsrv

  • Select Request a certificate.

  • Select Advanced certificate request.

  • Select Submit a certificate request and use a base-64-encoded CMC or PKCS #10 file.

  • Paste the entire CSR content, including the BEGIN/END lines, into the Saved Request field.

  • In Certificate Template, select: VPN-Client

  • Select Submit.


5f8bd023.png


Download the signed certificate:

  • On the Certificate Issued page, select Base 64 encoded.

  • Select Download certificate.

  • Save as 'ubuntu-client.cer'.


Note: The Download certificate option downloads only the client certificate. The download certificate chain downloads the full chain including the CA cert. For this procedure, downloading the certificate (single cert) is sufficient.


Step 3 - Transfer the signed certificate back to Ubuntu.


Copy ubuntu-client.cer from the AD server into ~/vpn-cert on the Ubuntu client (for example with scp, or by pasting the Base 64 text into a file). Only the certificate moves; the private key stays on Ubuntu.


Step 4 - Install and validate on Ubuntu.


Change to the working directory and check the file format:

cd ~/vpn-cert
file ubuntu-client.cer


Expected: ubuntu-client.cer: PEM certificate. The 'Base 64 encoded' download from certsrv is already PEM; the Windows CRLF line endings in the file are accepted by OpenSSL.


If it is DER format, convert it:

openssl x509 -inform DER -in ubuntu-client.cer -out ubuntu-client.pem


If it is already PEM, rename it:

cp ubuntu-client.cer ubuntu-client.pem


Install certificate and key into StrongSwan:


Install the signed certificate:


sudo cp ubuntu-client.pem /etc/ipsec.d/certs/ubuntu-client.pem
sudo chmod 644 /etc/ipsec.d/certs/ubuntu-client.pem


Install the private key:

sudo cp ubuntu-client.key /etc/ipsec.d/private/ubuntu-client.key
sudo chmod 600 /etc/ipsec.d/private/ubuntu-client.key


Confirm all files are in place (CA_Cert_1.pem is the AD CA certificate, which must already be present in /etc/ipsec.d/cacerts):

ls -la /etc/ipsec.d/certs/ubuntu-client.pem
ls -la /etc/ipsec.d/private/ubuntu-client.key
ls -la /etc/ipsec.d/cacerts/CA_Cert_1.pem


Step 5 - Validation checklist:


Run through each item below in sequence to confirm the full certificate lifecycle is complete and functional:


CSR generated correctly:

openssl req -in ~/vpn-cert/ubuntu-client.csr -text -noout | grep Subject


Certificate subject is correct:

openssl x509 -in ~/vpn-cert/ubuntu-client.pem -noout -subject


Private key matches the certificate (the two hashes must be identical):

openssl x509 -noout -modulus -in ~/vpn-cert/ubuntu-client.pem | openssl md5
openssl rsa -noout -modulus -in ~/vpn-cert/ubuntu-client.key | openssl md5


CA trusts the certificate (expected output is the certificate path followed by ': OK'):

openssl verify -CAfile /etc/ipsec.d/cacerts/CA_Cert_1.pem ~/vpn-cert/ubuntu-client.pem


Certificate registered in the AD CA database (run on the CA server in an elevated command prompt; Disposition=20 selects issued certificates):

certutil -view -restrict "CommonName=ubuntu,Disposition=20" -out "RequestID,CommonName,NotAfter,CertificateTemplate"


StrongSwan files installed with correct permissions:


ls -la /etc/ipsec.d/certs/ubuntu-client.pem
ls -la /etc/ipsec.d/private/ubuntu-client.key
ls -la /etc/ipsec.d/cacerts/CA_Cert_1.pem


Expected: certs: 644 | private: 600 | cacerts: 644.


VPN tunnel connects successfully:


Restart strongSwan so it reloads the certificate and key from /etc/ipsec.d:

sudo ipsec restart


Bring up the connection (vpn-fortigate is the conn name used in ipsec.conf):

sudo ipsec up vpn-fortigate


Verify that the IKE_SA is ESTABLISHED and the CHILD_SA is INSTALLED:

sudo ipsec status
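The script below is an added example written for this article; it is not code from the original page or from Fortinet. It wraps the Step 1 CSR generation, the Step 4 PEM normalisation and the Step 5 checks in shell functions and, so that it can run offline, stands up a throwaway OpenSSL root CA in place of AD CS. The CA name demo-root-ca, the SAN ubuntu.wellscompany.local, the file names, and the two extension files that play the role of the VPN-Client and Web Server templates are all constructed for the demo; only the subject /CN=ubuntu/O=wellscompany/C=US comes from the article. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext) and a default openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original article): Step 1, Step 4 and Step 5 as
# shell functions, exercised against a constructed demo CA instead of AD CS.
set -u

# Step 1: private key (mode 600 via umask) and CSR. The SAN is requested in
# addition to the DN so the FortiGate peer ID can match on either; -verify
# checks the CSR's self-signature, proving key and CSR belong together.
gen_key_csr() {             # gen_key_csr <dir> <name> <subject> <san>
    local dir=$1 name=$2 subj=$3 san=$4
    (umask 077 && openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "$subj" -addext "subjectAltName=$san" 2>/dev/null || return 1
    openssl req -in "$dir/$name.csr" -noout -verify >/dev/null 2>&1
}

# Step 4: certsrv hands back PEM ("Base 64 encoded") or DER; rewrite to a clean
# PEM file with LF line endings either way.
ensure_pem() {              # ensure_pem <in.cer> <out.pem>
    openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null \
        || openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# Step 5: the validation checklist in one call. Returns 0 only if every check
# passes and prints each failure, so a wrong template or a swapped key is named.
validate_client_cert() {    # validate_client_cert <cert.pem> <key> <ca.pem> <expected CN>
    local cert=$1 key=$2 ca=$3 cn=$4 rc=0 pk_cert pk_key
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "FAIL: cannot read private key $key"; rc=1; }
    # Key/cert match: compare SHA-256 of the DER public key (also works for EC
    # keys, unlike the RSA modulus comparison).
    pk_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    pk_key=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$pk_cert" ] && [ "$pk_cert" = "$pk_key" ] || { echo "FAIL: private key does not match certificate"; rc=1; }
    # Subject CN survived the CA (a subject-from-AD template would replace it).
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | grep -Eq "CN=$cn(,|\$)" \
        || { echo "FAIL: subject CN is not $cn"; rc=1; }
    # EKU carries clientAuth: the CA, not the CSR, decides the final extensions,
    # which is why the AD CS template must add Client Authentication.
    openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: no Client Authentication EKU"; rc=1; }
    # Chains to the CA file (the one installed in /etc/ipsec.d/cacerts) and is usable as a client cert.
    openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: does not verify against $ca"; rc=1; }
    # Not expiring within the next 7 days.
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
        || { echo "FAIL: certificate expires within 7 days"; rc=1; }
    return $rc
}

# Constructed demo CA standing in for the AD CS CA. Two extension files play
# the roles of the VPN-Client template (clientAuth added) and the unmodified
# Web Server template (serverAuth only).
setup_demo_pki() {          # setup_demo_pki <dir>
    local dir=$1 tpl
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=demo-root-ca" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null || return 1
    gen_key_csr "$dir" client "/CN=ubuntu/O=wellscompany/C=US" "DNS:ubuntu.wellscompany.local" || return 1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:ubuntu.wellscompany.local\n' > "$dir/vpn-client.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/web-server.ext"
    for tpl in vpn-client web-server; do
        openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -days 30 -sha256 -extfile "$dir/$tpl.ext" -out "$dir/client-$tpl.cer" 2>/dev/null || return 1
        ensure_pem "$dir/client-$tpl.cer" "$dir/client-$tpl.pem" || return 1
    done
    # A key that never signed the CSR, for the mismatch case.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

# Run the whole flow in a scratch directory:  sh vpn-cert-check.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    setup_demo_pki "$work" || exit 1
    for combo in "client-vpn-client.pem client.key" "client-web-server.pem client.key" "client-vpn-client.pem other.key"; do
        set -- $combo
        echo "== $1 with $2 =="
        validate_client_cert "$work/$1" "$work/$2" "$work/ca.pem" ubuntu && echo "PASS"
    done
    rm -rf "$work"
fi
```

Against the real installation from Step 4 the check is a single call: validate_client_cert /etc/ipsec.d/certs/ubuntu-client.pem /etc/ipsec.d/private/ubuntu-client.key /etc/ipsec.d/cacerts/CA_Cert_1.pem ubuntu (run with sudo, since the key is mode 600). In the demo the certificate issued with the Web Server extension set fails both the EKU check and openssl verify -purpose sslclient, which is the failure an IKEv2 peer would see from a certificate issued with the wrong template.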

