The strongSwan pki tool is a command-line utility for managing the full lifecycle of X.509 certificates and private keys used in IKEv2 VPN authentication. It can generate keys, build certificate authorities, issue end-entity certificates, sign CRLs, and inspect or verify existing credentials — all without depending on OpenSSL’s openssl CLI.

Subcommands

Command          Description
pki --gen        Generate a private key (RSA, ECDSA, Ed25519, Ed448)
pki --self       Create a self-signed CA certificate from a private key
pki --issue      Issue a signed end-entity certificate using a CA key and cert
pki --req        Create a PKCS#10 certificate signing request (CSR)
pki --signcrl    Sign a Certificate Revocation List
pki --print      Print the contents of a certificate, CRL, or key
pki --verify     Verify a certificate’s signature chain
pki --pub        Extract the public key from a private key
pki --pkcs12     Create or extract PKCS#12 bundles
pki --pkcs7      PKCS#7 container operations
pki --acert      Issue attribute certificates
pki --dn         Extract the distinguished name from a certificate
pki --keyid      Compute the key identifier of a key or certificate
pki --ocsp       Perform OCSP requests
pki --scep       SCEP certificate enrollment
pki --est        EST certificate enrollment
Run pki --help or pki <subcommand> --help for full option documentation.

Supported key types

Type      Sizes / Curves          Notes
RSA       2048, 3072, 4096 bits   Traditional; use 3072+ for new deployments
ECDSA     256, 384, 521 bits      NIST P-curves; good performance and security
Ed25519   256 bits                Recommended for new CAs and host keys
Ed448     448 bits                Higher security margin EdDSA variant
Ed25519 is the recommended default for new strongSwan deployments. It offers 128-bit security with fast operations and compact keys.

Output formats

All pki commands that write credentials support --outform:
  • der — Binary ASN.1 DER (default for most commands)
  • pem — Base64 PEM (human-readable, preferred for config files)
strongSwan automatically detects the format from file content regardless of the file extension.

File locations under /etc/swanctl/

strongSwan’s swanctl loads credentials from a well-known directory tree:
/etc/swanctl/
├── x509ca/        # CA certificates (DER or PEM)
├── x509/          # Host and user end-entity certificates
├── x509crl/       # Certificate Revocation Lists
├── private/       # Private keys (restrict permissions: 600)
└── pkcs12/        # PKCS#12 bundles for client import
Files under private/ must be readable only by root (mode 600 or 400). A world-readable private key compromises the entire VPN.
After placing or updating credential files, reload them into the running daemon:
swanctl --load-creds
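Putting the subcommands above together, as an added example that is not part of the strongSwan documentation or the pki tool: a POSIX shell script that builds an Ed25519 CA, issues and verifies a host certificate with pki --issue, and audits a private-key directory for the 600/400 permissions this page requires. The output directory, DNs and hostname are constructed sample values; the script assumes the pki binary is on PATH for the certificate steps and skips them otherwise.

```shell
#!/bin/sh
# Added example, not part of the strongSwan docs or the pki tool itself.
# Assumes `pki` is on PATH for the certificate steps; DNs, hostname and
# directories below are constructed sample values.
set -eu

# check_private_perms DIR: return 1 if any file under DIR is group- or
# world-accessible; swanctl private keys must be mode 600 or 400.
check_private_perms() {
  dir=$1
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    case "$mode" in
      600|400) ;;
      *) echo "WARN: $f has mode $mode (expected 600 or 400)" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# build_ca OUTDIR: Ed25519 CA key and self-signed root certificate, PEM output.
build_ca() {
  out=$1
  umask 077                      # key file is created mode 600 from the start
  pki --gen --type ed25519 --outform pem > "$out/caKey.pem"
  pki --self --ca --lifetime 3650 --in "$out/caKey.pem" \
      --dn "C=CH, O=Example VPN, CN=Example Root CA" --outform pem > "$out/caCert.pem"
}

# issue_host_cert OUTDIR FQDN: host key plus CA-signed certificate carrying the
# SAN and the serverAuth/ikeIntermediate EKUs that IKEv2 clients check.
issue_host_cert() {
  out=$1; fqdn=$2
  umask 077
  pki --gen --type ed25519 --outform pem > "$out/${fqdn}Key.pem"
  pki --pub --in "$out/${fqdn}Key.pem" --type ed25519 \
    | pki --issue --lifetime 365 --cacert "$out/caCert.pem" --cakey "$out/caKey.pem" \
          --dn "C=CH, O=Example VPN, CN=$fqdn" --san "$fqdn" \
          --flag serverAuth --flag ikeIntermediate --outform pem > "$out/${fqdn}Cert.pem"
  pki --verify --in "$out/${fqdn}Cert.pem" --cacert "$out/caCert.pem"
}

if command -v pki >/dev/null 2>&1; then   # full flow only when pki is installed
  work=$(mktemp -d)
  build_ca "$work"
  issue_host_cert "$work" vpn.example.com
  check_private_perms "$work"    # everything was written under umask 077, so this passes
fi
```

Copy the resulting files into /etc/swanctl/x509ca/, x509/ and private/ and run swanctl --load-creds; the audit function can be pointed at /etc/swanctl/private/ on a running host.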

Where to go next

CA Setup

Generate a CA key and self-signed root certificate.

Generating Certificates

Issue host and user certificates signed by your CA.

CRL Management

Sign and distribute Certificate Revocation Lists.
