
strongSwan reads credentials from a well-known directory structure under /etc/swanctl/ and from the secrets section of swanctl.conf. Credentials are loaded into the daemon at runtime using swanctl --load-creds.

Directory structure

Place credential files in the appropriate subdirectory. swanctl --load-creds scans each directory and loads all recognized files automatically.
/etc/swanctl/
├── swanctl.conf
├── conf.d/              # Optional config snippets
├── x509/                # End-entity certificates (PEM or DER)
├── x509ca/              # CA certificates
├── x509crl/             # Certificate Revocation Lists
├── x509aa/              # Attribute Authority certificates
├── x509ac/              # Attribute Certificates
├── private/             # Private keys (RSA, ECDSA, EdDSA — PKCS#1 PEM)
├── rsa/                 # RSA private keys
├── ecdsa/               # ECDSA private keys
├── pubkey/              # Raw public keys
├── pkcs8/               # PKCS#8 private keys
└── pkcs12/              # PKCS#12 bundles
Private keys placed in private/, rsa/, or ecdsa/ are automatically associated with certificates in x509/ by matching the public key. You do not need to reference them explicitly in swanctl.conf.

Loading credentials

# Load all credentials (certificates, keys, and secrets)
swanctl --load-creds

# Load credentials from an alternate config directory
swanctl --load-creds --file /path/to/swanctl.conf
Run swanctl --load-creds after adding or replacing any certificate or key file. The daemon does not watch the filesystem for changes automatically.
To also load connection and pool definitions at the same time:
swanctl --load-all

Certificates

End-entity certificates

Place PEM or DER-encoded certificates in /etc/swanctl/x509/. Reference them in connection config using the certs parameter:
swanctl.conf
connections {
    vpn {
        local {
            auth  = pubkey
            certs = server-cert.pem
        }
    }
}
The file path in certs is relative to /etc/swanctl/x509/ unless an absolute path is given.

CA certificates

Place CA certificates in /etc/swanctl/x509ca/. You can also reference them per-connection with cacerts:
swanctl.conf
connections {
    vpn {
        remote {
            auth    = pubkey
            cacerts = my-ca.pem
        }
    }
}

Certificate Revocation Lists

Place CRL files in /etc/swanctl/x509crl/. strongSwan also fetches CRLs dynamically from URIs embedded in certificates. Enable automatic CRL caching in strongswan.conf to persist fetched CRLs across restarts:
strongswan.conf
charon {
    cache_crls = yes
}

Private keys

Place private keys in /etc/swanctl/private/ (or the type-specific directories rsa/ or ecdsa/). Keys are matched to certificates automatically based on the public key.

Supported formats


Secrets in swanctl.conf

The secrets section of swanctl.conf holds PSKs, EAP passwords, and optional key passphrases.

IKE pre-shared keys

swanctl.conf
secrets {
    ike-peer1 {
        id     = peer1.example.org
        secret = "very-secret-psk"
    }
    ike-peer2 {
        id-1   = peer2.example.org
        id-2   = 192.0.2.2
        secret = 0x0102030405060708090a0b0c0d0e0f10
    }
}
Secret values can be plain strings, hex-encoded with a 0x prefix, or Base64-encoded with a 0s prefix.

EAP and XAuth passwords

swanctl.conf
secrets {
    eap-alice {
        id     = alice
        secret = "alice-password"
    }
    eap-bob {
        id     = bob
        secret = "bob-password"
    }
    # xauth is an alias for eap
    xauth-charlie {
        id     = charlie
        secret = "charlie-password"
    }
}

Private key passphrases

swanctl.conf
secrets {
    private-server {
        file   = server-key.pem
        secret = "key-passphrase"
    }
    pkcs8-client {
        file   = client-key-pkcs8.pem
        secret = "pkcs8-passphrase"
    }
    pkcs12-bundle {
        file   = server.p12
        secret = "bundle-passphrase"
    }
}
Storing private key passphrases in swanctl.conf removes the security benefit of key encryption. Prefer storing private keys unencrypted with strict filesystem permissions (chmod 600), or enter passphrases interactively with swanctl --load-creds.

File permissions

The charon daemon must be able to read all credential files. Recommended permissions:
# Restrict access to credentials directory
chmod 700 /etc/swanctl/private/
chmod 600 /etc/swanctl/private/*.pem
chown root:root /etc/swanctl/private/*.pem

# Certificates can be world-readable
chmod 644 /etc/swanctl/x509/*.pem
chmod 644 /etc/swanctl/x509ca/*.pem
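As an added example (not from the strongSwan docs), the POSIX shell function below audits a swanctl tree for secret material that is readable by group or others, covering the key directories, the directory modes, and swanctl.conf itself, since its secrets section holds PSKs and passwords. It assumes GNU find for the -perm /mode syntax and takes the base directory as a parameter so it can be run against /etc/swanctl or a staging copy.

```shell
#!/bin/sh
# Added example, not part of the strongSwan project. Audits a swanctl
# credential tree for files that expose secret material to group or others.
# Assumes GNU find (-perm /mode).

# Subdirectories that hold private keys or bundles; the docs recommend
# 700 on the directory and 600 on the files.
SECRET_DIRS="private rsa ecdsa pkcs8 pkcs12"

# audit_swanctl_creds BASE
# Prints "exposed: <path>" for every secret-bearing file or directory under
# BASE whose mode grants any group/other permission. Returns 0 when nothing
# is exposed, 1 otherwise. Certificates (x509/, x509ca/) are deliberately
# not checked: they may be world-readable.
audit_swanctl_creds() {
    base="$1"
    # Collect the paths that actually exist into the positional parameters
    # so a single find invocation covers all of them.
    set --
    for d in $SECRET_DIRS; do
        [ -d "$base/$d" ] && set -- "$@" "$base/$d"
    done
    # swanctl.conf carries PSKs, EAP passwords and key passphrases, so it
    # gets the same rule as a private key.
    [ -f "$base/swanctl.conf" ] && set -- "$@" "$base/swanctl.conf"
    [ $# -gt 0 ] || return 0
    # 077 = rwx for group and other; "/" matches if ANY of those bits is set.
    # When run as root, append "! -user root" to also catch wrong ownership.
    exposed=$(find "$@" -perm /077)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed" | sed 's/^/exposed: /'
    return 1
}

# Usage: audit_swanctl_creds /etc/swanctl || echo "fix permissions before --load-creds"
```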