
The --list-certs command queries charon for all credentials loaded into its certificate store and prints their details. It covers end-entity certificates, CA certificates, certificate revocation lists (CRLs), OCSP responses, and trusted raw public keys.

Synopsis

swanctl --list-certs [--type <type>] [--flag <flag>] [--subject <dn/san>]
                     [--pem] [--short] [--utc] [--raw|--pretty]

Options

--type
string
Filter by credential type. Accepted values:
Value          Description
x509           X.509 end-entity and CA certificates (default if omitted)
x509_ac        X.509 attribute certificates
x509_crl       Certificate revocation lists
ocsp_response  Cached OCSP responses
pubkey         Trusted raw public keys (without a wrapping certificate)
--flag
string
Filter X.509 certificates by their usage flag. Only meaningful with --type x509. Accepted values:
Value  Description
none   End-entity certificates (no special flag)
ca     CA certificates (CA:TRUE in Basic Constraints)
aa     Attribute authority certificates
ocsp   OCSP signing certificates
any    Match all flags
--subject
string
Filter certificates whose Subject Distinguished Name or Subject Alternative Name contains the given string. Accepts a full DN, a partial DN component (e.g., CN=moon), or an IP/DNS SAN.
--pem
boolean
Print the PEM encoding of each matching certificate instead of the human-readable summary. Useful for extracting certificates from the daemon store.
--short
boolean
Omit extended certificate details (Subject Alternative Names, Key Usage extensions, etc.) and print a condensed one-block summary per certificate.
--utc
boolean
Display validity timestamps in UTC instead of local time.
--raw
boolean
Dump the raw VICI event messages for each certificate.
--pretty
boolean
Dump raw VICI event messages with pretty-print indentation. Implies --raw.
--uri
string
VICI socket URI. Overrides the default unix:///var/run/charon.vici.

Example output

List all loaded certificates

swanctl --list-certs
List of X.509 End Entity Certificates

  subject:  "C=CH, O=strongSwan, CN=moon.strongswan.org"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  validity:  not before Jan 01 00:00:00 2024, ok
             not after  Dec 31 23:59:59 2026, ok (expires in 1000 days)
  serial:    01
  flags:     
  subjkeyId: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
  pubkey:    RSA 3072 bits, has private key
  keyid:     aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
  subjkey:   aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd

List of X.509 CA Certificates

  subject:  "C=CH, O=strongSwan, CN=strongSwan CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  validity:  not before Jan 01 00:00:00 2020, ok
             not after  Dec 31 23:59:59 2030, ok (expires in 2500 days)
  serial:    00
  flags:     CA CRLSign self-signed
  subjkeyId: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
  pubkey:    RSA 4096 bits
  keyid:     11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
  subjkey:   11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44

Output field reference

Field      Description
subject    Subject Distinguished Name of the certificate
issuer     Issuer Distinguished Name; identical to subject for self-signed CA certificates
validity   "not before" and "not after" timestamps, with the remaining validity in days
serial     Certificate serial number (hex)
flags      X.509 extension flags: CA, CRLSign, self-signed, serverAuth, clientAuth, etc.
subjkeyId  Subject Key Identifier extension value (hex)
pubkey     Algorithm and key size; shows "has private key" when the corresponding private key is also loaded
keyid      SHA-1 hash of the public key (used for key matching in strongSwan)
subjkey    SHA-1 hash of the SubjectPublicKeyInfo DER encoding
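The listing format above is regular enough to drive an expiry check. As an added example (not part of the strongSwan documentation or the swanctl code), the following Python parses the --list-certs output into one record per certificate and returns those whose remaining validity is at or below a threshold; the embedded sample is constructed from the format shown on this page, and treating a "not after" line that carries no "expires in N days" note as already expired is an assumption.

```python
import re
SAMPLE = (  # constructed sample in the listing format shown above, not real daemon output
"""List of X.509 End Entity Certificates
  subject:  "C=CH, O=strongSwan, CN=sun.strongswan.org"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  validity:  not before Jan 01 00:00:00 2024, ok
             not after  Feb 01 00:00:00 2025, ok (expires in 12 days)
  flags:
  pubkey:    RSA 3072 bits, has private key

List of X.509 CA Certificates
  subject:  "C=CH, O=strongSwan, CN=strongSwan CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  validity:  not before Jan 01 00:00:00 2020, ok
             not after  Dec 31 23:59:59 2030, ok (expires in 2500 days)
  flags:     CA CRLSign self-signed
  pubkey:    RSA 4096 bits
""")

SECTION_RE = re.compile(r"^List of (.+)$")       # "List of X.509 CA Certificates"
FIELD_RE = re.compile(r"^\s+(\w+):\s*(.*)$")     # indented "key:   value" lines
EXPIRES_RE = re.compile(r"expires in (\d+) days")

def parse_list_certs(text):  # one dict per certificate in the listing
    records, section, cur = [], None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := FIELD_RE.match(line):
            key, value = m.group(1), m.group(2).strip().strip('"')
            if key == "subject":  # every record starts with its subject line
                cur = {"section": section, "subject": value, "flags": [],
                       "days_left": None, "has_private_key": False}
                records.append(cur)
            elif key == "flags":
                cur["flags"] = value.split()
            elif key == "pubkey":
                cur["has_private_key"] = "has private key" in value
            else:
                cur[key] = value
        elif cur is not None and "not after" in line:
            # validity continuation; no "expires in N days" (assumed: expired) -> 0 days
            m = EXPIRES_RE.search(line)
            cur["days_left"] = int(m.group(1)) if m else 0
    return records

def expiring_within(records, days):  # (subject, days_left) at or below the threshold
    return [(r["subject"], r["days_left"]) for r in records
            if r["days_left"] is not None and r["days_left"] <= days]
```

For live data, pass the output of swanctl --list-certs (read from standard input or a file) to parse_list_certs instead of SAMPLE.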

Filtering examples

Show only CA certificates

swanctl --list-certs --type x509 --flag ca

Find a certificate by subject

swanctl --list-certs --subject "CN=moon"

List loaded CRLs

swanctl --list-certs --type x509_crl

Export a certificate in PEM format

swanctl --list-certs --subject "CN=moon.strongswan.org" --pem > moon.pem

Compact listing of all certificates

swanctl --list-certs --short

See also