
These commands manage the credential store of the running daemon. Credentials loaded over VICI are tracked separately from those read from the filesystem at startup. Use clear-creds to remove all VICI-loaded credentials at once.

load-cert

Load a certificate into the daemon.

Input
  type (string, required): Certificate type. One of: X509, X509_AC, X509_CRL.
  flag (string): X.509 certificate flag. One of: NONE, CA, AA, OCSP.
  data (string, required): PEM or DER encoded certificate data.

Response
  success (string): yes on success, no on failure.
  errmsg (string): Human-readable error description on failure.

load-key

Load a private key into the daemon.

Input
  type (string, required): Private key type. One of: rsa, ecdsa, ed25519, ed448, any.
  data (string, required): PEM or DER encoded private key data.

Response
  success (string): yes on success, no on failure.
  id (string): Hex-encoded SHA-1 identifier of the corresponding public key. Present on success and used for subsequent unload-key calls.
  errmsg (string): Human-readable error description on failure.

unload-key

Unload the private key with the given identifier. Only keys loaded over VICI can be unloaded.

Input
  id (string, required): Hex-encoded SHA-1 key identifier of the private key to unload. Obtain this from the id field returned by load-key or load-token.

Response
  success (string): yes on success, no on failure.
  errmsg (string): Human-readable error description on failure.

get-keys

Return the identifiers of private keys loaded exclusively over VICI. Keys loaded by other backends are not included.

Input
  No input parameters.

Response
  keys (list): List of hex-encoded SHA-1 key identifiers.
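The three commands above (load-key, get-keys, unload-key) are what a key rotation over VICI consists of. The block below is an added example, not strongSwan's code, that performs one: it loads the new key, then unloads every other VICI-loaded key. It talks to the daemon through an injected `request(command, message)` callable (a hypothetical name) that returns the decoded response as a dict, so it works with the vici Python package's Session.request or any equivalent client; response values may be str or bytes. The FakeDaemon class is a constructed in-memory stand-in used only so the script runs offline, and its key identifiers are not derived the way charon derives them.

```python
"""Key rotation over VICI with load-key, get-keys and unload-key (added example).

Not strongSwan's code. `request(command, message)` is an injected callable (hypothetical
name) returning the decoded response as a dict, e.g. the vici package's Session.request;
values may be str or bytes. FakeDaemon is a constructed offline stand-in for the daemon.
"""
import hashlib


def _text(v):
    """VICI clients may hand back bytes; compare everything as str."""
    return v.decode() if isinstance(v, bytes) else v


def rotate_key(request, key_type, key_data):
    """Load key_data, then unload every other VICI-loaded private key.

    Returns the new key's identifier. If load-key fails, raises RuntimeError with the
    daemon's errmsg and unloads nothing, so the old key stays usable.
    """
    resp = request("load-key", {"type": key_type, "data": key_data})
    if _text(resp.get("success")) != "yes":
        raise RuntimeError("load-key failed: " + _text(resp.get("errmsg", "unknown error")))
    new_id = _text(resp["id"])

    # get-keys returns only keys loaded over VICI; keys read from the filesystem at
    # startup never appear here, so the loop cannot touch them.
    failures = []
    for key_id in map(_text, request("get-keys", {}).get("keys", [])):
        if key_id == new_id:
            continue
        r = request("unload-key", {"id": key_id})
        if _text(r.get("success")) != "yes":
            failures.append((key_id, _text(r.get("errmsg", "unknown error"))))
    if failures:
        raise RuntimeError("unload-key failed for %s" % failures)
    return new_id


class FakeDaemon:
    """Constructed stand-in implementing the documented semantics in memory.

    Identifiers here are SHA-1 of the key data, which is NOT how charon derives
    them (it hashes the public key); they are only opaque handles for the demo.
    """

    def __init__(self):
        self.vici_keys = {}   # id -> key data, VICI-loaded keys only

    def request(self, command, msg):
        if command == "load-key":
            if msg.get("type") not in ("rsa", "ecdsa", "ed25519", "ed448", "any"):
                return {"success": "no", "errmsg": "invalid private key type"}
            key_id = hashlib.sha1(msg["data"].encode()).hexdigest()
            self.vici_keys[key_id] = msg["data"]
            return {"success": "yes", "id": key_id}
        if command == "get-keys":
            return {"keys": list(self.vici_keys)}
        if command == "unload-key":
            if msg["id"] not in self.vici_keys:   # only VICI-loaded keys can be unloaded
                return {"success": "no", "errmsg": "key not found"}
            del self.vici_keys[msg["id"]]
            return {"success": "yes"}
        raise ValueError("unknown command " + command)


if __name__ == "__main__":
    daemon = FakeDaemon()
    daemon.request("load-key", {"type": "rsa", "data": "OLD-KEY-PEM-PLACEHOLDER"})
    new_id = rotate_key(daemon.request, "rsa", "NEW-KEY-PEM-PLACEHOLDER")
    print("VICI-loaded keys after rotation:", daemon.request("get-keys", {})["keys"])
    print("new key id:", new_id)
```

Against a real daemon, pass `vici.Session().request` as the first argument. The order matters: the new key is loaded and confirmed before anything is unloaded, so a rejected key (wrong type, bad PEM) leaves the previous credential in place, and any unload failure is reported with the daemon's errmsg instead of being swallowed.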

load-token

Load a private key stored on a PKCS#11 hardware token into the daemon. Keys loaded this way can be listed and unloaded using get-keys and unload-key.

Input
  handle (string, required): Hex-encoded CKA_ID attribute of the private key object on the token.
  slot (string): Optional PKCS#11 slot number.
  module (string): Optional PKCS#11 module (shared library path or configured module name).
  pin (string): Optional PIN to access the token. If not provided, the PIN must be supplied by another means (e.g., a PIN callback configured in the PKCS#11 plugin).

Response
  success (string): yes on success, no on failure.
  id (string): Hex-encoded SHA-1 identifier of the public key, derived from the token key.
  errmsg (string): Human-readable error description on failure.

load-shared

Load a shared secret (PSK, EAP password, XAuth password, or NTLM hash) into the daemon.

Input
  id (string): Optional unique identifier for this shared key. Used to unload it later with unload-shared.
  type (string, required): Shared key type. One of: IKE (PSK), EAP, XAUTH, NTLM.
  data (string, required): Raw shared key data.
  owners (list): List of IKE identity strings that own this shared key. Used to match the key to specific peers. Omit to allow any peer to use the key.

Response
  success (string): yes on success, no on failure.
  errmsg (string): Human-readable error description on failure.
Python example

import vici

# Connect to the daemon's VICI socket (the default socket path is used when none is given)
v = vici.Session()

# Load an IKE pre-shared key that only the two listed peer identities may use
v.load_shared({
    "type": "IKE",
    "data": "s3cr3t",
    "owners": ["moon.strongswan.org", "sun.strongswan.org"]
})

unload-shared

Unload a previously loaded shared secret by its unique identifier.

Input
  id (string, required): Unique identifier of the shared key to unload, as set during load-shared.

Response
  success (string): yes on success, no on failure.
  errmsg (string): Human-readable error description on failure.

get-shared

Return a list of identifiers of shared keys loaded exclusively over VICI.

Input
  No input parameters.

Response
  keys (list): List of unique identifiers of VICI-loaded shared keys.

load-authority

Load a single certification authority (CA) definition into the daemon. An existing authority with the same name is replaced. The input message contains a top-level section named after the CA. The contents follow the swanctl.conf(5) authority format.

Input
  <authority name> (section, required): A section named after the CA. Refer to swanctl.conf(5) for the supported parameters (cacert, crl_uris, ocsp_uris, cert_uri_base, etc.).

Response
  success (string): yes on success, no on failure.
  errmsg (string): Human-readable error description on failure.
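The load-shared example above uses the vici Python package, which hides how a request with a list (owners) or a nested section (the per-CA section of load-authority) is actually put on the wire. As an added example, not strongSwan's or the vici package's code, the block below builds both requests by hand following the VICI wire format described in the strongSwan vici plugin README: a 4-byte big-endian packet length, a 1-byte packet type, for requests a length-prefixed command name, then message elements (SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END) with 1-byte name lengths and 2-byte big-endian value lengths. It also decodes the success/errmsg reply and turns a failure into an exception carrying the daemon's message. The socket path is the assumed charon default, and the CA values under `__main__` are constructed placeholders.

```python
"""Hand-rolled VICI client for the credential commands (added example, not strongSwan's code).
Wire format per strongSwan's vici plugin README; socket path is an assumption, demo values are placeholders."""
import socket
import struct

SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)
CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2   # packet types a synchronous command sees


def _prefixed(data, fmt):
    """Length-prefix a name ("!B", 1 byte) or a value ("!H", 2 bytes big-endian).
    struct.pack raises struct.error if the length exceeds what the prefix can carry."""
    b = data if isinstance(data, bytes) else str(data).encode()
    return struct.pack(fmt, len(b)) + b


def encode_message(msg):
    """dict -> elements: nested dicts become sections, lists become lists."""
    out = bytearray()
    for key, val in msg.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _prefixed(key, "!B") + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, (list, tuple)):
            out += bytes([LIST_START]) + _prefixed(key, "!B")
            out += b"".join(bytes([LIST_ITEM]) + _prefixed(i, "!H") for i in val) + bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _prefixed(key, "!B") + _prefixed(val, "!H")
    return bytes(out)


def decode_message(data):
    """elements -> dict; scalar values come back as bytes."""
    root = cur = {}
    stack, cur_list, pos = [], None, 0
    while pos < len(data):
        t, pos = data[pos], pos + 1
        if t in (SECTION_START, KEY_VALUE, LIST_START):   # named elements
            n, pos = data[pos], pos + 1
            name, pos = data[pos:pos + n].decode(), pos + n
        if t in (KEY_VALUE, LIST_ITEM):                   # elements carrying a value
            n = struct.unpack("!H", data[pos:pos + 2])[0]
            val, pos = data[pos + 2:pos + 2 + n], pos + 2 + n
        if t == SECTION_START:
            stack.append(cur)
            cur = cur.setdefault(name, {})
        elif t == SECTION_END:
            cur = stack.pop()
        elif t == KEY_VALUE:
            cur[name] = val
        elif t == LIST_START:
            cur[name] = cur_list = []
        elif t == LIST_ITEM:
            cur_list.append(val)
        elif t == LIST_END:
            cur_list = None
        else:
            raise ValueError("unknown VICI element type %d" % t)
    return root


def frame_request(command, msg):
    """Packet = 4-byte length (excluding itself) + CMD_REQUEST + command name + message."""
    body = bytes([CMD_REQUEST]) + _prefixed(command, "!B") + encode_message(msg)
    return struct.pack("!I", len(body)) + body


def parse_response(packet):
    """Decode the message of a CMD_RESPONSE packet; anything else is an error."""
    body = packet[4:4 + struct.unpack("!I", packet[:4])[0]]
    if body[0] != CMD_RESPONSE:
        raise RuntimeError("daemon does not know this command" if body[0] == CMD_UNKNOWN
                           else "unexpected VICI packet type %d" % body[0])
    return decode_message(body[1:])


def check(resp):
    """Raise with the daemon's errmsg unless success == yes; otherwise return resp."""
    if resp.get("success") != b"yes":
        raise RuntimeError(resp.get("errmsg", b"unknown error").decode())
    return resp


def request(sock, command, msg):
    """Send one request on a connected VICI socket and return the decoded response."""
    sock.sendall(frame_request(command, msg))
    buf = b""
    while len(buf) < 4 or len(buf) < 4 + struct.unpack("!I", buf[:4])[0]:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("VICI socket closed by daemon")
        buf += chunk
    return parse_response(buf)


if __name__ == "__main__":
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect("/var/run/charon.vici")   # assumed default socket path
    check(request(sock, "load-shared", {"type": "IKE", "data": "s3cr3t",
                                        "owners": ["moon.strongswan.org", "sun.strongswan.org"]}))
    # load-authority: one top-level section named after the CA (placeholder values)
    check(request(sock, "load-authority", {"example-ca": {"cacert": "exampleCaCert.pem",
                                                          "crl_uris": ["http://crl.example.invalid/ca.crl"]}}))
```

Two points worth noticing when reading the bytes: the owners list is a LIST_START/LIST_ITEM/LIST_END run whose items have no names, and the load-authority section nests KEY_VALUE and list elements between SECTION_START and SECTION_END, which is exactly what "a top-level section named after the CA" means on the wire. The receive loop reads until the whole length-prefixed packet has arrived, since a single recv is not guaranteed to return it in one piece.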

unload-authority

Unload a previously loaded CA definition by name.

Input
  name (string, required): Name of the certification authority to unload.

Response
  success (string): yes on success, no on failure.
  errmsg (string): Human-readable error description on failure.

flush-certs

Flush the certificate cache. Optionally restrict flushing to a specific certificate type.

Input
  type (string): Certificate type to flush. One of: X509, X509_AC, X509_CRL, OCSP_RESPONSE, PUBKEY, or ANY (the default, which flushes all types).

Response
  success (string): yes on success, no on failure.
  errmsg (string): Human-readable error description on failure.

clear-creds

Clear all certificates, private keys, and shared keys loaded over VICI, and flush the credential cache.

Only VICI-loaded credentials are removed. Credentials loaded by other backends (e.g., from the filesystem) are not affected, but the shared credential cache is flushed for all backends.

Input
  No input parameters.

Response
  success (string): yes on success, no on failure.
  errmsg (string): Human-readable error description on failure.