IPSec Certificates

StarlingX uses x509 certificate for IPsec authentication. The following are IPsec related certificates.

• Certificates in /etc/swanctl/x509/ directory

  Files in this directory are the IPsec certificates for peer authentication and SA establishment. They are issued by system-local-ca managed by cert-manager.

• Private keys in /etc/swanctl/private/ directory

  Files in this directory are the corresponding private keys of the IPsec certificates in /etc/swanctl/x509/ directory. Together with the certificates, they are used for IPsec authentication and SA establishment.

IPsec certificates are valid for 3 months by default. They are monitored and renewed automatically by the Platform. The IPsec certificates are renewed (along with the corresponding private keys) when the certificates are within 15 days of expiration.

• Certificates in /etc/swanctl/x509ca/ directory

  Files in this directory are the root CA and intermediate CA certificates. These are the CA certificates that sign the IPsec certificates. With these CA certificates, a full certificate chain is established. They are used by IPsec to authenticate peers and SA establishment.

When the system’s root CA certificate is updated (by user running update_platform_certificates.yml for example), the certificates for IPsec, including IPsec certificates, corresponding private keys and CA certificates, will all be updated accordingly.