Just so this gets into google: If you are creating a Windows Certificate Server CA to use with FreeSWAN/OpenSWAN/etc, don’t set it to be valid past the end of the unix epoch (ie 2038). FreeSWAN barfs on the RootCA cert, with nothing resembling a useful error (mentioned here). Now, back to running around like a chicken with it’s head cut off getting the labs ready to open.