<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi All,<div><br></div><div>I tried verifying the same ECDSA certificate and CA cert on both strongSwan versions:</div><div>On strongSwan version 5.5.2:</div><div><br></div><div><div>[root@mac-6 ~]# pki --verify --in /etc/ipsec.d/certs/certificate-1.pem --ca /etc/ipsec.d/cacerts/certificate-2.pem</div><div> using certificate "C=IN, ST=M, L=M, O=Yam, OU=Ya, CN=prime1"</div><div> using trusted ca certificate "C=IN, ST=M, L=P, O=Yam, OU=Ya, CN=primeCA"</div><div> reached self-signed root ca with a path length of 0</div><div>certificate trusted, lifetimes valid</div></div><div><br></div><div>Whereas when I tried verifying the same set on strongSwan version 5.6.3:</div><div><br></div><div>[root@mac-7 ~]# pki --verify --in /etc/ipsec.d/certs/certificate-1.pem --ca /etc/ipsec.d/cacerts/certificate-2.pem <br></div><div><div>building CRED_CERTIFICATE - X509 failed, tried 3 builders</div><div>parsing CA certificate from '/etc/ipsec.d/cacerts/certificate-2.pem' failed</div><div>building CRED_CERTIFICATE - X509 failed, tried 3 builders</div><div>parsing certificate failed</div></div><div><br></div><div>Please let me know if there are any changes between the two versions for ECDSA certificates, because the same RSA certificates are working on both versions for me.</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 9, 2019 at 4:17 PM Yogesh Purohit <<a href="mailto:yogeshpurohit2@gmail.com">yogeshpurohit2@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi,</div><div><br></div><div>I was using strongSwan version 5.5.2, where I was using ECDSA certificates.</div><div>Recently I have moved to strongSwan version 5.6.3.</div><div>But with this new version I am facing an issue loading my certificates and keys.
strongSwan fails to load certificates.<br></div><div>I noticed this new line in it: 'building CRED_CERTIFICATE - X509 failed, tried 3 builders'</div><div><br></div><div>charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.4.0-116-generic, x86_64)<br>charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders<br>charon: 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/ca_dummy.pem' failed<br>charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders<br>charon: 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/ca_ecdsa.pem' failed</div><div><br></div><div>Is there any new plugin needed for it, because I was able to use the same certificate with the previous version?<br></div><div><br>-- <br><div dir="ltr" class="gmail-m_-2920427263452619561gmail_signature"><div dir="ltr">Best Regards,<div><br></div><div>Yogesh Purohit</div></div></div></div></div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Best Regards,<div><br></div><div>Yogesh Purohit</div></div></div>