[strongSwan-dev] Subject certificate signature verification

Martin Willi martin at strongswan.org
Tue Nov 11 09:49:21 CET 2014


Kindly asking to keep the discussion on the list, thanks.

> Is it so that, if (e.g., server side) the ipsec.d/certs folder contains the
> same cert as the client side is using as a subject cert, the certificate
> is automatically trusted?

Just having a cert in ipsec.d/certs does not load it implicitly at all.
Specifying such a cert in a left/rightcert on any connection loads that
certificate as trusted, which means no trust chain validation is
required for any user having a private key for it.

Alternatively you may add a trust anchor constraint by setting a
rightca. This ensures that the peer certificate is issued under a
specific CA, and for example not the one you are using to authenticate
yourself. Explicitly setting rightcert requires that the peer
authenticates with a private key for exactly that certificate specified.
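To make the difference between the two constraints concrete, here is an added ipsec.conf fragment (my own illustration, not something from the original post or from the strongSwan project); the certificate file names and the CA distinguished names are assumed placeholders.

```conf
# Added example: two ways of constraining peer authentication in
# ipsec.conf. Files under ipsec.d/certs are NOT loaded just by being
# there; a cert is loaded (and trusted) only when referenced by a
# left/rightcert option on some connection.

config setup

# Variant 1: trust-anchor constraint. The peer may present any
# certificate, but it must be issued under the named CA. The CA
# certificate itself lives in ipsec.d/cacerts (assumed path).
conn roadwarriors-ca
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gateway.pem             # placeholder: this gateway's own cert
    leftid="C=XX, O=Example, CN=vpn.example.test"
    leftauth=pubkey
    right=%any
    rightid=%any
    rightauth=pubkey
    # Only certs issued by this CA are accepted, even if other CAs are
    # loaded; it need not be the CA that issued gateway.pem.
    rightca="C=XX, O=Example, CN=Example Client CA"
    auto=add

# Variant 2: certificate pinning. The peer must prove possession of the
# private key for exactly this certificate; no chain validation is
# performed because rightcert loads it as trusted directly.
conn pinned-peer
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gateway.pem             # placeholder
    leftauth=pubkey
    right=%any
    rightcert=peer.pem               # placeholder: the one allowed cert
    rightauth=pubkey
    auto=add
```

Choose Variant 1 when many peers under one CA should connect, and Variant 2 when exactly one known certificate must be accepted.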
