[strongSwan-dev] [strongSwan] Strongswan does not remove CA Certificate from its internal objects (RAM) even after removing the certificate from cacerts directory or ca section.

Martin Willi martin at strongswan.org
Wed May 13 11:47:02 CEST 2015


Hi,

> ca section1
>         cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem

> 6. After removing this and executing "ipsec update" we expect that the
> SA will not get established as the end which does not have root CA of
> peer will reject the IKE_AUTH.

All CA certificates placed under the cacerts directory get loaded
implicitly. The ipsec.conf ca section is there to load CA certificates
from other locations, or to define additional properties for that CA
(refer to the ipsec.conf manpage for details).

Further, CA certificate unloading was not supported until 5.3.0, see
[1]. With that version, you can re/unload all CA certificates from the
cacerts directory using the "ipsec reread" command, or use "ipsec
update" to re/unload CA certificates referenced in ipsec.conf ca
sections.

Regards
Martin

[1] https://wiki.strongswan.org/issues/842
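As an added example (not code from this thread or from the strongSwan project), a small POSIX shell check for the unloading behaviour described above: capture `ipsec listcacerts` before and after `ipsec reread` and report which CA subjects disappeared from the daemon. The `subject:  "..."` output line format and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a CA certificate
# really disappears from charon's memory after "ipsec reread" (strongSwan >= 5.3.0).
# Assumes "ipsec listcacerts" prints each loaded CA with a line of the form:
#   subject:  "C=CH, O=..., CN=..."

# Print the sorted, unique subject DNs found in one listcacerts output ($1).
loaded_subjects() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*subject:[[:space:]]*"\(.*\)".*$/\1/p' | sort -u
}

# Print subjects present in the BEFORE output ($1) but missing from AFTER ($2),
# i.e. the CAs that were actually unloaded by the reload.
removed_subjects() {
    before=$(mktemp) && after=$(mktemp) || return 1
    loaded_subjects "$1" > "$before"
    loaded_subjects "$2" > "$after"
    comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

# Live procedure: list, reload from the cacerts directory, list again, diff.
# Needs a running charon, so it is defined but not called here.
check_reread() {
    b=$(ipsec listcacerts)
    ipsec reread
    a=$(ipsec listcacerts)
    removed_subjects "$b" "$a"
}

# Constructed sample outputs: the "Old Root CA" file was deleted before the reread.
SAMPLE_BEFORE='List of X.509 CA Certificates

  subject:  "C=CH, O=strongSwan, CN=strongSwan CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  subject:  "C=CH, O=Example, CN=Old Root CA"
  issuer:   "C=CH, O=Example, CN=Old Root CA"'
SAMPLE_AFTER='List of X.509 CA Certificates

  subject:  "C=CH, O=strongSwan, CN=strongSwan CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"'

removed_subjects "$SAMPLE_BEFORE" "$SAMPLE_AFTER"   # prints: C=CH, O=Example, CN=Old Root CA
```

An empty result from `check_reread` after deleting a file from cacerts means the certificate is still loaded, which is the behaviour to expect on releases before 5.3.0.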