[strongSwan] Certificates in cacerts directory

ABULIUS, MUGUR (MUGUR) mugur.abulius at alcatel-lucent.com
Mon Feb 22 14:48:54 CET 2010


A certificates hierarchy has 3 levels. I want to check which certificates are required in "/etc/ipsec.d/cacerts/" for the following scenarios:

- The strongSwan system's certificate C1 is signed by CA2.
- The CA2's certificate C2 is signed by CA3.
- The CA3's certificate C3 is a self-signed root certificate.

At authentication phase the peer system requests the certificate from strongSwan systems specifying a CA=CA3 (the same CA as the root for the local strongSwan system). Can you confirm that certificates C2 and C3 should be provided in "/etc/ipsec.d/cacerts/" and C1 in "/etc/ipsec.d/certs/" and loaded by "charon" at start-up? and then all three certificates are sent by strongSwan in the same message to peer for authentication?

Can charon manage both PEM and binary DER formats for all certificates?

Thank you

More information about the Users mailing list