[strongSwan] Certificates in cacerts directory

ABULIUS, MUGUR (MUGUR) mugur.abulius at alcatel-lucent.com
Mon Feb 22 14:48:54 CET 2010


Hello,

A certificate hierarchy has 3 levels. I want to check which certificates are required in "/etc/ipsec.d/cacerts/" for the following scenarios:

- The strongSwan system's certificate C1 is signed by CA2.
- The CA2's certificate C2 is signed by CA3.
- The CA3's certificate C3 is a self-signed root certificate.

At the authentication phase, the peer system requests the certificate from the strongSwan system, specifying CA=CA3 (the same CA as the root for the local strongSwan system). Can you confirm that certificates C2 and C3 should be provided in "/etc/ipsec.d/cacerts/" and C1 in "/etc/ipsec.d/certs/", and loaded by "charon" at start-up? And are all three certificates then sent by strongSwan in the same message to the peer for authentication?

Can charon manage both PEM and binary DER formats for all certificates?

Thank you
Mugur
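
To see which certificates a trust store must hold for a hierarchy like the one described, here is an added shell example (not code from the post or from strongSwan, and not a description of charon's own behaviour): it builds a constructed C3/C2/C1 chain with the openssl CLI and verifies C1 against a store holding only C3, then one holding C3 and C2. It assumes the openssl CLI is installed; subject names, serials and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the post or from strongSwan: build a constructed
# three-level chain (C3 root -> C2 intermediate -> C1 end entity) with the
# openssl CLI and check which certificates a trust store (the role played by
# cacerts) must hold for C1 to verify up to the self-signed root C3.

csr() {  # $1 = dir, $2 = file stem, $3 = subject CN (constructed names)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1 = working directory
  d="$1"
  # Extensions: C3 and C2 are CAs, C1 is an ordinary end-entity certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/ee.ext"
  csr "$d" c3 'CA3 root' && csr "$d" c2 'CA2 intermediate' && csr "$d" c1 'strongSwan host'
  # C3 is self-signed; C2 is signed by CA3's key; C1 is signed by CA2's key.
  openssl x509 -req -in "$d/c3.csr" -signkey "$d/c3.key" -set_serial 1 -days 3650 \
    -extfile "$d/ca.ext" -out "$d/c3.pem" 2>/dev/null
  openssl x509 -req -in "$d/c2.csr" -CA "$d/c3.pem" -CAkey "$d/c3.key" -set_serial 2 \
    -days 1825 -extfile "$d/ca.ext" -out "$d/c2.pem" 2>/dev/null
  openssl x509 -req -in "$d/c1.csr" -CA "$d/c2.pem" -CAkey "$d/c2.key" -set_serial 3 \
    -days 365 -extfile "$d/ee.ext" -out "$d/c1.pem" 2>/dev/null
}

# Verify C1 against a trust store made only of the given certificate files.
# Returns openssl's status: 0 when a chain up to a self-signed root is found.
verify_c1() {  # $1 = dir, remaining args = trusted certificate files
  d="$1"; shift
  cat "$@" > "$d/trust.pem"
  if openssl verify -no-CApath -CAfile "$d/trust.pem" "$d/c1.pem" >/dev/null 2>&1; then
    echo "ok:   C1 verifies with trust store: $*"
  else
    echo "FAIL: C1 does not verify with trust store: $*"; return 1
  fi
}

W=$(mktemp -d) && make_chain "$W"
verify_c1 "$W" "$W/c3.pem" || true        # root alone: issuer C2 is missing
verify_c1 "$W" "$W/c3.pem" "$W/c2.pem"    # root + intermediate: chain completes
rm -rf "$W"
```

With only the root in the store, openssl cannot find C1's issuer and the check fails; adding the intermediate C2 lets the chain reach C3.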