[strongSwan] Certificates in cacerts directory

Andreas Steffen andreas.steffen at strongswan.org
Mon Feb 22 15:39:31 CET 2010

> Hello,
> A certificates hierarchy has 3 levels. I want to check which
> certificates are required in "/etc/ipsec.d/cacerts/" for the
> following scenarios:
> - The strongSwan system's certificate C1 is signed by CA2.
> - The CA2's certificate C2 is signed by CA3.
> - The CA3's certificate C3 is a self-signed root certificate.
> At authentication phase the peer system requests the certificate from
> strongSwan systems specifying a CA=CA3 (the same CA as the root for
> the local strongSwan system). Can you confirm that certificates C2
> and C3 should be provided in "/etc/ipsec.d/cacerts/" and C1 in
> "/etc/ipsec.d/certs/" and loaded by "charon" at start-up? and then
> all three certificates are sent by strongSwan in the same message to
> peer for authentication?
If the peer has CA3 in its CERTREQ then the strongSwan system
sends C1 and C2 but not C3, since a self-signed certificate will
never be accepted. The peer must have the C3 root CA certificate stored
locally. You can check this behaviour in our sample scenario

where carol and dave possess certs issued by a multi-level CA hierarchy.
Gateway moon has the root CA certificate but does not possess the
intermediate CA and end entity certificates and therefore puts the
root CA into its CERTREQ:


: 13[IKE] sending cert request for "C=CH, O=Linux strongSwan,
                           CN=strongSwan Root CA"
: 14[IKE] received end entity cert "C=CH, O=Linux strongSwan,
                           OU=Research, CN=carol at strongswan.org"
: 14[IKE] received issuer cert "C=CH, O=Linux strongSwan, OU=Research,
                           CN=Research CA"

> Can charon manage both PEM and binary DER formats for all
> certificates?
Yes, charon recognizes DER and PEM formats irrespective of the
certificate file suffix and automatically converts PEM into
DER format. Certificates sent via IKEv2 in CERT payloads are always
in binary DER format, and certificates fetched via hash-and-url
from an HTTP server must be in binary DER, too.

> Thank you, Mugur

Best regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
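The behaviour described in the reply above (end entity and intermediate certificates go into the CERT payloads, the self-signed root is never sent and must be trusted locally by the peer, and DER/PEM are recognised regardless of file suffix), reproduced as an added example. This is not code from the mailing list, from strongSwan or from its `pki` tool: it uses the plain openssl CLI (assumed to be version 1.1.1 or later and on the PATH) to build a three-level hierarchy with made-up names (Root CA3, Intermediate CA2, moon.example.org) and then runs the checks a peer would. The rule "send every non-self-signed member of the chain" is a simplification of charon's selection logic, which also takes the CERTREQ contents into account.

```shell
#!/bin/sh
# Added example (not strongSwan's code): a 3-level hierarchy built with the openssl CLI,
# used to check what the peer must hold locally, what goes into CERT payloads, and how
# DER/PEM are told apart without relying on the file suffix. All names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: empty DN section (we pass -subj) plus two extension profiles.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$WORK/req.cnf"
printf '[ee_ext]\nbasicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\n' >> "$WORK/req.cnf"

# issue NAME SUBJECT ISSUER EXT_SECTION: key + CSR for NAME, certificate signed by ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -extfile "$WORK/req.cnf" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
}

# C3 = self-signed root CA3, C2 = intermediate CA2 signed by CA3, C1 = end entity signed by CA2.
make_hierarchy() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/req.cnf" \
    -extensions ca_ext -subj "/C=CH/O=Example/CN=Root CA3" \
    -keyout "$WORK/ca3.key" -out "$WORK/ca3.pem" 2>/dev/null
  issue ca2 "/C=CH/O=Example/CN=Intermediate CA2" ca3 ca_ext
  issue c1  "/C=CH/O=Example/CN=moon.example.org" ca2 ee_ext
}

# A certificate whose subject equals its issuer is self-signed (compared via OpenSSL's DN hashes).
is_self_signed() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# Chain members that go into IKEv2 CERT payloads: end entity plus intermediates, never the
# self-signed root (the peer has to trust that one locally).
certs_to_send() {
  for f in "$WORK/c1.pem" "$WORK/ca2.pem" "$WORK/ca3.pem"; do
    is_self_signed "$f" || openssl x509 -noout -subject -in "$f"
  done
}

# Peer view 1: C1 and C2 received, root C3 held locally as trust anchor -> chain verifies.
peer_verify_with_local_root() {
  openssl verify -no-CApath -CAfile "$WORK/ca3.pem" -untrusted "$WORK/ca2.pem" "$WORK/c1.pem" >/dev/null 2>&1
}

# Peer view 2: no local root, sender pushes C3 inline next to C2 -> rejected
# (OpenSSL reports "self-signed certificate in certificate chain"), as charon would.
peer_verify_root_sent_inline() {
  cat "$WORK/ca2.pem" "$WORK/ca3.pem" > "$WORK/inline.pem"
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/inline.pem" "$WORK/c1.pem" >/dev/null 2>&1
}

# Sniff the encoding from the first byte, ignoring the suffix: 0x30 is an ASN.1 SEQUENCE
# tag (DER), 0x2d is the '-' of "-----BEGIN CERTIFICATE-----" (PEM).
cert_format() {
  case "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" in
    30) echo DER ;;
    2d) echo PEM ;;
    *)  echo UNKNOWN ;;
  esac
}

# Normalise any input to DER, the only encoding used in CERT payloads and for hash-and-url.
to_der() { openssl x509 -inform "$(cert_format "$1")" -in "$1" -outform DER -out "$2"; }

# RFC 7296 hash-and-url: the hash is SHA-1 over the DER-encoded certificate,
# so it must equal the certificate's SHA-1 fingerprint.
hash_and_url_digest() { openssl dgst -sha1 "$1" | awk '{print $NF}'; }
fingerprint() {
  openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha1 \
    | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

make_hierarchy
echo "CERT payloads for a CERTREQ naming Root CA3:"; certs_to_send
if peer_verify_with_local_root; then echo "peer holds C3 locally: chain verifies"; fi
if ! peer_verify_root_sent_inline; then echo "peer lacks C3, C3 sent inline: rejected"; fi
to_der "$WORK/c1.pem" "$WORK/c1.crt"     # DER bytes behind a .crt suffix
echo "c1.pem is $(cert_format "$WORK/c1.pem"), c1.crt is $(cert_format "$WORK/c1.crt")"
echo "hash-and-url digest: $(hash_and_url_digest "$WORK/c1.crt")"
```

Run it as `sh chain-check.sh`; it creates and removes its own temporary directory. The second verify step is the one worth internalising: handing the peer your self-signed root inside the exchange does nothing, because a trust anchor can only come from the peer's own store.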
