[strongSwan] Certificates in cacerts directory

Andreas Steffen andreas.steffen at strongswan.org
Wed Feb 24 14:26:44 CET 2010

Hello Mugur,

ca sections are mainly used to add additional CRL and OCSP URIs.
In the ikev2/multi-level-ca-cr-init scenario the intermediate CA
certificates do not contain any CDPs, so the CDP must be
added via a ca section statement for the root CA.

Of course a ca section could also be used to just add
CA certificates which are not located in the default
/etc/ipsec.d/cacerts/ directory but this is not the
main intent.

Best regards
> Hello Andreas,
>> You can check this behaviour in our sample scenario 
>> http://www.strongswan.org/uml/testresults43/ikev2/multi-level-ca-cr-init/
> In the example the < ca section > for moon specifies the CA's
> certificate with "cacert=" (almost all other examples do not use
> "cacert=").
> Why "cacert=" is necessary? Which will be the behaviour if "cacert="
> is not specified (for strongSwan and IKEv2 exchanges point of view)?
> In the example the moon's certificate happens to be signed by a
> self-signed root certificate. In general, does "cacert=" specify the
> CA's certificate or the root's certificate (in case is not the same)?
> Thank you Mugur

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
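For readers who have not seen one, here is an added illustration (not from this thread and not one of strongSwan's own test scenarios) of the kind of ca section Andreas describes: a root CA whose certificate already sits in /etc/ipsec.d/cacerts/, with a CRL distribution point and an OCSP responder attached to it because the certificates in the chain carry no CDP themselves. The section name, file name and URIs are constructed placeholders; the parameter names (cacert, crluri, ocspuri, auto) are the standard ipsec.conf ca-section keywords.

```ini
# /etc/ipsec.conf excerpt (added example; names and URIs are constructed)
#
# A "ca" section does not replace the cacerts directory: the root
# certificate is still loaded from /etc/ipsec.d/cacerts/. The section
# attaches revocation-checking URIs to that CA, which is what the
# multi-level-ca-cr-init scenario needs because its intermediate CA
# certificates contain no CRL distribution point.

ca rootca
    # Links this section to the CA; a relative name is resolved
    # under /etc/ipsec.d/cacerts/, an absolute path is used as given.
    cacert=/etc/ipsec.d/cacerts/rootCaCert.pem
    # CDP missing from the issued certificates, supplied here instead
    crluri=http://crl.example.invalid/rootca.crl
    # Optional OCSP responder consulted before falling back to the CRL
    ocspuri=http://ocsp.example.invalid/
    # Load the CA information at startup
    auto=add
```

After `ipsec reload`, `ipsec listcainfos` shows the URIs that were attached to each CA, which is the quickest way to confirm the section was picked up and that revocation checks will have somewhere to go.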
