[strongSwan] Certificates in cacerts directory
Andreas Steffen
andreas.steffen at strongswan.org
Wed Feb 24 14:26:44 CET 2010
Hello Mugur,
ca sections are mainly used to add additional CRL and OCSP URIs.
In the ikev2/multi-level-ca-cr-init scenario the intermediate CA
certificates do not contain any CDPs, so the CDP must be
added via a ca section statement for the root CA.
Of course a ca section could also be used to just add
CA certificates which are not located in the default
/etc/ipsec.d/cacerts/ directory but this is not the
main intent.
Best regards
Andreas
ABULIUS, MUGUR (MUGUR) wrote:
> Hello Andreas,
>
>> You can check this behaviour in our sample scenario
>> http://www.strongswan.org/uml/testresults43/ikev2/multi-level-ca-cr-init/
>>
>
> In the example the < ca section > for moon specifies the CA's
> certificate with "cacert=" (almost all other examples do not use
> "cacert=").
>
> Why "cacert=" is necessary? Which will be the behaviour if "cacert="
> is not specified (for strongSwan and IKEv2 exchanges point of view)?
>
> In the example the moon's certificate happens to be signed by a
> self-signed root certificate. In general, does "cacert=" specify the
> CA's certificate or the root's certificate (in case is not the same)?
>
>
> Thank you Mugur
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list