[strongSwan] About leftca and rightca
Martin Willi
martin at strongswan.org
Tue Jul 13 10:24:47 CEST 2010
Hi Mugur,
> Can you confirm please that the “rightca” is the distinguished name of
> the CA used by the local system to designate its unique trust anchor
> via the CERTREQ payload?
Yes, but this works only as initiator. The responder sends the CERTREQ
in the IKE_SA_INIT message. At this stage, we do not have enough
information to select a configuration and enforce a CA policy.
The specified CA is also used as a connection constraint: if the peer's
trust chain has been validated, the trust anchor must match the one
specified in rightca.
> If this assumption is true, can you please confirm that a certificate
> whose SubjectName has the same value as “rightca” must reside in
> "/etc/ipsec.d/cacerts/"?
Yes. Unless you specify a separate "ca" section with a CA certificate
stored somewhere else. These certificates are handled the same way.
> I am not able to figure out the exact meaning of “leftca”
Defining a local CA does not make much sense, as you usually specify the
certificate (and implicitly its trust chain) directly.
Regards
Martin
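The two points from the reply above (rightca as a trust-anchor constraint, and a separate "ca" section when the CA certificate is not stored under /etc/ipsec.d/cacerts/) put together as an ipsec.conf fragment. This is an added illustration, not configuration from the original thread; the connection name, certificate file names, the DN "C=CH, O=Example, CN=Example Root CA" and the path /etc/pki/example/rootca.pem are assumed placeholders.

```ini
# Added example (not from the thread). A "ca" section makes a CA certificate
# stored outside /etc/ipsec.d/cacerts/ known to strongSwan; it is then
# handled exactly like a certificate dropped into cacerts/.
ca example-root
    cacert=/etc/pki/example/rootca.pem
    auto=add

conn roadwarriors
    # Our own certificate; its chain is implied, so no leftca is needed.
    leftcert=gatewayCert.pem
    leftid=@gateway.example.org
    left=%any
    right=%any
    # Trust-anchor constraint: the peer's validated chain must end at this CA.
    # As initiator, the same DN is also advertised in the CERTREQ payload.
    rightca="C=CH, O=Example, CN=Example Root CA"
    auto=add
```

A peer whose certificate chains to a different CA present in cacerts/ still fails this connection, because the rightca check is enforced after chain validation; that is what makes rightca useful as a policy on a gateway that trusts several CAs.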