[strongSwan] How to use "cacert" directory
Martin Willi
martin at strongswan.org
Thu Jul 15 18:48:40 CEST 2010
Hi,
> Concerning strongSwan configuration I intend to put all the chain of
> certificates concerning a remote SEG in a separate "cacert" directory
> (specified with a "ca" section). E.g. /etc/ipsec.d/cacert1 and
> /etc/ipsec.d/cacert2. I don't intend to use "/etc/ipsec.d/certs".
> * Is this a correct configuration for strongSwan?
Usually you don't mix up CA and peer certificates. CA and intermediate
certificates go to /etc/ipsec.d/cacerts, peer certificates
in /etc/ipsec.d/certs.
All certificates in the cacerts directory are loaded automatically,
while peer certificates must be specified with leftcert=.
To specify CA certificates outside of cacerts, use "ca" sections (man
ipsec.conf).
> * Does strongSwan accept sub-directories in 'cacert1' and 'cacert2'
> (empty or not)?
What do you mean by accept?
> * Does strongSwan look (by default) for certificates also in the
> sub-directories created in 'cacert1' and 'cacert2'?
No, it only loads certificates directly found in the default cacert dir.
Other certificates must be specified with a dedicated "ca" section.
> * It may be possible that the certificates from 'cacert1' and 'cacert2'
> are identical (but probably not their file names), except for the local
> certificates, which are always different. Is this configuration valid
> for strongSwan?
Certificates get compared during startup, identical certificates get
discarded.
Regards
Martin
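As an added illustration (not part of the original thread or of the strongSwan project), here is a minimal ipsec.conf that follows the layout Martin describes: anything in /etc/ipsec.d/cacerts is loaded on its own, CA certificates kept in other directories get one "ca" section each, and the peer certificate is referenced with leftcert=. The file names, host name and DN are assumed placeholders.

```conf
# /etc/ipsec.conf (added example; paths and names are placeholders)

config setup

# CA and intermediate certificates stored in /etc/ipsec.d/cacerts
# are picked up automatically and need no section here.

# Certificates kept outside that directory (e.g. the remote SEG chain
# in /etc/ipsec.d/cacert1) must each be declared with a "ca" section.
ca seg-root
    cacert=/etc/ipsec.d/cacert1/seg-root.pem
    auto=add

ca seg-intermediate
    cacert=/etc/ipsec.d/cacert1/seg-intermediate.pem
    auto=add

conn seg
    left=%defaultroute
    # Our own end-entity certificate; relative paths resolve under
    # /etc/ipsec.d/certs, so an absolute path is used for clarity.
    leftcert=/etc/ipsec.d/certs/local.pem
    right=seg.example.com
    # Only accept peer certificates issued under this CA (placeholder DN).
    rightca="C=XX, O=Example, CN=Example SEG Intermediate CA"
    auto=add
```

After editing, `ipsec rereadall` followed by `ipsec listcacerts` shows which CA certificates were actually loaded, which is the quickest way to confirm a "ca" section was picked up.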