[strongSwan] Certificates in cacerts directory
Andreas Steffen
andreas.steffen at strongswan.org
Fri Mar 5 21:32:07 CET 2010
ABULIUS, MUGUR (MUGUR) wrote:
>> If rightca is specified then we only request certificates issued by rightca.
>> Otherwise we send certificate requests for all CAs contained in /etc/ipsec.d/cacerts/
>
> If "rightca=" is specified, then it is required that a certificate matching the specified
> DN be present locally in "/etc/ipsec.d/cacerts/"?
>
Yes, since RFC 4306 defines that the SHA-1 hash over the publicKeyInfo
of the CA certificate is sent in the CERTREQ payload, we must look up
the CA certificate based on the distinguished name and compute the
hash.
> Best regards
> Mugur
Best regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==