[strongSwan] need help for host2host-cert setup

Johannes Hubertz johannes at hubertz.de
Tue Mar 30 00:09:32 CEST 2010

Hello Abbishek, hello listreaders,

On Monday 29 March 2010 12:23:35 Abbhishek Misra wrote:
> Still i get following.
> could not parse loaded certificate file
> '/etc/ipsec.d/cacerts/cacert-new.pem'

Perhaps you like to have a close look at the output of:

openssl x509 -in /etc/ipsec.d/cacerts/cacert-new.pem -noout -text

That should give all content of the cert in cleartext onto the console.
If there is no error at all using this command, perhaps we need to 
increase debugging of charon.

After rereading your first posting, I found:

: RSA cakey.pem "password"

What the hell do you need the cacert key decrypted for in ipsec 
sessions, sorry? There _should_ be no need of that within the 
ipsec-context. Or I'm missing some new features like signing keys on 
the fly or the like? ;-) I'm rather sure, you need the cacert itself, 
but a no time the corresponding private key. You only need private keys 
for the local end cert. Each side, of course. So please have a review 
of your config and the contained keys.

The cacert key you only need to sign both end certifcates. I'm rather 
sure. And thats the only reason beside the signing of a crl (sheduled 
on a regular basis).

Anyhow, this unneccessary added line in ipsec.conf should not give any 
reason for not being able to read the cert. Please have a look at the 

Hope that helps,
happy working.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 489 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100330/17fcc9ac/attachment.pgp>

More information about the Users mailing list