[strongSwan] need help for host2host-cert setup
Johannes Hubertz
johannes at hubertz.de
Tue Mar 30 00:09:32 CEST 2010
Hello Abbhishek, hello listreaders,
On Monday 29 March 2010 12:23:35 Abbhishek Misra wrote:
> Still I get the following.
>
> could not parse loaded certificate file
> '/etc/ipsec.d/cacerts/cacert-new.pem'
Perhaps you'd like to have a close look at the output of:
openssl x509 -in /etc/ipsec.d/cacerts/cacert-new.pem -noout -text
That should print the whole content of the cert in cleartext to the console.
If there is no error at all using this command, perhaps we need to
increase the debugging of charon.
After rereading your first posting, I found:
: RSA cakey.pem "password"
What the hell do you need the cacert key decrypted for in ipsec
sessions, sorry? There _should_ be no need of that within the
ipsec-context. Or am I missing some new features like signing keys on
the fly or the like? ;-) I'm rather sure you need the cacert itself,
but at no time the corresponding private key. You only need private keys
for the local end cert. Each side, of course. So please have a review
of your config and the contained keys.
The cacert key you only need to sign both end certificates. I'm rather
sure. And that's the only reason besides the signing of a CRL (scheduled
on a regular basis).
Anyhow, this unnecessarily added line in ipsec.conf should not give any
reason for not being able to read the cert. Please have a look at the
cert-file.
Hope that helps,
happy working.
Johannes
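A small POSIX shell helper, added here as an example and not part of the original thread, that automates the openssl check suggested above and classifies the usual reasons a file in cacerts/ fails to parse (a private key or CSR dropped there by mistake, a truncated or non-PEM body, a certificate that is not a CA). It assumes only the openssl command-line tool; the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why strongSwan reports
# "could not parse loaded certificate file" for a file in /etc/ipsec.d/cacerts/.
# Assumes only the openssl CLI is installed.

# check_cacert FILE
#   prints one diagnostic line; returns 0 only for a parseable CA certificate
check_cacert() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable (check the path and permissions)"; return 1; }
    # Work out what the file claims to be before asking openssl to parse it.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        inform=PEM
    elif grep -q -- 'PRIVATE KEY-----' "$f"; then
        echo "$f: this is a private key, not a certificate (the CA key does not belong in cacerts/)"
        return 1
    elif grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$f"; then
        echo "$f: this is a certificate signing request, not a certificate"
        return 1
    else
        inform=DER   # no PEM header, so DER is the only remaining valid encoding
    fi
    # A PEM header whose body openssl cannot decode is the usual cause of the error.
    if ! openssl x509 -in "$f" -inform "$inform" -noout 2>/dev/null; then
        echo "$f: not parseable as $inform (corrupt, truncated, or not a certificate at all)"
        grep -q "$(printf '\r')" "$f" && echo "$f: hint: the file has CRLF line endings"
        return 1
    fi
    # It parses; it still has to be a CA certificate to be of any use in cacerts/.
    if openssl x509 -in "$f" -inform "$inform" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$f: $inform-encoded CA certificate, $(openssl x509 -in "$f" -inform "$inform" -noout -subject)"
        return 0
    fi
    echo "$f: $inform-encoded certificate without basicConstraints CA:TRUE (an end-entity cert?)"
    return 2
}

# Usage: sh check_cacert.sh /etc/ipsec.d/cacerts/*.pem
for f in "$@"; do check_cacert "$f"; done
```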