[strongSwan] Options available for using a certificate hierarchy or chain
Martin Willi
martin at strongswan.org
Thu May 13 12:13:00 CEST 2010
Hi,
> Our PKI guys are incredulous about this situation. They wonder "how
> have the IPsec standards managed to get into this situation ?".
Yes, this is a well known problem.
> Can anyone suggest any solutions ?
One option is to use shorter certificates, e.g. by using ECDSA. I don't
know if this is an option for you, but you might hit the MTU limit even
with ECDSA certificates with this über-chain.
> I see that hash-and-url is one proposed solution, and although it is
> implemented by strongSwan, does anyone have a feel for how widespread
> that is among other IPsec SeGW implementations ?
RFC4306 says
> MUST be capable of being configured to send and accept the
> first two Hash and URL formats (with HTTP URLs),
but I won't be this optimistic. Not many implementations supported Hash
and URL during our last interoperability workshop.
If your SeGW claims to support RFC4306, maybe you can insist on this
method?
> Another solution would be to preload the intermediate CAs onto the
> SeGW (as well as our root CA). This works in our lab, when we also use
> strongSwan as a test SeGW, but I've been informed that most of our
> customers would NOT be interested in this solution. They want to load
> ONE root CA onto their SeGW and nothing else.
You're limited to what your SeGW actually supports. Maybe a single
container with the full chain is an option, but this requires support by
the SeGW. Even other out-of-band mechanisms might be possible, but you're
limited to the different SeGW capabilities.
> Are there any options left ?
Probably not.
Regards
Martin
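To make the size argument concrete (both the über-chain hitting the MTU and what Hash and URL actually puts on the wire), here is an added example that is not part of Martin's reply or of strongSwan's code. It builds IKEv2 CERT payloads in the formats RFC 4306 section 3.6 defines (encoding 4 for an inline X.509 certificate, encodings 12 and 13 for the 20-octet SHA-1 hash followed by a URL), compares the bytes a three-certificate chain costs in each form, and does the receiver-side check that whatever was fetched from the URL actually hashes to the value the peer sent. The certificate blobs are constructed placeholders of typical RSA certificate sizes, not real DER, and the "hex SHA-1 plus .crt under a base URL" file naming is an assumption of this example, not something the RFC prescribes.

```python
"""IKEv2 CERT payloads: inline X.509 versus Hash and URL (RFC 4306 section 3.6).

Added example, not strongSwan code. The certificate bytes are constructed
placeholders with realistic DER sizes; they are not real certificates.
"""
import hashlib
import hmac
import struct

# Certificate Encoding values from RFC 4306 section 3.6
CERT_X509_SIGNATURE = 4     # DER-encoded X.509 certificate carried inline
CERT_HASH_URL_X509 = 12     # 20-octet SHA-1 of the DER certificate, then a URL
CERT_HASH_URL_BUNDLE = 13   # same, but over a bundle of certificates

# Generic payload header: Next Payload, Critical bit + reserved, Payload Length
GENERIC_HDR = struct.Struct("!BBH")


def build_cert_payload(encoding, cert_data, next_payload=0):
    """Generic header + 1-octet Certificate Encoding + Certificate Data."""
    body = struct.pack("!B", encoding) + cert_data
    return GENERIC_HDR.pack(next_payload, 0, GENERIC_HDR.size + len(body)) + body


def parse_cert_payload(payload):
    """Return (next_payload, encoding, certificate_data); reject bad lengths."""
    if len(payload) < GENERIC_HDR.size + 1:
        raise ValueError("CERT payload too short")
    next_payload, _flags, length = GENERIC_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("CERT payload length field does not match data")
    return next_payload, payload[4], payload[5:]


def hash_and_url_data(der, url):
    """Certificate Data for encodings 12/13: SHA-1(DER) followed by the URL."""
    return hashlib.sha1(der).digest() + url.encode("ascii")


def split_hash_and_url(data):
    """Split Certificate Data of encoding 12/13 into (sha1_digest, url)."""
    if len(data) < 20:
        raise ValueError("Hash and URL data shorter than a SHA-1 digest")
    return data[:20], data[20:].decode("ascii")


def fetched_matches(expected_hash, fetched_der):
    """Receiver-side check: the object fetched from the URL must hash to the
    digest the peer sent; anything else is discarded, not trusted."""
    return hmac.compare_digest(hashlib.sha1(fetched_der).digest(), expected_hash)


def cert_url(base, der):
    """File-name convention assumed by this example: hex SHA-1 of the DER."""
    return base + hashlib.sha1(der).hexdigest() + ".crt"


def payload_sizes(chain, base_url):
    """Total CERT payload bytes for a chain sent inline vs. as Hash and URL."""
    inline = sum(len(build_cert_payload(CERT_X509_SIGNATURE, der)) for der in chain)
    by_url = sum(
        len(build_cert_payload(CERT_HASH_URL_X509,
                               hash_and_url_data(der, cert_url(base_url, der))))
        for der in chain)
    return inline, by_url


# Constructed stand-ins for DER certificates (sizes typical of RSA-2048 certs).
END_ENTITY = b"\x30\x82" + b"E" * 1098       # 1100 bytes
INTERMEDIATE_1 = b"\x30\x82" + b"I" * 1298   # 1300 bytes
INTERMEDIATE_2 = b"\x30\x82" + b"J" * 1298   # 1300 bytes
CHAIN = [END_ENTITY, INTERMEDIATE_1, INTERMEDIATE_2]
BASE_URL = "http://pki.example.org/certs/"   # assumed repository URL


if __name__ == "__main__":
    inline, by_url = payload_sizes(CHAIN, BASE_URL)
    print(f"inline chain: {inline} bytes of CERT payloads")
    print(f"hash-and-url: {by_url} bytes of CERT payloads")
    # The receiver fetches the URL and verifies what came back.
    payload = build_cert_payload(
        CERT_HASH_URL_X509,
        hash_and_url_data(END_ENTITY, cert_url(BASE_URL, END_ENTITY)))
    _, enc, data = parse_cert_payload(payload)
    digest, url = split_hash_and_url(data)
    print(f"encoding {enc}, url {url}, fetched ok: {fetched_matches(digest, END_ENTITY)}")
```

The inline chain alone is already well past what fits in a single 1500-byte IKE_AUTH datagram, before the IDi, AUTH, SA and TS payloads are even counted, which is exactly why the über-chain fragments; the Hash and URL form of the same chain costs under 100 bytes per certificate. The digest check in `fetched_matches` is what makes the scheme safe to use over plain HTTP: the hash arrives inside the authenticated IKE exchange, so a tampered or wrong object served from the URL is simply rejected.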