[strongSwan] Does Strongswan support PEM format
Andreas Steffen
andreas.steffen at strongswan.org
Wed Nov 3 08:25:50 CET 2010
Hello Michalle,

Section 3.6 of RFC 5996 on the IKEv2 Certificate Payload

http://tools.ietf.org/html/rfc5996#section-3.6

clearly states:

   "X.509 Certificate - Signature" contains a DER-encoded X.509
   certificate whose public key is used to validate the sender's AUTH
   payload.

This means that even if the certificate is loaded as a file in
PEM format it will always be transmitted in binary DER format.
And this is what strongSwan does.

Concerning your authentication error, it can be caused either by
a certificate with a wrong public key or a wrong subject Distinguished
Name or a flawed signature contained in the AUTH payload.

Regards

Andreas

On 11/03/2010 07:17 AM, michalle OY wrote:
> Hi, all
> I met a problem when doing an interoperability test between Strongswan and my
> IPsec implementation.
> I tried to send a certificate in PEM format to the Strongswan point, but it
> reports that it doesn't support it. I found that Strongswan uses the DER
> "X.509 Certificate - Signature" format in the Certificate Payload even if in
> the Ipsec.conf file the "leftcert" points to a PEM file.
> The other issue is that after I changed the certificate from PEM to DER
> and tried again, Strongswan reported "Authentication of 'CN=**, ST=**,
> E=***, OU=SSG, O=SGG' with RSA signature failed."
>
> My questions are: 1. Does Strongswan support PEM format? 2. Does the
> authentication failure mean the certificate has a problem or the
> authentication payload has a problem?
>
> Your answers are appreciated.
>
> Thanks
> Michalle
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
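
The PEM-on-disk, DER-on-the-wire behaviour described in the reply, as an added example that is not part of the original thread and not strongSwan's code. All function names are hypothetical, and the sample "certificate" is a constructed 5-byte DER SEQUENCE used only to exercise the encoding path; the payload layout and encoding value 4 follow RFC 5996 section 3.6.

```python
import ssl
import struct

CERT_ENCODING_X509_SIGNATURE = 4   # "X.509 Certificate - Signature", RFC 5996 section 3.6
PEM_ARMOR = b"-----BEGIN"

def load_cert_as_der(blob: bytes) -> bytes:
    """Accept certificate file contents in PEM or DER form and return DER bytes."""
    if blob.lstrip().startswith(PEM_ARMOR):
        return ssl.PEM_cert_to_DER_cert(blob.decode("ascii").strip())
    if blob[:1] != b"\x30":            # a DER certificate starts with a SEQUENCE tag
        raise ValueError("neither PEM nor DER")
    return blob

def build_cert_payload(cert_file: bytes, next_payload: int = 0) -> bytes:
    """Sender: generic payload header (4 bytes) + Cert Encoding (1 byte) + DER data."""
    der = load_cert_as_der(cert_file)
    return struct.pack("!BBHB", next_payload, 0, 5 + len(der),
                       CERT_ENCODING_X509_SIGNATURE) + der

def parse_cert_payload(payload: bytes) -> bytes:
    """Receiver: return the DER certificate, or raise ValueError naming the defect."""
    if len(payload) < 5:
        raise ValueError("truncated CERT payload")
    _next, _flags, length, encoding = struct.unpack("!BBHB", payload[:5])
    data = payload[5:]
    if length != len(payload):
        raise ValueError("payload length mismatch")
    if encoding != CERT_ENCODING_X509_SIGNATURE:
        raise ValueError(f"unhandled cert encoding {encoding}")
    if data.lstrip().startswith(PEM_ARMOR):
        raise ValueError("PEM text in CERT payload; encoding 4 requires DER")
    if data[:1] != b"\x30":
        raise ValueError("certificate data is not a DER SEQUENCE")
    return data

# Constructed sample input, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    wire = build_cert_payload(SAMPLE_PEM)      # PEM file in, DER on the wire
    print(wire.hex())
    print(parse_cert_payload(wire) == SAMPLE_DER)
```

A peer that places the PEM text itself in the payload fails the receiver check, which matches the first symptom in the question; the later "RSA signature failed" message concerns the AUTH payload and is outside what this sketch covers.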