[strongSwan] Does Strongswan support PEM format
andreas.steffen at strongswan.org
Wed Nov 3 08:25:50 CET 2010
Section 3.6 of RFC 5996 on the IKEv2 Certificate Payload
"X.509 Certificate - Signature" contains a DER-encoded X.509
certificate whose public key is used to validate the sender's AUTH
This means that even if the certificate is loaded as a file in
PEM format it will always be transmitted in binary DER format.
And this is what strongSwan does.
Concerning your authentication error it can be caused either by
a certificate with a wrong public key or a wrong subject Distinguished
Name or a flawed signature contained in the AUTH payload.
On 11/03/2010 07:17 AM, michalle OY wrote:
> Hi, all
> I met a problem when doing an interoperability test between Strongswan and my
> IPsec implementation.
> I tried to send a certificate in PEM format to the Strongswan point, but it
> reports that it isn't supported. I found that Strongswan uses the DER
> "X.509 Certificate - Signature" format in the Certificate Payload even if in
> the ipsec.conf file "leftcert" points to a PEM file.
> The other issue is that after I changed the certificate from PEM to DER
> and tried again, strongswan reported "Authentication of 'CN=**, ST=**,
> E=***, OU=SSG, O=SGG' with RSA signature failed."
> My questions are: 1. Does Strongswan support PEM format? 2. Does the
> authentication failure mean the certificate has a problem or the
> authentication payload has a problem?
> Your answers are appreciated.
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
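
The point made in the reply above (PEM is a file format, the IKEv2 Certificate payload carries DER with Cert Encoding 4) as an added example; it is not code from this thread or from strongSwan. The function names and the 11-byte sample blob are constructed for illustration, and the blob is a bare DER SEQUENCE standing in for a certificate, not a real one.

```python
import base64, re, struct

CERT_ENC_X509_SIGNATURE = 4  # RFC 5996 section 3.6: "X.509 Certificate - Signature"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to raw DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def der_outer_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30, definite length)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form length, n length octets follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == hdr + length

def build_cert_payload(der: bytes, next_payload: int = 0) -> bytes:
    """Generic payload header (4 bytes) + Cert Encoding (1 byte) + DER data."""
    if not der_outer_ok(der):
        raise ValueError("certificate data is not DER; convert from PEM first")
    hdr = struct.pack("!BBHB", next_payload, 0, 5 + len(der), CERT_ENC_X509_SIGNATURE)
    return hdr + der

def check_cert_payload(payload: bytes) -> str:
    """Classify a received Certificate payload when debugging interop."""
    if len(payload) < 5:
        return "truncated"
    _next, _flags, length, enc = struct.unpack("!BBHB", payload[:5])
    data = payload[5:]
    if length != len(payload):
        return "bad length"
    if enc != CERT_ENC_X509_SIGNATURE:
        return "other encoding"
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM on the wire"          # sender put the file contents in unconverted
    return "ok" if der_outer_ok(data) else "not DER"

# Constructed sample input (not a real certificate).
SAMPLE_DER = bytes.fromhex("3009020101020102020103")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
```
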