[strongSwan] Does Strongswan support PEM format

Andreas Steffen andreas.steffen at strongswan.org
Wed Nov 3 08:25:50 CET 2010

Hello Michalle,

Section 3.6 of RFC 5996 on the IKEv2 Certificate Payload


clearly states

     "X.509 Certificate - Signature" contains a DER-encoded X.509
      certificate whose public key is used to validate the sender's AUTH

This means that even if the certificate is loaded as a file in
PEM format it will always be transmitted in binary DER format.
And this is what strongSwan does.

Concerning your authentication error it can be caused either by
a certificate with a wrong public key or a wrong subject Distinguished
Name or a flawed signature contained the AUTH payload.



On 11/03/2010 07:17 AM, michalle OY wrote:
> Hi, all
> I met a problem when did interoperability test between Strongswan and my 
> IPsec implementation.
> I try to send a certificate with PEM format to Strongswan point, but it 
> reports that doesn't support. I found that the Strongswan uses the DER 
> "X.509 Certificate - Signature" format in Certificate Payload even if in 
> the Ipsec.conf file the "leftcert" point to a PEM file.
> The other issue is that after I changed the Certificate from PEM to DER 
> and try again, the strongswan reported "Authentication of 'CN=**, ST=**, 
> E=***, OU=SSG, O=SGG' with RSA signature failed."
> My questions are: 1. Does Strongswan support PEM format? 2. The 
> authentication failed means the Certificate has problem or the 
> authentication Payload has problem?
> Your answer are appreciated.
> Thanks
> Michalle

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list