[strongSwan] Help: using certificate chains

Martin Willi martin at strongswan.org
Tue Jan 25 09:11:15 CET 2011


Hi,

> Does strongSwan support certificate chains?
> I mean that I want to use the certificates as below.
> root ca -> sub ca1 -> sub ca2 -> end

Yes.

> I put root ca, sub ca1, sub ca2's certificates in ipsec.d/cacerts and put
> end's certificate in ipsec.d/certs
> 
> but I found that only end's certificate was sent to the peer.

The IKEv2 daemon should send all certificates, but only if required.

Each peer sends certificate requests for all CAs it has installed (ca,
ca1 and ca2). The other then builds a trustchain up to the first trust
anchor. If both peers use the same sub-CAs, only the end entity
certificates are exchanged. If a peer does not have the sub-CAs
installed, all certs should get exchanged.

Regards
Martin
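As an added illustration of the chain-building rule Martin describes (this is not strongSwan code; the chain, the local CA store and the peer's requested CA sets are constructed), the following Python model walks the chain from the end entity towards the root and stops at the first issuer the peer announced in its certificate requests, which decides which certificates are sent:

```python
# Added example, not part of the original post or of strongSwan.
# Models the rule: send certificates from the end entity up to, but not
# including, the first CA the peer listed in its certificate requests.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root


# Constructed chain from the thread: root ca -> sub ca1 -> sub ca2 -> end.
ROOT = Cert("root ca", "root ca")
SUB1 = Cert("sub ca1", "root ca")
SUB2 = Cert("sub ca2", "sub ca1")
END = Cert("end", "sub ca2")

# Local ipsec.d/cacerts contents, keyed by subject (constructed).
LOCAL_STORE = {c.subject: c for c in (ROOT, SUB1, SUB2)}


def certs_to_send(end_entity, requested_cas, store):
    """Return the certificates to send, end entity first, stopping at the
    first issuer the peer said it trusts (requested_cas). Raises ValueError
    if the chain ends without reaching any CA the peer requested or if an
    intermediate is missing from the local store."""
    chain = [end_entity]
    current = end_entity
    while current.issuer not in requested_cas:
        if current.issuer == current.subject:
            # Reached a self-signed root the peer never asked for.
            raise ValueError("no trust anchor requested by the peer reached")
        issuer = store.get(current.issuer)
        if issuer is None:
            raise ValueError(f"issuer {current.issuer!r} not in local store")
        chain.append(issuer)
        current = issuer
    return chain


if __name__ == "__main__":
    for peer_cas in ({"root ca", "sub ca1", "sub ca2"}, {"root ca"}):
        sent = certs_to_send(END, peer_cas, LOCAL_STORE)
        print(sorted(peer_cas), "->", [c.subject for c in sent])
```

With both sub-CAs installed on the peer only the end entity certificate is sent; with only the root installed, the end entity plus both sub-CA certificates go out, and the root itself is never sent because the peer already holds it.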