[strongSwan] Help: using certificate chains

张亚东 yadong_zhang at hotmail.com
Tue Jan 25 10:55:29 CET 2011

Hi Martin,

Thanks for your reply.
as your said, I used the same certificate chain.
when I delete sub ca1, sub ca2, from one side.
I got it from the peer.

> Subject: Re: [strongSwan] Help: using certificate chains
> From: martin at strongswan.org
> To: yadong_zhang at hotmail.com
> CC: users at lists.strongswan.org
> Date: Tue, 25 Jan 2011 09:11:15 +0100
> Hi,
> > Dose strongswan support certificate chains?
> > I means that I want to use the certificates as below.
> > root ca -> sub ca1 -> sub ca2 ->end 
> Yes.
> > I put root ca, sub ca1, sub ca2's certificates in ipsec.d/cacerts put 
> > end's certificate in ipsec.d/certs
> > 
> > but I found that only end's certificate was sent to the peer.
> The IKEv2 daemon should send all certificates, but only if required.
> Each peer sends certificate requests for all CAs it has installed (ca,
> ca1 and ca2). The other then builds a trustchain up to the first trust
> anchor. If both peers use the same sub-CAs, only the end entity
> certificates are exchanged. If a peer does not have the sub-CAs
> installed, all certs should get exchanged.
> Regards
> Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110125/ad4aea28/attachment.html>

More information about the Users mailing list