[strongSwan] Help: using certificate chains
张亚东
yadong_zhang at hotmail.com
Tue Jan 25 10:55:29 CET 2011
Hi Martin,
Thanks for your reply.
As you said, I used the same certificate chain.
When I deleted sub ca1 and sub ca2 from one side,
I got them from the peer.
> Subject: Re: [strongSwan] Help: using certificate chains
> From: martin at strongswan.org
> To: yadong_zhang at hotmail.com
> CC: users at lists.strongswan.org
> Date: Tue, 25 Jan 2011 09:11:15 +0100
>
> Hi,
>
> > Does strongswan support certificate chains?
> > I mean that I want to use the certificates as below.
> > root ca -> sub ca1 -> sub ca2 -> end
>
> Yes.
>
> > I put root ca, sub ca1, sub ca2's certificates in ipsec.d/cacerts put
> > end's certificate in ipsec.d/certs
> >
> > but I found that only end's certificate was sent to the peer.
>
> The IKEv2 daemon should send all certificates, but only if required.
>
> Each peer sends certificate requests for all CAs it has installed (ca,
> ca1 and ca2). The other then builds a trustchain up to the first trust
> anchor. If both peers use the same sub-CAs, only the end entity
> certificates are exchanged. If a peer does not have the sub-CAs
> installed, all certs should get exchanged.
>
> Regards
> Martin
>
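
A simplified model of the certificate selection described in the quoted reply, added here as an illustration; it is not strongSwan code and does not come from either poster. The helper name `certs_to_send` and the subject-to-issuer table are assumptions built from the chain named in the thread.

```python
# Simplified model of the behaviour described in the reply; not strongSwan code.
# Constructed sample data: the chain from the thread,
# root ca -> sub ca1 -> sub ca2 -> end, as a subject -> issuer table.
ISSUER = {
    "end": "sub ca2",
    "sub ca2": "sub ca1",
    "sub ca1": "root ca",
    "root ca": "root ca",  # self-signed
}


def certs_to_send(end_entity, issuer, requested_cas):
    """Return the certificates a peer has to send, end entity first.

    requested_cas models the peer's certificate requests: the CA
    certificates the other side has installed. (hypothetical helper)
    """
    to_send = [end_entity]
    current = end_entity
    while True:
        parent = issuer.get(current)
        if parent is None:
            raise ValueError(f"issuer of {current!r} is not installed locally")
        if parent in requested_cas:
            # First trust anchor of the other side reached: it can verify
            # everything collected so far, so nothing above is sent.
            return to_send
        if parent == current or parent in to_send:
            raise ValueError("no CA in the chain was requested by the peer")
        to_send.append(parent)
        current = parent


if __name__ == "__main__":
    # Both sides have all three CAs installed: only the end entity cert goes out.
    print(certs_to_send("end", ISSUER, {"root ca", "sub ca1", "sub ca2"}))
    # Sub-CAs deleted on the other side: the intermediates are sent as well.
    print(certs_to_send("end", ISSUER, {"root ca"}))
```

The second call corresponds to the test reported at the top of this message, where the sub-CAs were deleted on one side.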