[strongSwan] Help, charon: 03[CFG] issuer of fetched CRL does not match CRL issuer
Jacky.He jacky.he at gmail.com
Thu Jul 28 12:15:00 CEST 2011

Thanks Tobias,
But how can I add the X509v3 Authority Key Identifier extension to my CRLs? Please help.
My openssl.cnf:
------------------------------------------------------
[ server ]
basicConstraints=CA:FALSE
nsCertType                      = server
nsComment                       = "Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth, serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName=DNS:lag2.igvpn.com
keyUsage = digitalSignature, keyEncipherment
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
------------------------------------------------------
--
Best Regards
Jacky
-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org] 
Sent: Thursday, July 28, 2011 5:30 PM
To: Jacky.He
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] Help, charon: 03[CFG] issuer of fetched CRL does not match CRL issuer
Hi,
> Jul 23 12:41:28 lag3 charon: 03[CFG] issuer of fetched CRL 'C=US, ST=CO,
> L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com' does not match
> CRL issuer '9b:00:ad:ef:3d:af:74:3b:72:6e:28:33:f5:33:4a:6a:e8:77:2e:bb'
It seems your CA certificate contains the X509v3 Subject Key Identifier 
extension which in turn means your CRL has to contain the X509v3 
Authority Key Identifier extension.  Otherwise charon won't be able to 
match the two.
Regards,
Tobias
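
The requirement described in this thread, as an added example that is not part of the original messages or of strongSwan: OpenSSL only applies a `[ crl_ext ]` section to a CRL when `openssl ca -gencrl` is given `-crlexts crl_ext` (or the CA section sets `crl_extensions = crl_ext`). The script builds a throwaway CA (constructed; the CA name, file names and helper functions are hypothetical), issues one CRL without and one with the extension, using the `authorityKeyIdentifier` line from the posted openssl.cnf, and compares the CRL's key identifier with the CA's Subject Key Identifier.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway CA; every name and path is hypothetical.
set -e
make_ca() {   # $1 = empty working directory
    d=$1; : > "$d/index.txt"
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
new_certs_dir = $d
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/openssl.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
}
# Issue a CRL; extra arguments (e.g. -crlexts crl_ext) are passed to "openssl ca".
gen_crl() { d=$1; out=$2; shift 2
    openssl ca -gencrl -config "$d/openssl.cnf" -out "$out" "$@" 2>/dev/null; }
# Print a key identifier as colon-separated hex, or nothing if it is absent.
keyid() {     # $1 = x509|crl, $2 = file, $3 = extension name
    openssl "$1" -in "$2" -noout -text | grep -A1 "X509v3 $3" |
        tail -n1 | tr -d ' \n' | sed 's/^keyid://'
}

tmp=$(mktemp -d)
make_ca "$tmp"
gen_crl "$tmp" "$tmp/plain.crl"                   # crl_ext not applied: no AKI
gen_crl "$tmp" "$tmp/aki.crl" -crlexts crl_ext    # crl_ext applied: AKI present
echo "CA SKI:        $(keyid x509 "$tmp/ca.crt" 'Subject Key Identifier')"
echo "plain CRL AKI: $(keyid crl "$tmp/plain.crl" 'Authority Key Identifier')"
echo "fixed CRL AKI: $(keyid crl "$tmp/aki.crl" 'Authority Key Identifier')"
```

The last two lines of output should differ: empty for the plain CRL, and equal to the CA's Subject Key Identifier for the CRL issued with `-crlexts crl_ext`.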
 