[strongSwan] Self signed ca cert fails policy check

Martin Willi martin at strongswan.org
Mon Apr 23 10:40:07 CEST 2012

Hi Andreas,

> 01[CFG] policy missing in issuing certificate 'CN=CA, ... C=DE'

The constraint plugin enforces different X.509 constraints, such as path
length, name and policy constraints.

In your case, it seems that your end entity certificate has a
certificate policy. Your CA certificate, however, does not
have this policy, an "anyPolicy" nor an appropriate policy mapping. See
[1] for details about certificate policies.

If you don't need certificate policies validation, it is fine to disable
the constraints plugin. Basic CA validation is performed anyway, but
extended X.509 constraint validation is skipped.
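
The following is an added example, not part of the original message and not strongSwan code: a simplified check for the situation described above, reporting which policy OIDs in an end entity certificate are neither listed by the issuing CA nor covered by anyPolicy. It assumes the Python `cryptography` package; the function names, the certificates and the OID 1.2.3.4.5 are constructed for the demo, and policy mappings are not evaluated.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ANY_POLICY = "2.5.29.32.0"    # anyPolicy OID (RFC 5280)
SAMPLE_POLICY = "1.2.3.4.5"   # constructed policy OID for this demo

def policy_oids(cert):
    """Return the policy OIDs listed in the certificatePolicies extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return set()
    return {info.policy_identifier.dotted_string for info in ext.value}

def uncovered_policies(subject, issuer):
    """Policies asserted by subject that issuer does not list or cover."""
    issuer_oids = policy_oids(issuer)
    if ANY_POLICY in issuer_oids:   # anyPolicy in the CA covers every policy
        return set()
    return policy_oids(subject) - issuer_oids

def make_cert(cn, issuer_cn, public_key, signing_key, is_ca, policies=()):
    """Build a constructed test certificate (demo helper)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    start = datetime.datetime(2012, 4, 23)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(public_key)
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                              critical=True))
    if policies:
        infos = [x509.PolicyInformation(x509.ObjectIdentifier(oid), None)
                 for oid in policies]
        builder = builder.add_extension(x509.CertificatePolicies(infos),
                                        critical=False)
    return builder.sign(signing_key, hashes.SHA256())

ca_key = ec.generate_private_key(ec.SECP256R1())
ee_key = ec.generate_private_key(ec.SECP256R1())
ee = make_cert("peer", "CA", ee_key.public_key(), ca_key, False, [SAMPLE_POLICY])
ca_plain = make_cert("CA", "CA", ca_key.public_key(), ca_key, True)
ca_any = make_cert("CA", "CA", ca_key.public_key(), ca_key, True, [ANY_POLICY])
ca_same = make_cert("CA", "CA", ca_key.public_key(), ca_key, True, [SAMPLE_POLICY])
print(uncovered_policies(ee, ca_plain))
```

A non-empty result for a CA/end entity pair corresponds to the mismatch described in the message; an empty result means the CA lists the same policy or anyPolicy.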
