[strongSwan] Self signed ca cert fails policy check

Martin Willi martin at strongswan.org
Mon Apr 23 10:40:07 CEST 2012


Hi Andreas,

> 01[CFG] policy 1.1.1.1.1 missing in issuing certificate 'CN=CA, ... C=DE'

The constraint plugin enforces different X.509 constraints, such as path
length, name and policy constraints.

In your case, it seems that your end entity certificate has a
certificate policy 1.1.1.1.1.1. Your CA certificate, however, does not
have this policy, an "anyPolicy" nor an appropriate policy mapping. See
[1] for details about certificate policies.

If you don't need certificate policy validation, it is fine to disable
the constraints plugin. Basic CA validation is performed anyway, but
extended X.509 constraint validation is skipped.

Regards
Martin

[1]http://tools.ietf.org/html/rfc5280#section-4.2.1.4
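
Added example, not part of Martin's message and not strongSwan code: a simplified Python model of the rule described above, where every policy OID in a certificate must be covered by its issuer through the same policy, anyPolicy, or a policy mapping. The `Cert` class, the function names and the sample certificates are assumptions constructed for illustration; full RFC 5280 policy processing has more steps than this model.

```python
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID (RFC 5280, section 4.2.1.4)

@dataclass
class Cert:  # hypothetical stand-in for a parsed X.509 certificate
    subject: str
    policies: set = field(default_factory=set)    # certificatePolicies OIDs
    mappings: dict = field(default_factory=dict)  # issuerDomainPolicy -> subjectDomainPolicy

def issuer_covers(issuer, policy):
    """True if the issuer lists the policy, lists anyPolicy, or maps to it."""
    if policy in issuer.policies or ANY_POLICY in issuer.policies:
        return True
    return any(mapped == policy and own in issuer.policies
               for own, mapped in issuer.mappings.items())

def missing_policies(chain):
    """chain[0] is the end entity, chain[-1] the trust anchor.
    Returns (policy, subject, issuer) for each policy the issuer does not cover."""
    missing = []
    for subject, issuer in zip(chain, chain[1:]):
        for policy in sorted(subject.policies):
            if not issuer_covers(issuer, policy):
                missing.append((policy, subject.subject, issuer.subject))
    return missing

# Constructed sample certificates (not taken from the thread)
ee = Cert("CN=gateway", {"1.1.1.1.1"})
ca_plain = Cert("CN=Example CA")                        # no policy extension
ca_same = Cert("CN=Example CA", {"1.1.1.1.1"})          # same policy as the end entity
ca_any = Cert("CN=Example CA", {ANY_POLICY})            # anyPolicy
ca_mapped = Cert("CN=Example CA", {"1.2.3.4"}, {"1.2.3.4": "1.1.1.1.1"})  # policy mapping

if __name__ == "__main__":
    for ca in (ca_plain, ca_same, ca_any, ca_mapped):
        print(sorted(ca.policies), "->", missing_policies([ee, ca]) or "ok")
```

Only the CA without any policy extension yields a missing-policy result, which is the situation the log line in the quoted message reports.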




