[strongSwan] CRL issues

Martin Willi martin at strongswan.org
Wed Sep 5 15:11:48 CEST 2012


Hi Claude,

> crluri=VPNCA-crl.pem

> fetching crl from 'VPNCA-crl.pem' ...
> crl fetching failed

crluri takes a URI, not a file name (see ipsec.conf (5)). It might have
worked with pluto, but it certainly does not with charon.

> fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...

An X.509 CRL distribution point always points to a DER encoded CRL (see
[1]). We treat crluri in exactly the same way, hence it must be encoded as
DER, too.

> issuer of fetched CRL 'C=LU,[...]' does not match CRL issuer
>  'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'

The relation between CRL and CRL issuer is resolved using the CRL
authorityKeyIdentifier. This means that the CRL must contain an
authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
issuer (see [2]).

Regards
Martin

[1] http://tools.ietf.org/html/rfc5280#section-4.2.1.13
[2] http://tools.ietf.org/html/rfc5280#section-5.2.1
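The two conditions Martin names, a DER encoded CRL behind crluri and a CRL authorityKeyIdentifier that matches the issuer's subjectKeyIdentifier, can be checked with the openssl command line tool before pointing charon at the file. The script below is an added example, not code from the thread or from strongSwan; it builds a constructed throwaway CA in a temporary directory, issues an empty CRL, converts it to DER, and compares the key identifiers. It assumes openssl (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example (not part of the thread): build a throwaway CA, issue a CRL,
# convert it to the DER form charon expects behind crluri, and check that the
# CRL's authorityKeyIdentifier equals the CA's subjectKeyIdentifier.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed minimal CA configuration: SKI on the CA cert, AKI on the CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo VPN CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
: > index.txt

openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl ca -gencrl -config ca.cnf -keyfile ca.key -cert ca.pem \
    -crlexts crl_ext -out VPNCA-crl.pem >/dev/null 2>&1
# crluri must point at a DER encoded CRL, so convert the PEM output.
openssl crl -in VPNCA-crl.pem -outform DER -out VPNCA-crl.der

# subjectKeyIdentifier of the CA certificate, as colon separated hex.
ca_ski() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -1 | tr -d ' '; }
# authorityKeyIdentifier carried by a DER CRL (older openssl prefixes "keyid:").
crl_aki() { openssl crl -in "$1" -inform DER -noout -text | grep -A1 'Authority Key Identifier' | tail -1 | sed 's/keyid://' | tr -d ' '; }
# True only if the file parses as a DER CRL, which is what charon accepts.
is_der_crl() { openssl crl -in "$1" -inform DER -noout >/dev/null 2>&1; }
# True if the CRL's AKI matches the CA's SKI, the relation charon resolves.
crl_issued_by() { [ "$(crl_aki "$1")" = "$(ca_ski "$2")" ]; }

is_der_crl VPNCA-crl.der && crl_issued_by VPNCA-crl.der ca.pem && echo "VPNCA-crl.der is DER and issued by ca.pem"
```

With the checks passing, `crluri=file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.der` is the form charon can fetch.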
