[strongSwan] CRL issues

Martin Willi martin at strongswan.org
Wed Sep 5 15:11:48 CEST 2012

Hi Claude,

> crluri=VPNCA-crl.pem

> fetching crl from 'VPNCA-crl.pem' ...
> crl fetching failed

crluri takes an URI, not a file name (see ipsec.conf (5)). It might have
worked with pluto, but it certainly does not with charon.

> fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...

A X.509 CRL distribution point always points to a DER encoded CRL (see
[1]). We tread crluri the exactly same way, hence it must be encoded as
DER, too.

> issuer of fetched CRL 'C=LU,[...]' does not match CRL issuer
>  'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'

The relation between CRL and CRL issuer is resolved using the CRL
authorityKeyIdentifier. This means that the CRL must contain an
authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
issuer (see [2]).



More information about the Users mailing list