[strongSwan] Using existing CA for strongSwan; Way to specify which client certs are valid for VPN?

Igor Sverkos igor.sverkos at googlemail.com
Tue Apr 30 16:42:35 CEST 2013


Andreas Steffen wrote:
> have a look at the whitelist plugin which I think is going to
> do what you want:
> [...]

Yup, sounds like I want that. But I am not sure how to handle restarts.
Does strongSwan provide a trigger/option to run a script when it
starts/stops or do I have to do it on my own?

> If your clients use the subject Distinguished Name from their
> certificates as IKE identity then you have to enter the DNs of
> the entitled users into the whitelist.

Never thought about DNs. Shouldn't I be able to use the existing CA to
create certificates with different DNs? Then we could stick with our
main CA (no new management needed) but create different certificates for
VPN usage (different DNs).

