[strongSwan] Error using pki in StrongSwan 5.1.0
Andreas Steffen
andreas.steffen at strongswan.org
Sat Aug 10 17:09:15 CEST 2013
Hi Gregg,

any root or intermediate CA certificate used by strongSwan to verify
end entity certificates must contain the CA basicConstraint.

If you generate a root CA certificate using the ipsec pki tool then you
must add the --ca option as in

  ipsec pki --self --ca

or if generating an intermediate CA certificate

  ipsec pki --issue --ca

End entity certificates must not contain a CA basicConstraint, though.

Hope this helps

Andreas

On 08/09/2013 11:41 PM, Gregg Hughes wrote:
> Good afternoon, all!
>
> I’m retesting Strongswan 5.1 in a virtual environment and have managed
> to overcome most obstacles until this one. Following the directions on
> generating a simple CA structure using ipsec pki, I got as far as
> generating a new host certificate and got the error “CA certificate
> misses CA basicConstraint.” I did the googling thing and found some
> older postings (over a year ago) with a couple of patches that don’t
> apply to my version.
>
> I don’t see any way to insert this into the ipsec pki process to add
> that constraint condition back to the CA.
>
> Is this a bug or am I missing a part of the process?
>
> Thanks in advance!
>
> Gregg
>
> *Gregg Hughes*
> IT Administrator
> www.iscinternational.com
> 414.721.0301 phone
> 262.313.3106 fax
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
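
A way to check a certificate for the CA basicConstraint discussed above before using it as an issuer. This is an added example, not part of the original post and not strongSwan's code; the function names and the sample bytes are constructed for illustration, and only the Python standard library is used.

```python
# Added example: minimal DER walker that reports the cA flag of the
# basicConstraints extension (OID 2.5.29.19). Sample inputs are constructed.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def find_basic_constraints(der_bytes):
    """Return the extnValue contents of basicConstraints, or None if absent."""
    for tag, val in children(der_bytes):
        if tag & 0x20:  # only descend into constructed elements
            kids = children(val)
            if tag == 0x30 and kids and kids[0] == (0x06, BASIC_CONSTRAINTS_OID):
                return kids[-1][1]  # OCTET STRING follows the optional critical flag
            found = find_basic_constraints(val)
            if found is not None:
                return found
    return None

def is_ca(der_bytes):
    """True only if basicConstraints is present and its cA BOOLEAN is TRUE."""
    ext_value = find_basic_constraints(der_bytes)
    if ext_value is None:
        return False
    _, seq, _ = read_tlv(ext_value, 0)  # BasicConstraints ::= SEQUENCE
    fields = children(seq)              # cA defaults to FALSE and is then omitted
    return bool(fields) and fields[0] == (0x01, b"\xff")

def der(tag, body):  # encoder for the short constructed samples below
    return bytes([tag, len(body)]) + body

# Constructed samples: the [3] extensions field of a CA and of an end entity.
CA_EXTS = der(0xA3, der(0x30, der(0x30, der(0x06, BASIC_CONSTRAINTS_OID)
              + der(0x01, b"\xff") + der(0x04, der(0x30, der(0x01, b"\xff"))))))
EE_EXTS = der(0xA3, der(0x30, der(0x30, der(0x06, BASIC_CONSTRAINTS_OID)
              + der(0x04, der(0x30, b"")))))
```

The same functions accept the bytes of a complete DER-encoded certificate, since the walker descends through every constructed element until it reaches the extension.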