[strongSwan] Authentication of a CERT payload with only the subject certificate

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 26 11:15:17 CET 2013


Hello Mugur,

this should work because the sub-CAy certificate is stored locally
on the client, so there is no need for the SEG to send it via the
CERT payload. See also our example scenario

https://www.strongswan.org/uml/testresults/ikev2/multi-level-ca-cr-resp

Regards

Andreas

On 03/26/2013 10:59 AM, ABULIUS, MUGUR (MUGUR) wrote:
> Hello,
> Our IKEv2 strongSwan Linux client systems should interoperate with a SEG
> having limited capabilities
> for building up the CERT payload of the IKE-SA-AUTH response. The SEG's
> CERT includes only the subject
> certificate (no other ancestor certificates are sent within its CERT).
> Under which client configuration strongSwan is able to validate the
> remote SEG?
> More details on a specific use case:
> Trust anchor “RootX” configured on client and SEG
> Client cert chain : “RootX / sub-CAy / client” (all certificates stored
> on client)
> Client sends “sub-CAy/client” certificates in IKEv2 CERT payload (RootX
> cert.  not sent)
> SEG cert chain : “RootX/sub-CAy/SEG” (same hierarchy, different end
> entities)
> SEG sends only the “SEG” certificate in CERT payload (instead of
> sub-CAy/SEG”)
>  
> Does authentication work?
>  
> Best Regards
> Mugur
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130326/8aebf569/attachment.bin>


More information about the Users mailing list