[strongSwan] ipsec.conf:: rightca= ?
Mark Enstone
mark at m-87.com
Fri May 2 19:29:28 CEST 2014
Strongswan 5.1.2 on Android.
Am I correct in understanding that the rightca= ipsec.conf directive
should over-rule sending CERTREQs for each of the certs in
...ipsec.d/cacerts/ ? That is, only the CERTREQ for rightca should be
requested?
If so, that sounds like what I want, but I'm seeing:
...
17:03:45 00[CFG] loaded ca certificate "C=US, O=Entrust, Inc.,
OU=www.entrust.net/rpa is incorporated by
reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority -
L1C" from '<path-to-certs>/ipsec.d/cacerts/entrust_l1c.cer'
17:03:45 00[CFG] loaded ca certificate "O=Entrust.net, OU=
www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999
Entrust.net Limited, CN=Entrust.net Certification Authority (2048)" from
'<path-to-certs>/ipsec.d/cacerts/entrust_2048_chain_root.cer'
17:03:45 00[CFG] loaded ca certificate "C=US, O=Entrust.net, OU=
www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net
Limited, CN=Entrust.net Secure Server Certification Authority" from
'<path-to-certs>/ipsec.d/cacerts/entrust_ssl_ca.cer'
...
17:03:45 06[CFG] CA certificate "C=US, O=Entrust, Inc.,
OU=www.entrust.net/rpa is incorporated by
reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority -
L1C" not found, discarding CA constraint
[Where <path-to-certs> is where my ipsec.d directory is located]
The error seems pretty clear: I'm mis-configuring rightca= ... however, can
anyone help me, as to me the "not found" line matches exactly one of the
"loaded ca certificate" lines above it. Namely:
loaded ca certificate
"C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by
reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority -
L1C"
vs.
"C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by
reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority -
L1C" not found
Those two DNs are the same. What am I missing?
Is there a different format for rightca than I'm using? Does it perhaps
need just the "CN=" part or something?
Thanks,
~Mark
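Textual DN matching, as an added example that is not part of this thread and not strongSwan's own parser: a DN string is only "the same" as a certificate subject after it has been split into its RDNs, and a comma inside a value (the logged subject contains `O=Entrust, Inc.`) is where a string form and a structured subject can diverge. The example below is a hypothetical RFC 4514-style parser; the three structured CA subjects are constructed from the log lines above, as a certificate parser would hand them over. Whether strongSwan's own DN string parser expects the backslash escaping shown here is not established by this thread; the code only demonstrates the general mechanism.

```python
"""Added example, not from the strongSwan thread or strongSwan's own code.

Shows how a textual DN like the one given to rightca= is split into RDNs,
and why an unescaped comma inside a value ("O=Entrust, Inc.") makes a DN
that looks identical to a logged subject compare unequal to it.
"""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)


def parse_dn(text: str) -> List[RDN]:
    """Split an RFC 4514-style DN string into (type, value) pairs.

    A comma separates RDNs unless it is escaped with a backslash; a backslash
    escapes the following character. Types are upper-cased and whitespace
    around types and values is dropped. A component without '=' is an
    error, which is exactly what an unescaped comma inside a value produces.
    """
    rdns: List[RDN] = []
    buf: List[str] = []

    def flush() -> None:
        comp = "".join(buf).strip()
        buf.clear()
        if not comp:
            return
        if "=" not in comp:
            raise ValueError(f"RDN without '=': {comp!r}")
        attr, value = comp.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))

    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # escaped character, taken literally
            i += 2
        elif ch == ",":
            flush()
            i += 1
        else:
            buf.append(ch)
            i += 1
    flush()
    return rdns


def _escape(value: str) -> str:
    return value.replace("\\", "\\\\").replace(",", "\\,")


def format_dn(rdns: List[RDN]) -> str:
    """Render a DN with commas in values escaped, as RFC 4514 requires."""
    return ", ".join(f"{t}={_escape(v)}" for t, v in rdns)


def _norm(value: str) -> str:
    # caseIgnoreMatch-style comparison: fold case, collapse whitespace
    return " ".join(value.split()).casefold()


def dn_equal(a: List[RDN], b: List[RDN]) -> bool:
    """Attribute-by-attribute comparison; order and count must match."""
    return len(a) == len(b) and all(
        ta == tb and _norm(va) == _norm(vb) for (ta, va), (tb, vb) in zip(a, b)
    )


# Constructed: the three CA subjects from the log above, as a certificate
# parser would hand them over (structured RDNs, no string splitting involved).
LOADED_CAS: List[List[RDN]] = [
    [("C", "US"), ("O", "Entrust, Inc."),
     ("OU", "www.entrust.net/rpa is incorporated by reference"),
     ("OU", "(c) 2009 Entrust, Inc."),
     ("CN", "Entrust Certification Authority - L1C")],
    [("O", "Entrust.net"),
     ("OU", "www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)"),
     ("OU", "(c) 1999 Entrust.net Limited"),
     ("CN", "Entrust.net Certification Authority (2048)")],
    [("C", "US"), ("O", "Entrust.net"),
     ("OU", "www.entrust.net/CPS incorp. by ref. (limits liab.)"),
     ("OU", "(c) 1999 Entrust.net Limited"),
     ("CN", "Entrust.net Secure Server Certification Authority")],
]


def find_ca(rightca: str, loaded: List[List[RDN]] = LOADED_CAS) -> Optional[List[RDN]]:
    """Return the loaded CA whose subject equals the configured DN, or None
    (also None when the configured string does not parse as a DN)."""
    try:
        wanted = parse_dn(rightca)
    except ValueError:
        return None
    for subject in loaded:
        if dn_equal(wanted, subject):
            return subject
    return None


# The DN exactly as the log prints it: the comma in "Entrust, Inc." unescaped.
AS_LOGGED = ("C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by "
             "reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C")
# The same subject with value commas escaped, as format_dn() renders it.
ESCAPED = format_dn(LOADED_CAS[0])

if __name__ == "__main__":
    for label, dn in (("as logged", AS_LOGGED), ("escaped", ESCAPED)):
        try:
            print(f"{label}: {len(parse_dn(dn))} RDNs")
        except ValueError as err:
            print(f"{label}: parse error: {err}")
        print(f"  match: {find_ca(dn) is not None}")
```

Run stand-alone, the "as logged" form fails to parse because `Inc.` becomes an RDN of its own, while the escaped form yields five RDNs and matches the first loaded CA; comparing the output of `format_dn()` for a loaded subject against the configured string is a quick way to see where two DNs that print identically actually differ.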