[strongSwan] ipsec.conf:: rightca= ?

Tobias Brunner tobias at strongswan.org
Mon May 5 13:53:50 CEST 2014

Hi Mark,

> 17:03:45 06[CFG] CA certificate *"C=US, O=Entrust, Inc.,
> OU=www.entrust.net/rpa is incorporated by
> reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority
> - L1C" not found, discarding CA constraint*

That's due to a limitation of the DN string parser:  It can't handle
comma's in RDNs (which are already separated with commas).

According to RFC 4514 [1] commas could be escaped with backslashes in
string representations (e.g. "O=Entrust\, Inc.") but strongSwan
currently doesn't support such escape sequences either.

And because the parser supports an alternative encoding that uses
slashes to separate RDNs (e.g. "/C=US/O=Entrust, Inc./OU=..."), but
currently handles commas and slashes interchangeably, the slash in the
URL in the first OU RDN triggers the same issue.

We could easily change the parser so it uses either commas or slashes
(if the string starts with a slash) as separator in one DN.  But this
would only help if you could get rid of either the slash or the commas.
 Otherwise, a bigger change in the parser would be required (e.g. adding
support for escape sequences).

Fortunately there is a simple workaround for this.  You can use key IDs
instead of DNs to identify the CA.  Something like rightca=@#<hex> where
<hex> is the hex encoded SHA1 hash of either subjectPublicKey or
subjectPublicKeyInfo of your CA certificate.  You can determine those
with pki --print.  The hash over the subjectPublicKey is also encoded in
certificates issued by the pki utility, as subjectKeyIdentifier
extension, and also as authorityKeyIdentifier extension in end-entity
certificates issued by a CA.


[1] http://tools.ietf.org/html/rfc4514#section-3

More information about the Users mailing list