[strongSwan] preloading client certificates
Martin Willi
martin at strongswan.org
Thu Oct 2 09:36:59 CEST 2014
Pete,

> I've copied them to the /etc/ipsec.d/certs directory and restarted the
> daemon but "ipsec listcerts" still only lists the certificates that I
> have a private key for.

Certificates from the cert directory do not get loaded automatically.
The directory merely holds the certificates you can directly reference
with left/rightcert. This is a little different from the swanctl x509
directory [1], for which all contained certificates get loaded
implicitly.

If you have a large bunch of client certificates to handle, you probably
don't want a conn entry in ipsec.conf for each. Usually you issue all
the certificates from a CA to avoid handling all the client certificates
separately, and just install the CA to cacerts.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/SwanctlDirectory
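
The two approaches contrasted in the reply above, sketched as an ipsec.conf fragment. This is an added example, not part of the original message; the conn names, certificate file names and CA distinguished name are constructed placeholders.

```conf
# /etc/ipsec.conf (constructed example; every name below is a placeholder)

# Approach 1: one conn per client, each pinning a certificate file.
# A relative rightcert is looked up in /etc/ipsec.d/certs, and only
# certificates referenced like this are loaded from that directory.
conn client-alice
    left=%any
    leftcert=gatewayCert.pem
    right=%any
    rightcert=aliceCert.pem
    auto=add

conn client-bob
    left=%any
    leftcert=gatewayCert.pem
    right=%any
    rightcert=bobCert.pem
    auto=add

# Approach 2: a single conn for all clients issued by one CA.
# The CA certificate is installed in /etc/ipsec.d/cacerts; the client
# certificates themselves are not installed on the gateway.
# rightca restricts this conn to peers whose certificate was issued
# by the CA with this distinguished name.
conn clients
    left=%any
    leftcert=gatewayCert.pem
    right=%any
    rightca="C=CH, O=Example Org, CN=Example Client CA"
    auto=add
```

With the second approach, `ipsec listcacerts` is the command that shows the installed CA certificate, and adding a client means issuing a certificate rather than editing ipsec.conf.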