[strongSwan] Intermediate CAs unknown to peer?

Shea Levy shea at shealevy.com
Wed Sep 24 22:14:56 CEST 2014

Hi all,

I have the setup described at [1] working currently.
shea-intermediate.crt is signed by zalora-ca.crt, and each machine's
cert in /etc/x509 is signed by and concatenated with
shea-intermediate.crt. If I remove the 'ca inter' section from each
config, I get:

> no issuer certificate found for "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-ebc130d19292466287791571653eac79, E=it-services at zalora.com"

Is there any way to get this to work without each machine needing to
know about the intermediate CAs that may be used by the others? Since
the intermediate CA is signed by the root CA and bundled with the
end-user CA, it seems like it shouldn't be necessary...


[1]: https://gist.github.com/shlevy/99c8008c9b0043bc4afc

