[strongSwan] Intermediate CAs unknown to peer?

Andreas Steffen andreas.steffen at strongswan.org
Thu Sep 25 08:43:06 CEST 2014

Hi Shea,

concatenating multiple certificates into a single PEM file is not
supported by strongSwan. You could import the user certificate,
the corresponding private key and the trust chain via a key file
in PKCS#12 format as in the following example:


The user certificate and any intermediate certificates will be
sent to the peer via the IKE protocol.

In ipsec.conf you don't need a leftcert parameter. Just indicate
leftid so that the matching user certificate can be found.


Best regards


On 09/24/2014 10:14 PM, Shea Levy wrote:
> Hi all,
> I have the setup described at [1] working currently.
> shea-intermediate.crt is signed by zalora-ca.crt, and each machine's
> cert in /etc/x509 is signed by and concatenated with
> shea-intermediate.crt. If I remove the 'ca inter' section from each
> config, I get:
>> no issuer certificate found for "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-ebc130d19292466287791571653eac79, E=it-services at zalora.com"
> Is there any way to get this to work without each machine needing to
> know about the intermediate cas that may be used by the others? Since
> the intermediate ca is signed by the root ca and bundled with the
> end-user ca, it seems like it shouldn't be necessary...
> ~Shea
> [1]: https://gist.github.com/shlevy/99c8008c9b0043bc4afc

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140925/cb284325/attachment-0001.bin>

More information about the Users mailing list