[strongSwan] Intermediate CAs unknown to peer?
Shea Levy
shea at shealevy.com
Sat Sep 27 23:02:52 CEST 2014
Ah ha, thanks! Will give it a shot.
~Shea
On Thu, Sep 25, 2014 at 08:43:06AM +0200, Andreas Steffen wrote:
> Hi Shea,
>
> concatenating multiple certificates into a single PEM file is not
> supported by strongSwan. You could import the user certificate,
> the corresponding private key and the trust chain via a key file
> in PKCS#12 format as in the following example:
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.secrets
>
> The user certificate and any intermediate certificates will be
> sent to the peer via the IKE protocol.
>
> In ipsec.conf you don't need a leftcert parameter. Just indicate
> leftid so that the matching user certificate can be found.
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.conf
>
> Best regards
>
> Andreas
>
> On 09/24/2014 10:14 PM, Shea Levy wrote:
> > Hi all,
> >
> > I have the setup described at [1] working currently.
> > shea-intermediate.crt is signed by zalora-ca.crt, and each machine's
> > cert in /etc/x509 is signed by and concatenated with
> > shea-intermediate.crt. If I remove the 'ca inter' section from each
> > config, I get:
> >
> >> no issuer certificate found for "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-ebc130d19292466287791571653eac79, E=it-services at zalora.com"
> >
> > Is there any way to get this to work without each machine needing to
> > know about the intermediate cas that may be used by the others? Since
> > the intermediate ca is signed by the root ca and bundled with the
> > end-user ca, it seems like it shouldn't be necessary...
> >
> > ~Shea
> >
> > [1]: https://gist.github.com/shlevy/99c8008c9b0043bc4afc
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
More information about the Users
mailing list