[strongSwan] PKCS#12 and leftid

Jacques Monin jacques.monin01 at gmail.com
Mon May 11 17:09:23 CEST 2015


Thanks for your answers.

I don't really get how I'm supposed to use leftid, am I supposed to find a
string-ASN.1 converter?

Is there another way to specify the certification we want to use than
using leftid?

Regards

2015-05-11 14:48 GMT+02:00 Martin Willi <martin at strongswan.org>:

> Hi,
>
> > 1) [...]
> > For example my certificate subject is:
> > C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.monin01 at gmail.com
> > but when I do ipsec listall I have:
> > C=FR, ST=R?gion Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.monin01 at gmail.com
>
> Converting Distinguished Names to strings is very conservative in
> strongSwan, anything non-ASCII gets replaced by '?'. However, actually
> comparing distinguished names is more flexible, as it is not done on
> that converted string, but the ASN.1 encoding.
>
> Specifying leftid correctly probably depends on your ipsec.conf encoding
> and your locale.
>
> > 2) I would rather specify which p12 the connection has to use.
> > Is there any way to specify in each connection configuration which p12 file
> > is supposed to be used?
>
> No, not for PKCS#12. You can enforce a plain certificate to use using
> leftcert, and leftid gets replaced by the cert subject if it is not
> contained in the cert as subjectAltName.
>
> But this requires that you extract your PKCS#12 container and configure
> the certificates and keys separately, as leftcert does not take
> containers.
>
> Regards
> Martin
>
>
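
An added illustration, not part of the original thread and not strongSwan code: a simplified Python model of the point above, that the displayed DN is lossy while matching works on the encoded bytes, so the byte encoding of ipsec.conf decides whether leftid matches. The function names, the T61String tag and the single-byte 'é' in the sample certificate value are assumptions made for the example.

```python
# Added illustration (simplified model, not strongSwan source code).

def tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value, short and long length forms."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

OID_ST = bytes.fromhex("550408")  # 2.5.4.8, stateOrProvinceName
T61STRING = 0x14                  # string type assumed for this sample

def st_rdn(value: bytes) -> bytes:
    """RDN: SET { SEQUENCE { OID, string } } holding the raw value bytes."""
    return tlv(0x31, tlv(0x30, tlv(0x06, OID_ST) + tlv(T61STRING, value)))

def display(value: bytes) -> str:
    """Conservative rendering: every non-ASCII byte becomes '?'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in value)

def leftid_matches(cert_value: bytes, conf_text: str, conf_encoding: str) -> bool:
    """Compare DER encodings, using the bytes an editor saved to ipsec.conf."""
    return st_rdn(conf_text.encode(conf_encoding)) == st_rdn(cert_value)

# Constructed sample: ST value assumed to store 'é' as one Latin-1 byte.
CERT_ST = "Région Parisienne".encode("latin-1")

if __name__ == "__main__":
    print("listed as:", display(CERT_ST))
    for enc in ("latin-1", "utf-8"):
        print("ipsec.conf saved as", enc, "->",
              leftid_matches(CERT_ST, "Région Parisienne", enc))
    # Copying the '?' form from the listing back into leftid does not match.
    print("copied from listing ->",
          leftid_matches(CERT_ST, display(CERT_ST), "ascii"))
```

In this model only the configuration saved in the same byte encoding as the certificate value matches; the string copied from the listing never does, because '?' is a different byte from the one in the certificate.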