[strongSwan] PKCS#12 and leftid

Martin Willi martin at strongswan.org
Tue May 12 10:14:02 CEST 2015


> I don't really get how I'm supposed to use leftid, am I supposed to find a
> string-ASN.1 converter?

No, you define a string representation of your identity. strongSwan
detects the identity type, and tries to convert it to the appropriate
binary encoding (ASN.1 in the case of a DN).

While you can specify the raw binary encoding in leftid using the
asn1dn: or other prefixes, this is usually not required. Refer to the
ipsec.conf manpage for details about the leftid option.

If your certificate encodes the RDN as UTF8String, and your accent
characters are encoded properly in UTF-8, it should be possible to
create a matching subject using leftid if your ipsec.conf is UTF-8
encoded.

> Is there another way to specify the certification we want to use than
> using leftid?

As previously discussed, you can use leftcert to directly select a plain
X.509 certificate from a certificate file or smartcard slot. But that
won't work for PKCS#12. To alternatively select the certificate by
leftid, specify an identity contained in the certificate with one of the
options from above.

Regards
Martin
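
The encoding point in the message above, as an added example that is not part of the original message and is not strongSwan's code: a DN string is DER-encoded from the raw bytes of a config line, and the result only equals a UTF8String-encoded certificate subject when the file is UTF-8. The sample identity is constructed, and the encoder is a simplification (every value tagged UTF8String, no escaped commas, three attribute types).

```python
# Added illustration (not strongSwan code): why the config file's character
# encoding decides whether a DN with accents matches the certificate subject.

# DER content bytes of the attribute type OIDs used here (2.5.4.x).
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_dn(raw):
    """Encode 'C=.., O=.., CN=..' given as raw file bytes into a DER Name.
    Assumption: value bytes are copied verbatim and tagged UTF8String (0x0C)."""
    rdns = b""
    for part in raw.split(b","):
        key, _, value = part.strip().partition(b"=")
        atv = tlv(0x30, tlv(0x06, OIDS[key.decode("ascii")]) + tlv(0x0C, value))
        rdns += tlv(0x31, atv)          # one SET per RDN
    return tlv(0x30, rdns)              # outer SEQUENCE

def is_utf8(raw):
    """Pre-flight check for a config line: are these bytes valid UTF-8?"""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def subject_matches(config_bytes, cert_subject_der):
    return encode_dn(config_bytes) == cert_subject_der

# Constructed sample identity; CERT_SUBJECT stands in for the subject of a
# certificate whose RDNs are UTF8String with properly encoded accents.
IDENTITY = "C=FR, O=Société Exemple, CN=René"
CERT_SUBJECT = encode_dn(IDENTITY.encode("utf-8"))

if __name__ == "__main__":
    for enc in ("utf-8", "latin-1"):
        raw = IDENTITY.encode(enc)
        print(enc, "valid UTF-8:", is_utf8(raw),
              "matches subject:", subject_matches(raw, CERT_SUBJECT))
```

Running `is_utf8` over the identity line of a config file before loading it catches the Latin-1 case, which otherwise shows up only as an identity that does not match the certificate.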


