[strongSwan] CA certificate in response to certificate request payload in x509 authentication

Tobias Brunner tobias at strongswan.org
Fri Apr 22 09:47:09 CEST 2016

Hi Sameer,

> The issue I am facing is the peer is request CA certificate in its certificate request payload in the message.

A certificate request payload contains the SHA-1 hashes of the public
keys of CAs a peer accepts (or prefers) end-entity certificates from.
It's not a request to actually send the CA certificate but for the peer
to select its end-entity certificate used for the authentication.

> Is there a way to send the CA certificate if the peer is requesting that
> in the certificate request payload? If yes, how can I do that?

strongSwan does currently never send the root CA certificate of a
certificate chain.  Because how would the other peer trust it?


More information about the Users mailing list