[strongSwan] CA certificate in response to certificate request payload in x509 authentication

Sameer Agrawal agrawalsameer at gmail.com
Fri Apr 22 19:09:31 CEST 2016

Thanks Tobias
So is there a way to send the SHA-1 hashes of the public keys of CAs. Do we
do that already? If not, is there a way to enable it?

On Fri, Apr 22, 2016 at 12:47 AM, Tobias Brunner <tobias at strongswan.org>

> Hi Sameer,
> > The issue I am facing is the peer is request CA certificate in its
> certificate request payload in the message.
> A certificate request payload contains the SHA-1 hashes of the public
> keys of CAs a peer accepts (or prefers) end-entity certificates from.
> It's not a request to actually send the CA certificate but for the peer
> to select its end-entity certificate used for the authentication.
> > Is there a way to send the CA certificate if the peer is requesting that
> > in the certificate request payload? If yes, how can I do that?
> strongSwan does currently never send the root CA certificate of a
> certificate chain.  Because how would the other peer trust it?
> Regards,
> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160422/65847d2c/attachment.html>

More information about the Users mailing list