[strongSwan] OCSP & CA question

John Brown jb20141125 at gmail.com
Wed Mar 2 11:51:59 CET 2016


Hello all,

I'm using OCSP for certificate checks and this works ok. But I have
explicitly specified the cacert parameter in the ca section of ipsec.conf. The CA chain
may look like this: (devcert)<-subca1<-subca2<...<-rootca. All of them are
installed in /etc/ipsec.d/cacerts (with the exception of devcert, of course).
When cacert points to subca1 the OCSP request is ok, i.e. the serial number
of the certificate to check is the serial number of the remote device's certificate.

But as far as I understand there is no need to have all subca certificates
installed in /etc/ipsec.d/cacerts; rootca is enough (when OCSP is
disabled). But in that scenario how should I set the cacert option in the ca
section if I want to use OCSP?

And I am curious whether it is possible to omit the cacert setting and use the
certificate "from transmission", i.e. the subca1 certificate that was
received from the remote device. As far as I understand, when only rootca is
installed on the device, this device will receive subca* from the remote device
during the IKEv2 negotiation.

Thanks in advance for any answers.

Regards,
John