[strongSwan] How to retrieve remote certificates

Tobias Brunner tobias at strongswan.org
Wed Jan 25 11:31:19 CET 2017

Hi John,

> We have problems with certificate authentication and see "RSA signature
> verification failed: Bad signature" during a strongSwan connection attempt. We
> would like to retrieve the whole remote certificate chain to "manually" check
> this issue. Is this possible using strongSwan (for example by enabling
> some debugs)?

You could increase the log level to get the certificates sent by the
peer.  But I'm not sure if that would help much.  When exactly does this
happen?  When verifying a certificate?  When verifying the IKE
authentication?  Do you use IKEv2 or IKEv1?  Do you have the correct
root CA certificate installed?

Anyway, if you want to extract the certificates from the log you may
increase the log level for the enc subsystem to 3 [1].  You'll get lots
of output that way, look for data logged for CERTIFICATE payloads
(you'll also have to reconstruct the binary data from the hex output in
the log).


[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
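The reconstruction step Tobias mentions (turning the hex dump of the CERTIFICATE payload back into a binary certificate) is tedious by hand. The script below is an added example and is not part of this thread or of strongSwan itself. It assumes the chunk-dump layout charon uses at enc log level 3: a header line of the form "=> N bytes @ <address>" followed by lines of "<offset>: XX XX ... <ascii>", 16 bytes per line, with the payload type announced on a preceding "payload of type ..." or "generating ... payload" line. The sample log embedded in it is constructed to that layout (the payload is a small dummy DER SEQUENCE, not a real certificate); the rule numbers and addresses in it are illustrative only.

```python
"""Reconstruct CERTIFICATE payload bytes from a strongSwan charon log.

Added example, not code from the mailing-list thread or from strongSwan.
Assumes charon's level-3 chunk dump layout (see lead-in); the sample log
below is constructed, not a real capture.
"""
import base64
import re
import sys
from typing import List

# Header charon prints before a chunk hex dump: "=> N bytes @ 0x...".
HEADER_RE = re.compile(r"=>\s*(\d+)\s+bytes\s+@")
# "<offset>: <hex pairs ...>" after any log prefix such as "13[ENC]" or a
# syslog timestamp; the lookbehind keeps "11:31:19" from matching.
DUMP_RE = re.compile(r"(?<![\d:])(\d+):\s+(.*)$")
HEX_PAIR_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
# Lines that announce which payload is being parsed or generated.
PAYLOAD_RE = re.compile(r"payload of type (\w+)|generating (\w+) payload")


def extract_certificate_dumps(log_text: str) -> List[bytes]:
    """Return the DER blobs dumped while a CERTIFICATE payload was being
    parsed or generated.  Dumps of other payload types are ignored, and a
    dump whose offsets or byte counts do not line up is discarded rather
    than emitted as garbage."""
    certs: List[bytes] = []
    in_cert_payload = False
    expected = 0            # bytes announced by the current header; 0 = idle
    buf = bytearray()

    for line in log_text.splitlines():
        m = PAYLOAD_RE.search(line)
        if m:
            in_cert_payload = (m.group(1) or m.group(2)) == "CERTIFICATE"
            expected, buf = 0, bytearray()
            continue
        m = HEADER_RE.search(line)
        if m:
            expected, buf = int(m.group(1)), bytearray()
            continue
        if not expected:
            continue
        m = DUMP_RE.search(line)
        if not m or int(m.group(1)) != len(buf):
            expected, buf = 0, bytearray()      # dump interrupted: drop it
            continue
        tokens = m.group(2).split()
        take = min(16, expected - len(buf))      # exact count per line, so the
        hexes = tokens[:take]                    # ASCII column can never leak in
        if len(hexes) < take or not all(HEX_PAIR_RE.match(t) for t in hexes):
            expected, buf = 0, bytearray()
            continue
        buf.extend(int(t, 16) for t in hexes)
        if len(buf) == expected:
            # A DER certificate always starts with a SEQUENCE tag (0x30).
            if in_cert_payload and buf[0] == 0x30:
                certs.append(bytes(buf))
            expected, buf = 0, bytearray()
    return certs


def to_pem(der: bytes) -> str:
    """Wrap a DER blob as PEM so openssl/strongSwan tools can read it."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: a 24-byte dummy DER SEQUENCE inside a CERTIFICATE
# payload, followed by an unrelated NOTIFY dump that also begins with 0x30
# and must NOT be picked up.
SAMPLE_CERT_DER = bytes.fromhex(
    "30160201010411746573742d6365727469666963617465" "00")
SAMPLE_LOG = """\
13[ENC] parsing payload of type CERTIFICATE
13[ENC]   parsing rule 0 U_INT_8
13[ENC]    => 37
13[ENC]   parsing rule 4 U_INT_8
13[ENC]    => 4
13[ENC]   parsing rule 5 CHUNK_DATA
13[ENC]    => 24 bytes @ 0x7f3c5c003a40
13[ENC]       0: 30 16 02 01 01 04 11 74 65 73 74 2D 63 65 72 74  0......test-cert
13[ENC]      16: 69 66 69 63 61 74 65 00                          ificate.
13[ENC] parsing payload of type NOTIFY
13[ENC]   parsing rule 6 CHUNK_DATA
13[ENC]    => 4 bytes @ 0x7f3c5c003b00
13[ENC]       0: 30 00 00 00                                      0...
13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
"""

if __name__ == "__main__":
    # Usage: python3 extract_certs.py /var/log/charon.log  (or no arg for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for n, der in enumerate(extract_certificate_dumps(text)):
        print(f"# certificate {n}: {len(der)} bytes")
        print(to_pem(der), end="")
```

Pipe the PEM output into a file and inspect it with "openssl x509 -in remote-cert-0.pem -noout -text" (or "openssl verify -CAfile ca.pem" against the CA you expect) to see which chain the peer actually sent and why the signature does not check out. Two practical caveats: enc level 3 also dumps other payload contents, so raise it only for that subsystem and set it back once the capture is done, and treat the resulting log as sensitive; and for IKEv2 the CERT payloads travel inside the encrypted payload, which is why they only appear in the log of the decrypting charon, not in a packet capture.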
