[strongSwan] multiple server certificates

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Sep 4 21:15:45 CEST 2017


Hi,

You can switch certs on the fly by loading the new one, replacing the value in the configuration, then flushing the certificate cache.
AFAIR charon identifies the certificates by the ID in the conn and does not use the path it was loaded from (would only be applicable with starter/stroke anyway).
So it is uncertain to me what certificate charon would use as soon as you have two with the same DN (ID). Try to avoid having two certificates with the same DN.
Switch while it doesn't matter what certificate is used. Do it as is described in the first sentence, unless vetoed by a dev.

Kind regards

Noel

On 04.09.2017 16:40, Mike.Ettrich at bertelsmann.de wrote:
>
> Hi!
>
> I would like to know if it is possible to have two server certificates with the same subjectDN in the ipsec.d/private directory and contained in the ipsec.secrets configuration file.
>
> This scenario becomes interesting when the current server certificate expires and a new certificate should be used.
>
> Does the strongSwan implementation support this?
>
> Kind regards,
>
> Mike.
>
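The swap the reply above describes (load the new certificate, point the conn at it, flush the certificate cache, and keep only one certificate per DN loaded), as an added shell example that is not part of this thread or of strongSwan itself. It assumes the swanctl/vici backend rather than the ipsec.secrets/stroke setup the question mentions, a hypothetical conf file path, and that the matching private key is already in place; the openssl checks gate the swap on an identical subject DN and enough remaining lifetime.

```shell
#!/bin/sh
# Assumed layout (not from the thread): swanctl/vici backend, the gateway
# certificate in $SWANCTL_DIR/x509/, its key already in $SWANCTL_DIR/private/,
# and a conn whose "certs = <file>" line names the certificate file.
# DRY_RUN=1 prints the privileged commands instead of running them.
set -eu
SWANCTL_DIR="${SWANCTL_DIR:-/etc/swanctl}"
CONF="${CONF:-$SWANCTL_DIR/conf.d/gateway.conf}"   # hypothetical path

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Subject DN in RFC 2253 form, so two certificates compare as plain strings.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# Gate the swap: the replacement must be readable, carry the same subject DN
# (the ID the conn is matched on) and not expire within MIN_LIFE seconds.
check_replacement() {
    old="$1"; new="$2"; min_life="${3:-86400}"
    [ -r "$old" ] && [ -r "$new" ] || { echo "certificate not readable" >&2; return 1; }
    [ "$(cert_subject "$old")" = "$(cert_subject "$new")" ] \
        || { echo "subject DN differs: $(cert_subject "$new")" >&2; return 1; }
    openssl x509 -noout -checkend "$min_life" -in "$new" >/dev/null \
        || { echo "replacement expires within $min_life s" >&2; return 1; }
}

# Swap old -> new in the order the reply describes: load the new credential,
# point the conn at it and reload conns, flush the certificate cache, then move
# the old file out of x509/ so only one certificate with that DN stays loaded.
rotate_cert() {
    old="$1"; new="$2"
    check_replacement "$old" "$new" || return 1
    old_name=$(basename "$old"); new_name=$(basename "$new")
    run cp "$new" "$SWANCTL_DIR/x509/$new_name"
    run swanctl --load-creds
    sed "s|^\([[:space:]]*certs *= *\)$old_name|\1$new_name|" "$CONF" > "$CONF.tmp" \
        && mv "$CONF.tmp" "$CONF"
    run swanctl --load-conns
    run swanctl --flush-certs
    run mkdir -p "$SWANCTL_DIR/retired"
    run mv "$SWANCTL_DIR/x509/$old_name" "$SWANCTL_DIR/retired/$old_name"
}
```

With the stroke backend the question refers to, the corresponding steps are `ipsec rereadsecrets`, `ipsec reload` and `ipsec purgecerts`, after the old file has been removed from ipsec.d/.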


