[strongSwan] pki --verify Command

Jafar Al-Gharaibeh jafar at atcorp.com
Fri Feb 9 22:10:09 CET 2018


    When invoking the "pki --verify" command, the user has to supply all 
of the CA certs along the trust chain for the verification to take place 
appropriately. This could be cumbersome if the trust chain is long 
(>1).  If there are CRLs, they also have to be supplied as well. If the 
certificate store is known (default location for example such as 
/etc/ipsec.d/), shouldn't this all be done automatically? i.e, once you 
know the certificate to be verified,  you can lookup the issuers all the 
way up to the root CA with their associated CRLs. Is there any reason 
why it doesn't work that way, other than nobody gotten around to doing it?


More information about the Users mailing list