[strongSwan] pki --verify Command

Andreas Steffen andreas.steffen at strongswan.org
Sat Feb 10 09:09:11 CET 2018

Hi Jafar,

"pki --verify" is a command that is not intended to be used very often.

There are some rare cases where you might be in doubt whether a
certificate trust chain is correct and therefore might want to check
it out by usually increasing the debug level to 3.

Thus no effort has been taken to automate the verification process for
multi-level trust chains. You are free to propose and implement some
extensions to the "pki --verify" command.
On 09.02.2018 22:10, Jafar Al-Gharaibeh wrote:
> Hi,
>    When invoking the "pki --verify" command, the user has to supply all
> of the CA certs along the trust chain for the verification to take place
> appropriately. This could be cumbersome if the trust chain is long
> (>1).  If there are CRLs, they also have to be supplied as well. If the
> certificate store is known (default location for example such as
> /etc/ipsec.d/), shouldn't this all be done automatically? i.e, once you
> know the certificate to be verified,  you can lookup the issuers all the
> way up to the root CA with their associated CRLs. Is there any reason
> why it doesn't work that way, other than nobody has gotten around to doing it?
> Regards,
> Jafar
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
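
A wrapper that performs the store lookup Jafar describes, as an added example that is not strongSwan's own code: it gathers every CA certificate and CRL from the store and hands them to "pki --verify" as repeated --cacert/--crl options. It assumes the /etc/ipsec.d layout (cacerts/ and crls/), that "pki --verify" accepts those options repeated, and uses a hypothetical PKI_CMD variable so the binary can be substituted.

```shell
#!/bin/sh
# Added example, not strongSwan code: gather every CA certificate and CRL
# from a strongSwan-style store and pass them all to "pki --verify", which
# does not search the store on its own.
# Assumptions: the store has the /etc/ipsec.d layout (cacerts/ and crls/),
# "pki --verify" accepts repeated --cacert and --crl options, and PKI_CMD is
# a hypothetical hook that lets a caller substitute the pki binary.

# pki_verify_from_store CERT [STORE]
#   CERT  : the end-entity certificate to check
#   STORE : directory holding cacerts/ and crls/ (default /etc/ipsec.d)
pki_verify_from_store() {
    cert="$1"
    store="${2:-/etc/ipsec.d}"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }

    # Build the argument list in the positional parameters so that paths
    # containing spaces survive intact.
    set -- --in "$cert"
    for ca in "$store"/cacerts/*; do
        [ -f "$ca" ] && set -- "$@" --cacert "$ca"
    done
    for crl in "$store"/crls/*; do
        [ -f "$crl" ] && set -- "$@" --crl "$crl"
    done

    # Exit status is pki's own: 0 means the trust chain verified.
    "${PKI_CMD:-pki}" --verify "$@"
}
```

Every file in cacerts/ is handed over as a trust anchor for the run, so keep the store limited to CAs that are actually trusted and its crls/ directory current.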