[strongSwan] pki --verify Command

Tobias Brunner tobias at strongswan.org
Mon Feb 12 13:37:41 CET 2018


Hi Jafar,

> 2- "pki --verify --in certfile": change it to use the "default" trust 
> store if no additional arguments are supplied

There is no "default" trust store.  It very much depends on the
configuration backend used by the daemon from where certificates are
loaded automatically (if at all).

> Independent of the first choice above, we can add new command-line 
> options to point to the paths where
> CAs/CRLs are stored:
> 3- "pki --verify --in certfile --capath path-to-ca's --crlpath path-to-crls"
> 
> 4- Or we can change the existing options --cacert and --crl such that if the 
> supplied argument is a directory we treat them as such and load whatever 
> CAs/CRLs are needed for verification.

Both are simple enough to implement, the latter can be found in the
pki-verify-dirs branch.  I guess you could also just wrap calls to pki
--verify with a script and add --cacert/crl arguments as appropriate
(then you'd have more control if the CA certs and CRLs are e.g. stored
in the same directory with different file extensions).

Regards,
Tobias
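The wrapper script Tobias mentions in his last paragraph, written out as an added example (it is not strongSwan's own code and not the pki-verify-dirs branch): it collects every CA certificate and every CRL found in two directories, telling them apart by file extension, and hands them to pki --verify as repeated --cacert/--crl arguments. Assumptions made here: CA certificates end in .pem or .crt, CRLs end in .crl, the two directories may be the same one, and the pki binary is found on PATH unless PKI_BIN overrides it (PKI_BIN=echo gives a dry run that only prints the argument list).

```shell
#!/bin/sh
# pki-verify-dirs.sh: wrap `pki --verify` so that every CA certificate in
# CADIR and every CRL in CRLDIR are passed as repeated --cacert/--crl
# arguments.  Added example, not part of strongSwan.  Assumptions: CA
# certificates use the .pem or .crt extension, CRLs use .crl, and the pki
# binary is on PATH (override with PKI_BIN, e.g. PKI_BIN=echo for a dry run).

# verify_with_dirs CERT CADIR CRLDIR
# Exit status: 2 on a usage problem (missing certificate, no CA certs found),
# otherwise whatever pki --verify returns (0 = certificate verified).
verify_with_dirs() {
    cert=$1
    cadir=$2
    crldir=$3
    if [ ! -f "$cert" ]; then
        echo "verify_with_dirs: no such certificate: $cert" >&2
        return 2
    fi
    # Build the argument vector in "$@" so paths with spaces survive intact;
    # positional parameters are local to the function in POSIX sh.
    set -- --verify --in "$cert"
    found_ca=0
    for f in "$cadir"/*.pem "$cadir"/*.crt; do
        if [ -f "$f" ]; then
            set -- "$@" --cacert "$f"
            found_ca=1
        fi
    done
    # Without any CA certificate nothing can anchor the chain, so fail early
    # instead of letting pki report an untrusted chain for a less obvious reason.
    if [ "$found_ca" -eq 0 ]; then
        echo "verify_with_dirs: no CA certificates (*.pem, *.crt) in $cadir" >&2
        return 2
    fi
    for f in "$crldir"/*.crl; do
        if [ -f "$f" ]; then
            set -- "$@" --crl "$f"
        fi
    done
    "${PKI_BIN:-pki}" "$@"
}

# Command-line use: ./pki-verify-dirs.sh cert.pem /etc/ipsec.d/cacerts /etc/ipsec.d/crls
if [ $# -eq 3 ]; then
    verify_with_dirs "$@"
fi
```

Because the filter is by extension, CA certificates and CRLs can live in the same directory (pass it as both CADIR and CRLDIR); files with other extensions are ignored rather than fed to pki. Adjust the patterns if your deployment names CRLs differently.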

