[strongSwan] pki --verify Command

Jafar Al-Gharaibeh jafar at atcorp.com
Mon Feb 12 15:16:08 CET 2018

Hi Tobias,

On 2/12/2018 6:37 AM, Tobias Brunner wrote:
> Hi Jafar,
>> 2- "pki --verify --in certfile "  change it to use the "default" trust
>> store if no additional arguments  are supplied
> There is no "default" trust store.  It very much depends on the
> configuration backend used by the daemon from where certificates are
> loaded automatically (if at all).

I understand the limitation here, that is why I quoted  "default"

>> Independent of the first choice above, we can add new commands line
>> options to point to the paths of where
>> CA/crls are stored:
>> 3-"pki --verify --in certfile --capath path-to-ca's --crlpath path-to-crls
>> 4-Or we can change existing options --cacert and --crl such the if the
>> supplied argument is a directory we treat them as such and load whatever
>> CA's CRLs needed for verification.
> Both are simple enough to implement, the latter can be found in the
> pki-verify-dirs branch.  I guess you could also just wrap calls to pki
> --verify with a script and add --cacert/crl arguments as appropriate
> (then you'd have more control if the CA certs and CRLs are e.g. stored
> in the same directory with different file extensions).

I did write a script that does that but I thought it is very inefficient 
since you have to sweep through CAs/CRLs with pki --print to figure out 
the correct chain in order to use them with pki --verify.  Thanks for 
letting me know abot pki-verify-dirs. Sounds like what I'm looking for. 
I wish I knew it exists before wasting time on scripting :-).

Is that branch going to be merged any time soon?


More information about the Users mailing list