[strongSwan] pki --verify Command
Jafar Al-Gharaibeh
jafar at atcorp.com
Mon Feb 12 15:16:08 CET 2018
Hi Tobias,
On 2/12/2018 6:37 AM, Tobias Brunner wrote:
> Hi Jafar,
>
>> 2- "pki --verify --in certfile " change it to use the "default" trust
>> store if no additional arguments are supplied
> There is no "default" trust store. It very much depends on the
> configuration backend used by the daemon from where certificates are
> loaded automatically (if at all).
I understand the limitation here, that is why I quoted "default"
>
>> Independent of the first choice above, we can add new commands line
>> options to point to the paths of where
>> CA/crls are stored:
>> 3-"pki --verify --in certfile --capath path-to-ca's --crlpath path-to-crls
>>
>> 4-Or we can change existing options --cacert and --crl such the if the
>> supplied argument is a directory we treat them as such and load whatever
>> CA's CRLs needed for verification.
> Both are simple enough to implement, the latter can be found in the
> pki-verify-dirs branch. I guess you could also just wrap calls to pki
> --verify with a script and add --cacert/crl arguments as appropriate
> (then you'd have more control if the CA certs and CRLs are e.g. stored
> in the same directory with different file extensions).
I did write a script that does that but I thought it is very inefficient
since you have to sweep through CAs/CRLs with pki --print to figure out
the correct chain in order to use them with pki --verify. Thanks for
letting me know abot pki-verify-dirs. Sounds like what I'm looking for.
I wish I knew it exists before wasting time on scripting :-).
Is that branch going to be merged any time soon?
Cheers,
Jafar
More information about the Users
mailing list