[strongSwan] pki --verify Command

Tobias Brunner tobias at strongswan.org
Mon Feb 12 15:34:28 CET 2018


Hi Jafar,

> I did write a script that does that but I thought it is very inefficient 
> since you have to sweep through CAs/CRLs with pki --print to figure out 
> the correct chain in order to use them with pki --verify.

You can just pass it all the CA certs/CRLs you (or rather the daemon)
trust.  Unless you have e.g. configs with CA cert constraints there is
not really a need to pass the exact chain to figure out whether a
certificate is valid and trusted by the daemon.

> Thanks for 
> letting me know about pki-verify-dirs. Sounds like what I'm looking for. 
> I wish I knew it exists before wasting time on scripting :-).

It didn't, I quickly put that together this morning :-)

> Is that branch going to be merged any time soon?

Probably not with the upcoming release, but maybe the next one.

Regards,
Tobias
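
Added example (not part of the original message and not strongSwan code): a POSIX shell wrapper that hands every CA certificate and CRL found in two directories to pki --verify, as the reply suggests, instead of working out the exact chain first. The function name, the PKI override variable and the directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Verify one certificate against the whole set of CA certs/CRLs the daemon
# trusts. Illustrative wrapper; names and layout are assumptions.

PKI=${PKI:-pki}   # set PKI=echo for a dry run that prints the arguments

verify_with_trust_store() {
    cert=$1
    cadir=$2
    crldir=$3

    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 2; }

    # Build the argument list in the positional parameters so that file
    # names containing spaces survive intact.
    set -- --verify --in "$cert"

    n=0
    for f in "$cadir"/*; do
        [ -f "$f" ] || continue          # skips the unmatched glob too
        set -- "$@" --cacert "$f"
        n=$((n + 1))
    done

    # Refuse to run with an empty trust store: the result would say
    # nothing about whether the daemon trusts the certificate.
    [ "$n" -gt 0 ] || { echo "no CA certificates in $cadir" >&2; return 2; }

    for f in "$crldir"/*; do
        [ -f "$f" ] || continue
        set -- "$@" --crl "$f"
    done

    # The exit status of pki is the result of the verification.
    "$PKI" "$@"
}
```
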

