[strongSwan] how to send/request the intermediate CAs?

Harald Dunkel harald.dunkel at aixigo.de
Fri Feb 23 12:03:20 CET 2018


Hi folks,

Question: How can I tell charon to send or request intermediate
certificates to/from the peer?

A sample case would be a common root CA, one or two intermediate CAs,
and a client certificate for each peer. Both are using strongSwan.

IMU charon has to trust the root CA to verify the whole chain up to
the client certs. The root cert has to go to /etc/ipsec.d/cacerts,
but the intermediate CAs could be provided by the peer. Are they?
They don't show up in the log file (asn = 2).

I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
would help, but apparently it doesn't.


Every insightful comment is highly appreciated.

Regards
Harri

