[strongSwan] how to send/request the intermediate CAs?

Tobias Brunner tobias at strongswan.org
Mon Feb 26 09:28:57 CET 2018


Hi Harri,

>>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
>>> would help, but apparently it doesn't.
>>
>> strongSwan reads only the first certificate from PEM encoded files.  So
>> put them in separate files.
>>
> 
> This is unusual, is it?

What is?

> If I do, will charon send or request the whole chain?

Depends on the settings (send_certreq, send_cert in swanctl.conf,
left|rightsendcert in ipsec.conf).  With the default settings the client
will send certificate requests for all trusted CA certificates it has
loaded (root or intermediate), or if a CA is assigned in the config only
for that CA.  As responder, if any certificate requests are received (no
matter for what CA) the end entity certificate along with the
intermediate CA certificates will be sent to the client.

> I would suggest to improve logging here. asn = 1 doesn't list the subject
> and authority key IDs, for example. asn = 2 overwhelms you with unwanted
> details. Something in between would be nice.

Logging of what?  When?

Regards,
Tobias
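The first point in the reply above is that strongSwan reads only the first certificate from a PEM file, so a file holding a whole chain silently loses the intermediates. The following script, an added example that is not part of the thread or of the strongSwan project, splits such a bundle into one certificate per file. It keeps the first certificate (assumed, as in the thread's mycert.pem, to be the end-entity certificate) in place and writes every following certificate to its own file in a separate directory; the directory name `cacerts` and the `<name>-chain-N.pem` file naming are this example's own assumptions, not something the thread prescribes. The sample bundle is constructed from placeholder base64 and is not a real certificate.

```python
"""
Split a PEM certificate bundle into one-certificate-per-file.

strongSwan loads only the first certificate of a PEM file (per the thread
above), so intermediates appended to the end-entity file are ignored.
This example splits the bundle so each certificate lives in its own file.
"""
import re
import tempfile
from pathlib import Path

# One PEM certificate block, armour lines included.  Non-greedy match with
# DOTALL so multi-line base64 bodies are captured as a unit.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: three placeholder blocks, end-entity first, as a
# bundle written to /etc/ipsec.d/certs/mycert.pem would typically be laid out.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
RU5ELUVOVElUWS1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLTEtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVC1DQS1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""


def split_pem_bundle(text: str) -> list[str]:
    """Return every certificate block found in `text`, in file order."""
    return [m.group(0) + "\n" for m in _PEM_CERT.finditer(text)]


def split_bundle_file(bundle: Path, cacert_dir: Path) -> list[Path]:
    """Rewrite `bundle` so it holds only its first certificate and write each
    remaining certificate to its own file under `cacert_dir`.

    Returns the paths written, end-entity file first.  The chain order and
    the `cacert_dir` layout are assumptions of this example.
    """
    certs = split_pem_bundle(bundle.read_text())
    if not certs:
        raise ValueError(f"no PEM certificates found in {bundle}")
    cacert_dir.mkdir(parents=True, exist_ok=True)
    bundle.write_text(certs[0])          # end-entity certificate stays put
    written = [bundle]
    for i, cert in enumerate(certs[1:], start=1):
        out = cacert_dir / f"{bundle.stem}-chain-{i}.pem"
        out.write_text(cert)             # one intermediate/root per file
        written.append(out)
    return written


def demo() -> dict:
    """Run the split on the constructed bundle inside a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="strongswan-split-"))
    bundle = root / "mycert.pem"          # stands in for /etc/ipsec.d/certs/mycert.pem
    bundle.write_text(SAMPLE_BUNDLE)
    written = split_bundle_file(bundle, root / "cacerts")
    return {
        "written": written,
        "end_entity": bundle.read_text(),
        "chain_count": len(written) - 1,
    }


if __name__ == "__main__":
    for path in demo()["written"]:
        print(path)
```

After splitting, whether the intermediates are actually sent or requested is still governed by the settings named in the reply (`send_cert`/`send_certreq` in swanctl.conf, `leftsendcert`/`rightsendcert` in ipsec.conf); this script only fixes the loading side.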

