[strongSwan] how to send/request the intermediate CAs?

Tobias Brunner tobias at strongswan.org
Tue Feb 27 14:55:53 CET 2018

Hi Harald,

>>>>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
>>>>> would help, but apparently it doesn't.
>>>> strongSwan reads only the first certificate from PEM encoded files.  So
>>>> put them in separate files.
>>> This is unusual, is it?
>> What is?
> AFAICT its unusual, that the other certificates a chain file
> are ignored. In most cases they have been added on purpose,
> e.g. to simplify the deployment of certificate files, it is the
> regular output of openssl pkcs12 -cacerts ..., etc. IMHO its
> unexpected, that they are silently ignored. But maybe I don't
> see the downside of these chain files.

PKCS#12 files are something different than stuffing multiple PEM encoded
certificates into a file.  You can load PKCS#12 files with swanctl or

>>> If I do, will charon send or request the whole chain?
>> Depends on the settings (send_certreq, send_cert in swanctl.conf,
>> left|rightsendcert in ipsec.conf).  With the default settings the client
>> will send certificate requests for all trusted CA certificates it has
>> loaded (root or intermediate), or if a CA is assigned in the config only
>> for that CA. 
> Understood (hopefully). I would assume that if leftsendcert is set
> to "always", then charon will push the certificates to the
> peer without having received a request. But what about "never"?
> How is authentication supposed to happen in this case? (Sorry for
> asking, but its not documented in the Wiki, AFAICS.)

You obviously have to load the certificate or the public key manually on
the other end (or use some other means to fetch the public
key/certificate e.g. DNS via ipseckey plugin).

>> As responder, if any certificate requests are received (no
>> matter for what CA) the end entity certificate along with the
>> intermediate CA certificates will be sent to the client.
> Thats the part I would like to see in charon's log file.
> Some basic certificate info should show up, for each certificate,
> as it is sent or received.

That's already the case.  You'll see the subject of every certificate
sent or received.

> Subject, issuers and KeyIDs should do.
> Maybe the notBefore and notAfter entries as well, to spot
> expired certificates.

Why would you need to spot that manually?  If a certificate expired it
is rejected and if that happens the times are logged.

Do you know the certificate listing commands both swanctl/vici and
stroke provide?

> I understand that this option might severely impact performance.
> Surely not a default log setting.

You can always write your own plugin if you need additional information
for something somewhere.


More information about the Users mailing list