[strongSwan] Fwd: CRL validation failing
Matthew Winnett
mswinnett at gmail.com
Thu Jan 4 10:07:55 CET 2018
I am running 5.6.1 and trying to establish a site-to-site vlan to an F5
bigip using ikev2 and certificates. The tunnel works ok with psk but when
using certificates I get the following in the log:
11[CFG] checking certificate status of "C=gb, ST=anglesey, L=benllech, O=f5, OU=es, CN=moriarty_k-server_1.winnett.gb"
11[CFG] fetching crl from 'file:///usr/local/etc/swanctl/x509crl/ca-cacert.crl'
...
11[CFG] issuer of fetched CRL 'C=gb, ST=anglesey, L=benllech, O=f5, OU=es, CN=moriarty_k-Root_CA.winnett.gb' does not match CRL issuer '0e:db:41:37:bb:8c:b8:1c:de:9b:35:31:de:4d:6b:67:5a:02:57:22'
I found a previous thread indicating that the "CRL must contain an
authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
issuer", which I now have ...
$ openssl crl -in ca-cacert.crl -noout -text | grep -E "CRL extensions:" -A 4
CRL extensions:
X509v3 Authority Key Identifier:
keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
DirName:/C=gb/ST=anglesey/L=benllech/O=f5/OU=es/CN=moriarty_k-Root_CA.winnett.gb
serial:5A:4D:03:09
$ openssl x509 -in ca-cacert.pem -text | grep -E "X509v3 extensions:" -A 6
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
X509v3 Authority Key Identifier:
keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
Any idea what is wrong?
Many thanks ...
Matthew
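The check the thread refers to, as an added example that is not from the original post or from strongSwan's own code: it builds a CA and CRLs in memory with the Python cryptography library (constructed test data, no files read) and compares the CRL's authorityKeyIdentifier with the CA's subjectKeyIdentifier the way the log line above does, then adds the usual issuer-name and signature checks. A mismatching keyid, which is what the log reports, is shown by pointing a CRL's AKI at an unrelated CA.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def make_ca(common_name):
    """Constructed self-signed CA whose SKI is derived from its public key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(signing_key, issuer_cert, keyid_source):
    """Empty CRL signed by signing_key; its AKI copies the SKI of keyid_source."""
    ski = keyid_source.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(issuer_cert.subject)
            .last_update(NOW).next_update(NOW + DAY)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False)
            .sign(signing_key, hashes.SHA256()))

def crl_matches_issuer(crl, ca_cert):
    """Return (ok, reason). The keyid comparison is the one the log line reports;
    the issuer-name and signature checks are the standard follow-ups."""
    aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    if aki != ski:
        return False, f"CRL AKI {aki.hex(':')} does not match CA SKI {ski.hex(':')}"
    if crl.issuer != ca_cert.subject:
        return False, "CRL issuer name does not match the CA subject"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL signature does not verify under the CA key"
    return True, "CRL accepted for this CA"

if __name__ == "__main__":
    ca_key, ca_cert = make_ca("Root CA")
    _, other_ca = make_ca("Unrelated CA")
    print(crl_matches_issuer(make_crl(ca_key, ca_cert, ca_cert), ca_cert))   # good CRL
    print(crl_matches_issuer(make_crl(ca_key, ca_cert, other_ca), ca_cert))  # keyid mismatch
```

To run the same check against files on disk, load them with x509.load_pem_x509_crl / x509.load_pem_x509_certificate (or the DER variants) and pass the objects to crl_matches_issuer.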