[strongSwan] mobileconfig file - do i need to install a root CA

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:01:47 CET 2018


Hi,

You only need to install a root certificate if the issuer of your server certificate or its root certificate is not in the client's certificate store.
A client needs to be able to verify the server's certificate from the root to the server certificate. That includes CRLs and OCSP.

That's PKI 101.

Kind regards

Noel

On 10.01.2018 12:44, Alex Sharaz wrote:
> Hi,
> I've got a .mobileconfig file set up that will allow a macOS/iOS user to connect to my SSwan VPN server (5.6.1)
> In it I have a cert payload defined containing both the intermediate and root cert of the server certificate. This all works just fine
>
> However, our security people are objecting to the fact that I'm installing a root CA on the client device.
>
> Server cert has an intermediate cert between it and the root CA
>
> server config is
>
> conn it-services-ikev2
>   left=%any
>   leftauth=pubkey
>   leftcert=vpn.york.ac.uk.pem
>   leftid=@vpn.york.ac.uk
>   leftsendcert=always
>   leftsubnet=0.0.0.0/0,::/0
>   leftfirewall=yes
>   right=%any
>   rightauth=eap-radius
>   rightsendcert=never
>   rightgroups="Cserv"
>   eap_identity=%any
>   keyexchange=ikev2
>   rightsourceip=%itservices
>   fragmentation=yes
>   auto=add
>
>
> If I remove the root cert from the mobileconfig, connection fails. Should I be able to connect without the root CA in the payload?
>
> Rgds
> Alex
>
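As an added illustration of the chain-building point above (not code from the thread or from the strongSwan project), the script below creates a throwaway root, intermediate and server certificate with openssl and then runs the verification the client has to perform under the three configurations the thread discusses: root in the trust store and intermediate sent by the server, root in the store but intermediate missing, and only the intermediate in the store. The names lab-root, lab-intermediate and vpn.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the strongSwan list or project): build a throwaway
# root -> intermediate -> server chain with openssl and show which certificates
# the verifying side (the VPN client) must hold for validation to succeed.
# All names here (lab-root, lab-intermediate, vpn.example.test) are constructed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req configs: one for the self-signed root, one reused for the CSRs.
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = lab-root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

cat > csr.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extensions applied when signing the intermediate and the server certificate.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# 1. Root CA: self-signed, the only certificate that can act as a trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -days 30 -config root.cnf >/dev/null 2>&1

# 2. Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -config csr.cnf -subj "/CN=lab-intermediate" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 30 -extfile ca.ext >/dev/null 2>&1

# 3. Server certificate, signed by the intermediate (the gateway's leftcert).
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -config csr.cnf -subj "/CN=vpn.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out server.crt -days 30 -extfile server.ext >/dev/null 2>&1

# verify_chain ANCHOR [SENT]: ANCHOR is what the client trusts; SENT is what the
# server presents next to its own certificate (what leftsendcert=always delivers).
# Prints "ok" or "fail" instead of exiting so the cases can be compared.
verify_chain() {
  anchor=$1
  sent=${2:-}
  if [ -n "$sent" ]; then
    untrusted="-untrusted $sent"
  else
    untrusted=""
  fi
  # $untrusted is intentionally unquoted so it expands to two words or none.
  if openssl verify -CAfile "$anchor" $untrusted server.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Same check, but OpenSSL is explicitly told to accept a non-self-signed anchor.
verify_chain_partial() {
  if openssl verify -partial_chain -CAfile "$1" server.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "root trusted, intermediate sent:   $(verify_chain root.crt int.crt)"  # ok
echo "root trusted, intermediate absent: $(verify_chain root.crt)"          # fail
echo "only intermediate trusted:         $(verify_chain int.crt)"           # fail
echo "intermediate pinned as anchor:     $(verify_chain_partial int.crt)"   # ok
```

The first three cases are the ones that matter for the question in the thread: validation succeeds only when the client holds the self-signed root and the server supplies the intermediate, which is why dropping the root from the payload breaks the connection and why leftsendcert=always is needed on the gateway. The last case shows that OpenSSL will treat an intermediate as a trust anchor only when it is told to with -partial_chain; a verifier doing ordinary chain building, as Noel describes, needs the root in its store.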
