[strongSwan] mobileconfig file - do i need to install a root CA

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:01:47 CET 2018


You only need to install a root certificate if the issuer of your server certificate, or its root certificate, is not in the client's certificate store.
A client needs to be able to verify the server's certificate from the root to the server certificate. That includes CRLs and OCSP.

That's PKI 101.

Kind regards


On 10.01.2018 12:44, Alex Sharaz wrote:
> Hi,
> I've got a .mobileconfig file set up that will allow a macOS/iOS user to connect to my SSwan VPN server (5.6.1)
> In it I have a cert payload defined containing both the intermediate and root cert of the server certificate. This all works just fine
> However, our security people are objecting to the fact that I'm installing a root CA on the client device.
> Server cert has an intermediate cert between it and the root CA
> server config is
> conn it-services-ikev2
>   left=%any
>   leftauth=pubkey
>   leftcert=vpn.york.ac.uk.pem
>   leftid=@vpn.york.ac.uk
>   leftsendcert=always
>   leftsubnet=,::/0
>   leftfirewall=yes
>   right=%any
>   rightauth=eap-radius
>   rightsendcert=never
>   rightgroups="Cserv"
>   eap_identity=%any
>   keyexchange=ikev2
>   rightsourceip=%itservices
>   fragmentation=yes
>   auto=add
> If I remove the root cert from the mobileconfig, connection fails. Should I be able to connect without the root CA in the payload?
> Rgds
> Alex
