[strongSwan] mobileconfig file - do i need to install a root CA

Alex Sharaz alex.sharaz at york.ac.uk
Thu Jan 11 13:13:40 CET 2018


That's what is confusing: it's the QuoVadis root CA, which is one we use on a
whole batch of servers, and my OS X machine validates those certs just fine.
... and I can see them (root and intermediate) in the system root
keystore... but certainly if I remove it from the mobileconfig file I don't
connect; if I put it in there I do.
A

On 11 January 2018 at 12:01, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hi,
>
> You only need to install a root certificate if the issuer of your server
> certificate or its root certificate is not in the client's certificate
> store.
> A client needs to be able to verify the server's certificate from the root
> to the server certificate. That includes CRLs and OCSP.
>
> That's PKI 101.
>
> Kind regards
>
> Noel
>
> On 10.01.2018 12:44, Alex Sharaz wrote:
> > Hi,
> > I've got a .mobileconfig file set up that will allow a macOS/iOS user to
> > connect to my SSwan VPN server (5.6.1).
> > In it I have a cert payload defined containing both the intermediate and
> > root cert of the server certificate. This all works just fine.
> >
> > However, our security people are objecting to the fact that I'm
> > installing a root CA on the client device.
> >
> > Server cert has an intermediate cert between it and the root CA.
> >
> > Server config is:
> >
> > conn it-services-ikev2
> >   left=%any
> >   leftauth=pubkey
> >   leftcert=vpn.york.ac.uk.pem
> >   leftid=@vpn.york.ac.uk
> >   leftsendcert=always
> >   leftsubnet=0.0.0.0/0,::/0
> >   leftfirewall=yes
> >   right=%any
> >   rightauth=eap-radius
> >   rightsendcert=never
> >   rightgroups="Cserv"
> >   eap_identity=%any
> >   keyexchange=ikev2
> >   rightsourceip=%itservices
> >   fragmentation=yes
> >   auto=add
> >
> >
> > If I remove the root cert from the mobileconfig, connection fails.
> > Should I be able to connect without the root CA in the payload?
> >
> > Rgds
> > Alex
> >
>
>