[strongSwan] mobileconfig file - do i need to install a root CA
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:31:51 CET 2018
Actually not. Just refer to the right file in your system's CA store. (e.g. /etc/ca-certificates/extracted/cadir/bla.pem).
Or play around with symlinking /etc/ipsec.d/cacerts or a subdirectory of it to your system's CA store.
Kind regards
Noel
On 11.01.2018 13:29, Giuseppe De Marco wrote:
> You can even use charon-cmd this way:
>
> charon-cmd --host SERVER_HOSTNAME --profile ikev2-eap --identity LOGIN --cert /PATH/TO/ca.crt
>
> Using a valid CA lets Windows10 and MacOSX clients run without CA.crt, with GNU/Linux we have to have ca.crt instead
>
> 2018-01-11 13:17 GMT+01:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting <mailto:noel.kuntze+strongswan-users-ml at thermi.consulting>>:
>
> Put the root CA and the intermediate CAs into /etc/ipsec.d/cacerts, then run `ipsec stroke rereadcacerts` and then retry.
> If that does not help, check the logs of iOS. You can get access to them via Apple's SDK.
>
> On 11.01.2018 13:13, Alex Sharaz wrote:
> > Thats what is confusing, its the QuoVadis root CA which is one we use on a whole batch of servers and my osx machine validates those certs just fine. ... and I can see them ( root and intermediate) in the system root keystore... but certainly if I remove it from the mobileconfig file I don't connect ,if I put it in there I do
> > A
> >
> > On 11 January 2018 at 12:01, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting <mailto:noel.kuntze+strongswan-users-ml at thermi.consulting <mailto:noel.kuntze%2Bstrongswan-users-ml at thermi.consulting>>> wrote:
> >
> > Hi,
> >
> > You only need to install a root certificate, if the issuer of your server certificate or its root certificate are not in the client's certificate store.
> > A client needs to be able to verify the server's certificate from the root to the server certificate. That includes CRLs and OCSP.
> >
> > That's PKI 101.
> >
> > Kind regards
> >
> > Noel
> >
> > On 10.01.2018 12:44, Alex Sharaz wrote:
> > > Hi,
> > > I've got a .mobileconfig file set up that will allow a macOS/iOS user to connect to my SSwan VPN server (5.6.1)
> > > In it I have a cert payload defined containing both the intermediate and root cert of the server certificate. This all works just fine
> > >
> > > However, our security people are objecting to the fact that I'm installing a root CA on the client device.
> > >
> > > Server cert has an intermediate cet between it and the root CA
> > >
> > > server config is
> > >
> > > conn it-services-ikev2
> > > left=%any
> > > leftauth=pubkey
> > > leftcert=vpn.york.ac.uk.pem
> > > leftid=@vpn.york.ac.uk <http://vpn.york.ac.uk> <http://vpn.york.ac.uk> <http://vpn.york.ac.uk>
> > > leftsendcert=always
> > > leftsubnet=0.0.0.0/0,::/0 <http://0.0.0.0/0,::/0> <http://0.0.0.0/0,::/0> <http://0.0.0.0/0,::/0>
> > > leftfirewall=yes
> > > right=%any
> > > rightauth=eap-radius
> > > rightsendcert=never
> > > rightgroups="Cserv"
> > > eap_identity=%any
> > > keyexchange=ikev2
> > > rightsourceip=%itservices
> > > fragmentation=yes
> > > auto=add
> > >
> > >
> > > If I remove the root cert from the mobileconfig, connection fails. Should I be able to connect without the root CA in the payload?
> > >
> > > Rgds
> > > Alex
> > >
> >
> >
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180111/00c6b990/attachment.sig>
More information about the Users
mailing list