[strongSwan] Loading certificate fails

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 5 10:47:10 CEST 2018


Hi Mike,

with strongSwan 5.7.0dr, pki --print returns the following information:

   subject:  "C=DE, ST=Berlin, L=Berlin, O=gematik GmbH TEST-ONLY - NOT-VALID, CN=80276883130047021254-20170828, postalCode=10117, STREET=Friedrichstraße 136"
   issuer:   "C=DE, O=gematik GmbH NOT-VALID, OU=Komponenten-CA der Telematikinfrastruktur, CN=GEM.KOMP-CA27 TEST-ONLY"
   validity:  not before Aug 28 14:23:52 2017, ok
              not after  Aug 27 14:23:51 2022, ok (expires in 1544 days)
   serial:    49
   flags:     serverAuth clientAuth
   OCSP URIs: http://ocsp-testref.komp-ca.telematik-test/ocsp
   authkeyId: 7d:6d:64:43:c5:89:f0:04:a7:62:d9:00:6a:eb:64:cc:5e:ed:77:74
   subjkeyId: b8:df:ef:87:8e:a7:1b:13:66:90:2a:9f:81:00:46:96:96:93:70:72
   pubkey:    RSA 2048 bits
   keyid:     ef:5d:7e:46:2c:56:c9:87:33:70:f4:ba:8f:b1:ad:74:54:00:5e:a1
   subjkey:   b8:df:ef:87:8e:a7:1b:13:66:90:2a:9f:81:00:46:96:96:93:70:72

There is an otherName defined in the subjectAltName extension of type-id
"organisation"

L6 - generalNames:
L7 - generalName:
L8 - otherName:
=> 80 bytes @ 0xd78923
    0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B  ..U...I.Ggematik
   16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3   Gesellschaft f.
   32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65  .r Telematikanwe
   48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75  ndungen der Gesu
   64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48  ndheitskarte mbH
L9 - type-id:
   'O'
L9 - value:
=> 73 bytes @ 0xd7892a
    0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C  .Ggematik Gesell
   16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65  schaft f..r Tele
   32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E  matikanwendungen
   48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73   der Gesundheits
   64: 6B 61 72 74 65 20 6D 62 48                       karte mbH

which is just being ignored.

Best regards

Andreas

On 05.06.2018 11:49, Ettrich, Mike, NMU-DSJ wrote:
> Hi!
>
> Because the strongSwan log doesn’t tell a lot about the reasons, I have
> to call for help solving the problem “building CRED_CERTIFICATE - ANY
> failed, tried 1 builders”.
>
> We do use a symlink to the certificate but it seems to be a structural
> problem.
>
> We have problems loading the certificate (80276883130047021254.cert.pem):
>
> PKI – Call:
>
> ipsec pki --print --in 80276883130047021254.cert.pem
>
> building CRED_CERTIFICATE - X509 failed, tried 3 builders
>
> parsing input failed
>
> OpenSSL – Call:
>
> openssl x509 -in 80276883130047021254.cert.pem -text -noout
>
>              X509v3 Subject Alternative Name:
>
>                  othername:<unsupported>
>
>              1.3.36.8.3.3:
>
> Netzkonnektor0...*...L.h0.0..
>
>      Signature Algorithm: sha256WithRSAEncryption
>
> If this certificate is used by our Test-Roadwarrior, Charon.log contains:
>
> Jun  5 09:20:56 14[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
>
> Jun  5 09:20:56 14[CFG]   loading certificate from 'my.C_NK_VPN.pem' failed
>
> Kind regards,
>
> Mike.
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
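
The otherName from the hex dump in the reply above, decoded step by step. This is an added example, not part of the original mail and not strongSwan code: it reads the 80 content bytes (transcribed from the dump) as OtherName ::= SEQUENCE { type-id, value [0] EXPLICIT ANY } and shows that the type-id is 2.5.4.10 (organizationName, the 'O' in the dump) carrying a UTF8String. The function names are illustrative.

```python
# OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
OTHERNAME = bytes.fromhex(  # 80 content bytes, transcribed from the dump
    "06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B"
    "20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3"
    "BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65"
    "6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75"
    "6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48")

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this subidentifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # first subidentifier packs two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_other_name(content):
    """Return (type-id OID, inner tag, text or None) for OtherName content."""
    tag, oid_body, pos = read_tlv(content, 0)
    if tag != 0x06:
        raise ValueError("type-id is not an OBJECT IDENTIFIER")
    tag, wrapped, pos = read_tlv(content, pos)
    if tag != 0xA0 or pos != len(content):
        raise ValueError("value is not a single [0] EXPLICIT element")
    inner_tag, inner, end = read_tlv(wrapped, 0)
    if end != len(wrapped):
        raise ValueError("trailing bytes inside the [0] wrapper")
    text = inner.decode("utf-8") if inner_tag == 0x0C else None  # UTF8String
    return decode_oid(oid_body), inner_tag, text
```

Calling parse_other_name(OTHERNAME) returns the OID, the inner tag 0x0C and the organisation name as text; a truncated buffer raises ValueError instead of reading past the end.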
