[strongSwan] CRL: Parsing x509 certificate failed

bls s bls3427 at outlook.com
Sat Sep 8 17:20:26 CEST 2018


I'm working with CRLs. I have what I believe is a well-formed CRL using strongSwan 5.6.3:

Rpi31/etc/swanctl# pki --print --in /etc/swanctl/x509/revoked.der --type crl
  issuer:   "C=US, O=rpi31-strongSwan, CN=strongSwan rpi31 Root CA"
  update:    this on Sep 08 08:05:51 2018, ok
             next on Sep 15 08:05:51 2018, ok (expires in 6 days)
  serial:    01
  authKeyId: 58:5e:05:3b:53:6e:00:2f:99:a2:1e:3b:ce:c0:86:c7:37:fb:89:fc
  1 revoked certificate:
    72:50:d2:f7:36:0d:08:af: Sep 08 08:05:51 2018, superseded

However, swanctl --load-creds reports:

Rpi31/etc/swanctl# swanctl --load-creds
loaded certificate from '/etc/swanctl/x509/bls-iPhone7-rpi31Cert.pem'
loaded certificate from '/etc/swanctl/x509/strongSwanCert.pem'
loading '/etc/swanctl/x509/revoked.der' failed: parsing X509 certificate failed
loaded certificate from '/etc/swanctl/x509/bls-android-rpi31Cert.pem'
loaded certificate from '/etc/swanctl/x509/bls-scout-rpi31Cert.pem'

In another thread I saw a mention that pem must be loaded, and it appears that it is:

Sep  7 14:30:05 rpi31 charon-systemd[31880]: loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-tls xauth-generic counters

Greatly appreciate solutions, suggestions, or pointers to help resolve.

Thanks!