[strongSwan] A couple of offerings for the community

Tobias Brunner tobias at strongswan.org
Mon Jan 28 11:29:08 CET 2019


Hi Derek,

> Originally I wanted to use p12 files with everything in them (CA cert,
> client cert, client key), but this created messiness on the Windows
> end.

As mentioned in the previous mail, the CA certificate that issued the
client and server certificates don't have to be the same (often they
aren't).  Does Windows require the complete chain for the client
certificate?

> This is why I separated out the CA cert, with the client cert and
> the client key going into a pfx file.

Because you expect the PKCS#12/PFX file in local.p12 to contain CA
certificates?  That isn't necessarily the case, it could just as well be
only the client certificate and key (because the issuing CA certificate
is not required on Android).  Providing CA certificates to verify the
server certificate (if it's even necessary) via remote.cert is usually
better anyway as that avoids warnings on older Android releases (and
maybe cleaner if the CAs are different).

Regards,
Tobias


More information about the Users mailing list