[strongSwan] building CRED_CERTIFICATE - X509 failed, tried 3 builders

Yogesh Purohit yogeshpurohit2 at gmail.com
Fri May 10 06:55:23 CEST 2019


Hi All,

I tried verifying the same ECDSA certificate and CA cert on both strongSwan
versions.
On strongSwan version 5.5.2:

[root@mac-6 ~]# pki --verify --in /etc/ipsec.d/certs/certificate-1.pem --ca /etc/ipsec.d/cacerts/certificate-2.pem
  using certificate "C=IN, ST=M, L=M, O=Yam, OU=Ya, CN=prime1"
  using trusted ca certificate "C=IN, ST=M, L=P, O=Yam, OU=Ya, CN=primeCA"
  reached self-signed root ca with a path length of 0
certificate trusted, lifetimes valid

Whereas when I tried verifying the same set on strongSwan version 5.6.3:

[root@mac-7 ~]# pki --verify --in /etc/ipsec.d/certs/certificate-1.pem --ca /etc/ipsec.d/cacerts/certificate-2.pem
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate from '/etc/ipsec.d/cacerts/certificate-2.pem' failed
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing certificate failed

Please let me know if there are any changes between the two versions for ECDSA
certificates, because the same RSA certificates are working on both versions
for me.

On Thu, May 9, 2019 at 4:17 PM Yogesh Purohit <yogeshpurohit2 at gmail.com>
wrote:

> Hi,
>
> I was using strongSwan version 5.5.2, where I was using ECDSA certificates.
> Recently I have moved to strongSwan version 5.6.3.
> But with this new version I am facing an issue loading my certificates and
> keys. strongSwan fails to load the certificates.
> I noticed this new line in it: 'building CRED_CERTIFICATE - X509 failed,
> tried 3 builders'
>
> charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.4.0-116-generic, x86_64)
> charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
> charon: 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/ca_dummy.pem' failed
> charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
> charon: 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/ca_ecdsa.pem' failed
>
> Is there any new plugin which is needed for it? I was able to use the same
> certificate with the previous version.
>
> --
> Best Regards,
>
> Yogesh Purohit
>


-- 
Best Regards,

Yogesh Purohit