[strongSwan] rejecting certificate without digitalSignature or nonRepudiation, keyUsage flags
Tobias Brunner
tobias at strongswan.org
Wed Oct 30 19:12:23 CET 2019
Hi,

> but when I do:
>
> $ strongswan pki --issue .... --flag nonRepudiation

That's not a flag value supported by strongSwan (it will just be ignored).

> and then:
>
> $ strongswan pki --print --in ipsec.d/certs/sucker at openstack.der.new
>
> ...
>
> flags:
> ..
>
> nothing gets there?

With the pki tool you don't have to do anything special as it doesn't
encode keyUsage flags (except for CA certificates and CRL signer
certificates, neither of which you want to use as end-entity
certificates for IKE authentication).

Regards,
Tobias
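
Added example, not part of the original message and not strongSwan code: a decoder for the DER BIT STRING carried in the X.509 keyUsage extension (RFC 5280, section 4.2.1.3), with the check named in the thread subject applied to it. The function names, the sample byte strings and the rule that an absent extension is accepted are assumptions made for illustration.

```python
# Added example: decode a DER-encoded KeyUsage value and apply the check from
# the thread subject. All names and sample bytes are constructed for illustration.

KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Return the flag names asserted in a DER BIT STRING holding KeyUsage."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length for a KeyUsage value")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    total_bits = len(payload) * 8 - unused
    flags = set()
    # Bit 0 is the most significant bit of the first payload byte.
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            flags.add(KEY_USAGE_BITS[i])
    return flags

def acceptable_for_signature_auth(key_usage_der) -> bool:
    """Assumed peer policy: accept when the extension is absent (None) or
    asserts digitalSignature or nonRepudiation."""
    if key_usage_der is None:
        return True
    wanted = {"digitalSignature", "nonRepudiation"}
    return bool(decode_key_usage(key_usage_der) & wanted)

# Constructed samples: label -> KeyUsage value (None = no extension encoded).
SAMPLES = {
    "end-entity, no keyUsage": None,
    "digitalSignature+keyEncipherment": bytes.fromhex("030205a0"),
    "CA style (keyCertSign+cRLSign)": bytes.fromhex("03020106"),
    "keyEncipherment only": bytes.fromhex("03020520"),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        flags = sorted(decode_key_usage(value)) if value else []
        print(f"{label}: flags={flags} ok={acceptable_for_signature_auth(value)}")
```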