[Openswan Users] x509 certificate question

Andreas Steffen andreas.steffen at strongsec.net
Sun Mar 21 14:15:04 CET 2004

My X.509 howto found at


might help you.

Usually you must only load your own cert locally using leftcert=
(assuming that left is local and right remote).

    ipsec auto --listcerts

shows all the certs loaded locally. The remote cert is transmitted
by the peer as part of the IKE Main Mode protocol. openswan/strongswan
keeps only the public key which is listed by the command

   ipsec auto --listpubkey

In order for the received peer cert to be trusted a  CA cert is
required which must be put into /etc/ipsec.d/cacerts. The command

   ipsec auto --listcacerts

shows you all loaded CA certs.

If you have problems with your connection setup please post a barf


set in ipsec.conf.

Kind regards


James Harper wrote:

> I've read and googled and read some more and can't find a clear answer
> to this question. If anyone can tell me the answer or where to find it I
> would be very grateful!
> I'm investigating using x509 instead of psk which I currently use, and
> finally have it working but I had to specify leftcert and rightcert on
> at least the non-initiating end or it claimed not to be able to find a
> matching certificate. I was under the impression that public keys were
> exchanged at setup time and validated against a ca, but then I have also
> read that you should have a local copy of all public keys that might be
> involved, and now I find I have to specify the .pem certificate file
> explicitly. I think I'm doing something wrong.
> Looking at the logs, the only certs it loads are the ones I specify in
> the config. Is that right? I expected it to pre-load all the ones in the
> certs directory so that it could match them up to the asn id's I
> specified.
> Either I'm making a common error and someone will say 'oh yeah I know
> what that is, do this', or I'll have to post more information about my
> setup... hopefully it's the former.
> Tia
> James

Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

More information about the Users mailing list