[Openswan Users] x509 certificate question
andreas.steffen at strongsec.net
Sun Mar 21 14:15:04 CET 2004
My X.509 howto found at
might help you.
Usually you must only load your own cert locally using leftcert=
(assuming that left is local and right remote).
ipsec auto --listcerts
shows all the certs loaded locally. The remote cert is transmitted
by the peer as part of the IKE Main Mode protocol. openswan/strongswan
keeps only the public key which is listed by the command
ipsec auto --listpubkey
In order for the received peer cert to be trusted a CA cert is
required which must be put into /etc/ipsec.d/cacerts. The command
ipsec auto --listcacerts
shows you all loaded CA certs.
If you have problems with your connection setup please post a barf
set in ipsec.conf.
James Harper wrote:
> I've read and googled and read some more and can't find a clear answer
> to this question. If anyone can tell me the answer or where to find it I
> would be very grateful!
> I'm investigating using x509 instead of psk which I currently use, and
> finally have it working but I had to specify leftcert and rightcert on
> at least the non-initiating end or it claimed not to be able to find a
> matching certificate. I was under the impression that public keys were
> exchanged at setup time and validated against a ca, but then I have also
> read that you should have a local copy of all public keys that might be
> involved, and now I find I have to specify the .pem certificate file
> explicitly. I think I'm doing something wrong.
> Looking at the logs, the only certs it loads are the ones I specify in
> the config. Is that right? I expected it to pre-load all the ones in the
> certs directory so that it could match them up to the asn id's I
> Either I'm making a common error and someone will say 'oh yeah I know
> what that is, do this', or I'll have to post more information about my
> setup... hopefully it's the former.
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
More information about the Users