[Openswan Users] Re: Forwarding client certs

Paul Wouters paul at xelerance.com
Mon Apr 18 19:01:31 CEST 2005


On Mon, 18 Apr 2005, Twum K. Djin wrote:

> My intention is to have Openswan set up to accept ANY certificate signed by the trusted CA of the server so I really won't have each cert that the CA has ever signed.

It works like that out of the box. Any cert signed by a CA listed in /etc/ipsec.d/cacerts/, optionally
restricted by RDNs, will work. You can pattern match in the conns if you want.

> When a client gets granted access then they must have presented a valid cert (i.e. signed by this trusted CA) but I would still like to know the particular client hence the need for another tool that processes their certs.

You can get the client DN in your _updown script and do what you want. Unless you really need the
certificate contents for obscure reasons, there is no need to copy the certificate.

Paul
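The two points in Paul's reply (restricting a conn to certs from one CA by DN pattern, and reading the client DN in _updown instead of copying the certificate) as one added example. This is not Openswan's own _updown script and not code from the thread; it assumes Openswan exports PLUTO_VERB, PLUTO_PEER and PLUTO_PEER_ID to the script named by leftupdown=, that the stock script is at /usr/lib/ipsec/_updown, and that rightid accepts `*` as an RDN wildcard and rightca accepts %same (as in the FreeS/WAN X.509 patch Openswan inherits). The conn name, paths, DN values and log format are made up for the illustration.

```shell
#!/bin/sh
# Added example: an _updown wrapper that records which client connected,
# then hands over to the stock Openswan script. Not Openswan's own code.
#
# Constructed ipsec.conf fragment this wrapper is meant to be used with
# (conn name, O= value and paths are assumptions):
#
#   conn roadwarriors
#       leftcert=gateway.pem
#       leftupdown=/etc/ipsec.d/log-peer-updown
#       rightrsasigkey=%cert
#       rightca=%same                      # peer cert must be signed by our CA
#       rightid="C=US, O=Example Corp, CN=*"   # any CN under that CA
#       auto=add

LOGFILE="${PEER_LOGFILE:-/var/log/ipsec-peers.log}"
REAL_UPDOWN="${REAL_UPDOWN:-/usr/lib/ipsec/_updown}"

# Pull the CN= value out of a DN string such as "C=US, O=Example Corp, CN=alice".
dn_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p' | sed 's/^ *//;s/ *$//'
}

# Only the verbs that mean a tunnel actually came up or went down are logged;
# prepare-*/route-*/unroute-* are passed through silently.
log_verb() {
    case "$1" in
        up-client|down-client|up-host|down-host) return 0 ;;
        *) return 1 ;;
    esac
}

# Build one log line: timestamp, verb, peer address, CN and full DN.
# The timestamp is passed in so the function is deterministic.
format_entry() {
    verb="$1"; dn="$2"; peer="$3"; stamp="$4"
    printf '%s %s peer=%s cn="%s" dn="%s"\n' \
        "$stamp" "$verb" "$peer" "$(dn_cn "$dn")" "$dn"
}

main() {
    if log_verb "${PLUTO_VERB:-}"; then
        format_entry "$PLUTO_VERB" "${PLUTO_PEER_ID:-unknown}" \
            "${PLUTO_PEER:-unknown}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$LOGFILE"
    fi
    # Always run the real script so routes and firewall rules are still handled.
    if [ -x "$REAL_UPDOWN" ]; then
        exec "$REAL_UPDOWN" "$@"
    fi
}

# Only act when Pluto invoked us (PLUTO_VERB set); otherwise just define functions.
if [ -n "${PLUTO_VERB:-}" ]; then
    main "$@"
fi
```

Because the DN is taken from PLUTO_PEER_ID after Pluto has already verified the certificate chain against /etc/ipsec.d/cacerts/, the log only ever contains identities that passed CA validation, which is exactly the "which client was it" information asked for without storing any certificate.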

