[Openswan Users] Re: [strongSwan] Problems with cert from sub CA

Andreas Steffen andreas.steffen at strongsec.net
Fri Jul 1 09:00:41 CEST 2005

Hi John,

the strongSwan test case


shows a working example with subCAs. The case


even requires the availability of CRLs issued by the subCAs and
the root CA. The test case


how the CRLs can be fetched from an LDAP server.

Without any log files it is very difficult to diagnose your problem.
In x509.c there is an error message "certificate signature is invalid"
which usually signifies that the correct subCA or rootCA certificate
was not found in /etc/ipsec.d/cacerts.



John A. Sullivan III wrote:
> We have been having problems connecting a roadwarrior running 2.6sec
> with racoon to a *swan device (CyberGuard SG570) using certificates
> issued by sub CAs even if they both use certificates from the same sub
> CA.  In other words, our PKI has a root CA which has certified secondary
> CAs.  The certs for the user and gateway were issued from these sub CAs.
> The errors from the *swan side were not very descriptive -- just a
> statement that the certificate was invalid (my apologies but I deleted
> the error messages before sending this e-mail).  However, if the *swan
> side initiated, we got more descriptive errors on the 2.6sec side.  It
> complained about not finding the CA certificate at depth(1).  That gave
> us the clue about hierarchy.
> We reissued the certs from the root CA and all worked perfectly.  Has
> anyone else experienced this? Can anyone explain why it happens? Is it
> possible to use *swan with sub CAs?  Thanks - John

Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
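The failure Andreas describes, a gateway certificate issued by a sub CA that cannot be validated because only the root CA is known, can be reproduced outside IPsec with the OpenSSL command line. The script below is an added example, not part of the original thread and not strongSwan or Openswan code: it builds a constructed three-level chain (root CA, sub CA, gateway certificate) in a temporary directory and then verifies the gateway certificate twice, once with a trust store holding only the root and once with a store that also holds the sub CA, which is the analogue of dropping the sub CA certificate into /etc/ipsec.d/cacerts. All names (Example Root CA, Example Sub CA, gateway.example.org) and the WORK directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: chain building with and without the intermediate (sub) CA.
# Everything here is constructed for the demonstration; the certificate
# subjects and the work directory are not from the original thread.

WORK="${WORK:-$(mktemp -d)}"

# Build root CA -> sub CA -> gateway certificate in $WORK.
make_chain() (
    cd "$WORK" || exit 1
    # Self-signed root CA (openssl's default req -x509 profile marks it CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1
    # Sub CA: a request signed by the root, explicitly marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
        -subj "/CN=Example Sub CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out sub.pem -days 30 -extfile sub.ext >/dev/null 2>&1
    # Gateway (end-entity) certificate issued by the sub CA, not by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr \
        -subj "/CN=gateway.example.org" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\n' > gw.ext
    openssl x509 -req -in gw.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
        -out gw.pem -days 30 -extfile gw.ext >/dev/null 2>&1
    # Trust store that also carries the sub CA, like a populated cacerts directory.
    cat root.pem sub.pem > cacerts.pem
)

# Verify the gateway certificate against the given trust store and return
# openssl's verdict as text, whether it succeeded or not.
verify_gateway() {
    cafile=$1
    out=$(openssl verify -CAfile "$cafile" "$WORK/gw.pem" 2>&1) || true
    printf '%s\n' "$out"
}

make_chain
echo "root CA only:"
verify_gateway "$WORK/root.pem"      # unable to get local issuer certificate
echo "root CA + sub CA:"
verify_gateway "$WORK/cacerts.pem"   # gw.pem: OK
```

With only root.pem trusted, openssl cannot find the issuer of gw.pem (the sub CA) and stops at depth 0 with "unable to get local issuer certificate"; once sub.pem is in the store the chain closes at the root and the verdict is OK. That is the same situation as a *swan gateway whose cacerts directory holds the root but not the sub CA that actually signed the peer's certificate, so the fix is to install every intermediate CA certificate alongside the root rather than to reissue end-entity certificates from the root.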
