[Openswan Users] Problems with cert from sub CA

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Jun 30 22:44:13 CEST 2005

We have been having problems connecting a roadwarrior running 2.6sec
with racoon to a *swan device (CyberGuard SG570) using certificates
issued by sub CAs even if they both use certificates from the same sub
CA.  In other words, our PKI has a root CA which has certified secondary
CAs.  The certs for the user and gateway were issued from these sub CAs.

The errors from the *swan side were not very descriptive -- just a
statement that the certificate was invalid (my apologies but I deleted
the error messages before sending this e-mail).  However, if the *swan
side initiated, we got more descriptive errors on the 2.6sec side.  It
complained about not finding the CA certificate at depth(1).  That gave
us the clue about hierarchy.

We reissued the certs from the root CA and all worked perfectly.  Has
anyone else experienced this? Can anyone explain why it happens? Is it
possible to use *swan with sub CAs?  Thanks - John

John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
