[Openswan Users] multiple root CA
Jorge Daniel Sequeira Matias
martin at andorinha.ist.utl.pt
Tue Oct 4 18:39:03 CEST 2005
On Monday 03 October 2005 17:56, Laurent Jouannic wrote:
> Hi to the forum,
>
> Well, I'm still using freeswan with x509 path and I send my question to
> this forum, because freeswan one is obsolete.
>
> My problem is the following:
>
> My root CA will be soon obsolete and I want to know if it's possible to use
> multiple (in fact 2) root CA in /etc/ipsec.d/cacerts/, during a certain
> time (needed for the transition).
>
> Is it possible?
>
I have tested that setup with openswan a few days ago and it works!

But, for example, if you want to renew a SubCA, from the same root CA, that
certifies your users' certificates, it doesn't work. I have tested this setup
too because my VPN Server certificate is signed by a SubCA. This SubCA is
going to expire. I had to create a new SubCA of the same RootCA.
In this case, as the users' and VPN Server certificates are all "sons" of the
RootCA, Openswan doesn't know how to select the right VPN Server certificate to
send to the user.

I see only one solution for the second scenario problem: install a second
VPN Server with a new IP address.
Does anyone know if it is possible to install 2 openswans on the same machine, each
one listening on a different IP address? This could solve my problem.

My setup is kernel v2.6.11 with a CVS version obtained one or two weeks
after openswan 2.3.1 was released (with some bug fixes).

Best Regards,
Jorge Matias
System Administrator at
Technical University of Lisbon
Instituto Superior Técnico
Centro de Informática