[Openswan Users]

[Paul Wouters]

On Wed, 11 Jan 2006, Janis Daniel Bistevins wrote:

> Jan 11 11:07:31 LINUX-SERVER pluto[20419]: "roadwarrior"[2]
> xxx.xxx.xxx.xxx#1: Main mode peer ID is ID_DER_ASN1_DN: 'C=AR,
> ST=STATE, L=City, O=CAB,
> OU=SIC, CN=user, E=user at domain.com'
> Jan 11 11:07:31 LINUX-SERVER pluto[20419]: "roadwarrior"[2]
> xxx.xxx.xxx.xxx#1: end certificate with identical subject and issuer
> not accepted
> Jan 11 11:07:31 LINUX-SERVER pluto[20419]: "roadwarrior"[2] xxx.xxx.xxx.xxx#1:
> X.509 certificate rejected
> Jan 11 11:07:31 LINUX-SERVER pluto[20419]: "roadwarrior"[2]
> xxx.xxx.xxx.xxx#1: no RSA public key known for 'C=AR, ST=STATE,
> L=City, O=CAB, OU=SIC,
> CN=user, E=user at domain.com'
> Jan 11 11:07:31 LINUX-SERVER pluto[20419]: "roadwarrior"[2]
> xxx.xxx.xxx.xxx#1: sending encrypted notification
> INVALID_KEY_INFORMATION to
> xxx.xxx.xxx.xxx:500
>
> So, what is this "end certificate with identical subject and issuer not
> accepted" ?
> I followed the guide, point by point and I can't figure out what is going
> on.

You have generated a CA with name X. Then you generated a Certificate to be signed
by X, however you also use X in the certificate.

The CN= of your Root CA may not be identical to the CN= of any certificates it signs.
Therefor, you should always include the string "CA" or "Certificate Agency" in the Root
CA's CN=

Paul
> Any help will be appreciated.
>
> Thanks in advance.
>
> Best regards.
>
>
>
> --
>             Janis Bistevins
> >Belief is 9/10 of YOUR reality<
>

-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)