[Openswan Users] end certificate with identical subject and issuer not accepted

Paul Wouters paul at xelerance.com
Fri Nov 24 00:44:29 EST 2006


On Thu, 23 Nov 2006, Albert Chin wrote:

> What does the following mean?
>   002 "tww" #2: Main mode peer ID is ID_FQDN: '@vpn.thewrittenword.com'
>   002 "tww" #2: end certificate with identical subject and issuer not accepted
>   002 "tww" #2: X.509 certificate rejected

The CN= (Common name) of your Certificate Agency (CA) is the same name as
one of its client certificates. This would allow the client to pretend
to be the CA to other clients, and is therefore rejected by Openswan.

Always put the string "CA" in the CN of your CA to prevent this.

> Are self-signed CA certs summarily rejected?

Do not use the CA as client certificate. Only use it for signing client
certificates. Remember that whoever has the CA private key, has full
power to generate more certs, or sign revocations for others. It should
be kept offline, and most certainly should NOT be used in any VPN gateway
itself.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
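The check Openswan applies above, reproduced with openssl as an added example (not Openswan's own code nor anything from this thread): a throwaway CA whose CN carries the string "CA" signs a client certificate, then each certificate is tested the way the gateway does, by comparing its subject DN with its issuer DN. It assumes the openssl command-line tool is installed; all names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: mimic Openswan's "identical subject and issuer" rejection.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CERT="$WORK/ca.pem"          # constructed CA certificate
CLIENT_CERT="$WORK/client.pem"  # constructed client certificate

# Returns 0 when the file is acceptable as an end certificate (subject
# differs from issuer) and 1 when Openswan would reject it.
end_cert_ok() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  # drop the "subject="/"issuer=" labels; the DN formats match otherwise
  [ "${subj#subject=}" != "${iss#issuer=}" ]
}

make_demo_certs() {
  # Self-signed CA; its CN contains "CA" so it cannot collide with a client CN.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=Example VPN CA" \
    -keyout "$WORK/ca.key" -out "$CA_CERT" 2>/dev/null
  # Client certificate signed by that CA, so subject != issuer.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example/CN=vpn.example.test" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$CA_CERT" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$CLIENT_CERT" 2>/dev/null
}

make_demo_certs
for f in "$CLIENT_CERT" "$CA_CERT"; do
  if end_cert_ok "$f"; then echo "accepted: $f"; else echo "rejected: $f"; fi
done
```

Presenting the CA certificate itself as the peer's end certificate is exactly the case the gateway refuses, which is why the reply says to keep the CA for signing only.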


More information about the Users mailing list