[Openswan Users] X509 problem, PAYLOAD_MALFORMED

Jacco de Leeuw jacco2 at dds.nl
Mon Mar 10 10:53:38 EDT 2008


Hideo GOTO wrote:

> While client certificate was correctly installed for the Computer Account,
> CA certificate had been installed only in the User Account.
> 
> XP's certificate utility, while checking a user certificate for the Computer
> account, it looks for the associated CA certificate not only in the Computer
> Account but also in the User account.

I can confirm this and it is true for Vista as well. In Certificate Manager,
if you double click on the personal certificate and the root cert is not
available in the trusted root store, the personal certificate is correctly
listed as untrusted.

But when this root certificate happens to be available in User Account (e.g.
you import the root cert file with Internet Explorer or you double click it
in File Explorer), then the personal certificate is listed as trusted,
for some reason. Nevertheless, this 'trusted' personal certificate cannot
be used for L2TP/IPsec (error 786, "no valid machine certificate"), as
Hideo reports.

This is really weird. Might be a bug in Windows?

> certificate is trustworthy even if it could only find CA cert in the User
> account and not in the Computer one. However, as it was in my case, XP's
> L2TP/IPSec client logically does not accept such a situation.

Thanks for reporting! I have added a note to my webpage about this.

> (We usually do not include CA certificate in user PKCS12 files, since the CA
> certificate normally is already installed for other purposes.)

This would probably be the easiest solution. The user is not prompted when the
root cert already exists, so I don't see much risk in always including the CA
certificate in the PKCS#12 file.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
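The export Jacco suggests, as an added example that is not part of the thread: a PKCS#12 bundle built with the OpenSSL command line that carries the CA certificate alongside the client certificate, so that importing the file into the Computer account store installs both and the chain does not have to be found in the User account. The throwaway CA, the client certificate, the password and the file names are all constructed for the example; a real deployment signs the client certificate with its own CA instead of creating one here. The check function counts the CA certificates OpenSSL finds in the bundle, which is a quick way to see whether a given .p12 was produced with or without the CA.

```shell
#!/bin/sh
# Added example: building a PKCS#12 file that includes the CA certificate,
# and checking whether an existing .p12 contains one. Requires the openssl CLI.
set -e

# Create a throwaway CA and a client certificate signed by it (constructed
# test material only; in practice the CA already exists).
make_test_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=client1" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$dir/client.crt" 2>/dev/null
}

# Export the way the thread recommends: -certfile appends the CA certificate
# to the bundle, so it lands in the same Windows store as the client cert.
export_p12_with_ca() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
    -certfile "$dir/ca.crt" -name "client1" \
    -passout "pass:$pass" -out "$dir/client-with-ca.p12"
}

# Export without the CA (Hideo's original practice), for comparison.
export_p12_without_ca() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
    -name "client1" -passout "pass:$pass" -out "$dir/client-no-ca.p12"
}

# Print how many CA certificates a PKCS#12 file contains. OpenSSL treats the
# certificate matching the private key as the client cert and everything else
# as CA certs, so -cacerts isolates the chain. Prints 0 if there is none.
count_cacerts_in_p12() {
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Stand-alone demo: build both bundles and report the CA count of each.
demo() {
  tmp=$(mktemp -d)
  make_test_pki "$tmp"
  export_p12_with_ca "$tmp" "example-password"
  export_p12_without_ca "$tmp" "example-password"
  echo "with CA:    $(count_cacerts_in_p12 "$tmp/client-with-ca.p12" example-password) CA cert(s)"
  echo "without CA: $(count_cacerts_in_p12 "$tmp/client-no-ca.p12" example-password) CA cert(s)"
  rm -rf "$tmp"
}

demo
```

One caveat for files meant for the Windows versions discussed here: OpenSSL 3.x encrypts PKCS#12 bundles with AES and a SHA-256 MAC by default, which older Windows releases (XP among them) cannot import; adding `-legacy` to `openssl pkcs12 -export` produces the older RC2/3DES format those systems understand.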
