[Openswan Users] Regarding Self Signed ceretificate usage with openswan...
Paul Wouters
paul at xelerance.com
Tue Aug 31 13:07:11 EDT 2010
On Fri, 27 Aug 2010, Somashekar S V (svs) wrote:
>
> Currently we installed openswan version “openswan-2.4.12-32.el4” on our machines and tried to bring up
>
> the IPSEC connection between them using X.509 self signed certificate. However the IKE bring up fails
>
> with the following message
>
> Aug 26 21:41:12 ccm111 authpriv 4 pluto[25840]: "ipsecx509" #11: end certificate with identical subject and issuer not accepted
>
> Aug 26 21:41:12 ccm111 authpriv 4 pluto[25840]: "ipsecx509" #11: X.509 certificate rejected
>
> Does openSWAN rejects self signed x.509 certificates? How to get rid of this issue?
Openswan allows self-signed certs. However, you Certificate Authority ("CA") has the
identical DN as a certificate it signed. This is not allowed as this signed client
certificate could impersonate the "CA". As a rule of thumb, always add "CA" to the
CN= of the Certificate Agency to avoid this exact problem. And do not use the CA itself
as a client certificate on the gateway.
Paul
More information about the Users
mailing list