[Openswan Users] Regarding Self Signed ceretificate usage with openswan...

Paul Wouters paul at xelerance.com
Tue Aug 31 13:07:11 EDT 2010


On Fri, 27 Aug 2010, Somashekar S V (svs) wrote:

> Currently we installed openswan version “openswan-2.4.12-32.el4” on our machines and tried to bring up
> the IPSEC connection between them using X.509 self signed certificate. However the IKE bring up fails
> with the following message
>
> Aug 26 21:41:12 ccm111 authpriv 4 pluto[25840]: "ipsecx509" #11: end certificate with identical subject and issuer not accepted
> Aug 26 21:41:12 ccm111 authpriv 4 pluto[25840]: "ipsecx509" #11: X.509 certificate rejected
>
> Does openSWAN reject self signed x.509 certificates? How to get rid of this issue?

Openswan allows self-signed certs. However, your Certificate Authority ("CA") has the
identical DN as a certificate it signed. This is not allowed as this signed client
certificate could impersonate the "CA". As a rule of thumb, always add "CA" to the
CN= of the Certificate Authority to avoid this exact problem. And do not use the CA itself
as a client certificate on the gateway.

Paul
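The check pluto applies and the layout Paul recommends can be reproduced with openssl. The script below is an added example for this archive page, not code from the thread or from the Openswan project: it builds (1) a lone self-signed certificate, which has identical subject and issuer and so is refused when presented as an end certificate, and (2) a CA whose CN carries "CA" plus a gateway certificate with a distinct DN signed by it, which is accepted and chains to the CA. All DNs, file names and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): demonstrate why pluto logs
# "end certificate with identical subject and issuer not accepted", and the
# CA/end-cert layout that avoids it. Everything below is constructed demo data.
set -eu

WORK=$(mktemp -d)

# Return 0 when a PEM certificate's subject DN equals its issuer DN, i.e. the
# certificate is self-issued. This is exactly what makes pluto reject it as an
# END certificate (a CA cert being self-issued is fine; an end cert is not).
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # strip the "subject=" / "issuer=" prefixes, then compare the DNs
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Mirror pluto's rule for a certificate offered as the gateway's end cert.
end_cert_status() {
    if is_self_issued "$1"; then
        echo "rejected: identical subject and issuer"
    else
        echo "accepted"
    fi
}

# Case 1: a lone self-signed cert used directly as the gateway's end cert.
# Its subject and issuer are the same DN, so pluto refuses it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example/CN=gw1.example.net" \
    -keyout "$WORK/lone.key" -out "$WORK/lone.pem" 2>/dev/null

# Case 2: a dedicated CA whose CN contains "CA" (Paul's rule of thumb),
# signing a gateway cert whose DN differs from the CA's.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example/CN=Example VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example/CN=gw1.example.net" \
    -keyout "$WORK/gw1.key" -out "$WORK/gw1.csr" 2>/dev/null
openssl x509 -req -in "$WORK/gw1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/gw1.pem" 2>/dev/null

# The signed gateway cert chains to the CA; the CA itself must never be
# installed as the gateway's end cert (it would fail the same check as case 1).
openssl verify -CAfile "$WORK/ca.pem" "$WORK/gw1.pem" >/dev/null

echo "lone self-signed cert as end cert: $(end_cert_status "$WORK/lone.pem")"
echo "CA cert used as end cert:          $(end_cert_status "$WORK/ca.pem")"
echo "CA-signed gateway cert:            $(end_cert_status "$WORK/gw1.pem")"
```

Run it with any OpenSSL 1.1.1 or later; the first two lines report the rejection pluto would log, the third reports acceptance. Putting "CA" in the CA's CN is not what the check keys on; what matters is that the end certificate's subject differs from its issuer, and a distinct CN is the simplest way to guarantee that.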

