Riku,

Kindly asking to keep the discussion on the list, thanks.

> Is it so that, if (e.g., server side) ipsec.d/certs folder contains the
> same cert as client side is using as a subject cert, the certificate
> is automatically trusted?

Just having a cert in ipsec.d/certs does not load it implicitly at all.
Specifying such a cert in a left/rightcert on any connection loads that
certificate as trusted, which means no trust chain validation is required
for any user having a private key for it.

Alternatively you may add a trust anchor constraint by setting a rightca.
This ensures that the peer certificate is issued under a specific CA, and
for example not the one you are using to authenticate yourself.

Explicitly setting rightcert requires that the peer authenticates with a
private key for exactly that certificate specified.

Regards
Martin

_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev
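The two authentication constraints Martin describes, side by side in ipsec.conf form. This is an added illustration, not part of Martin's message or of the strongSwan documentation; the file names (serverCert.pem, clientCert.pem), the identities and the CA distinguished name are assumptions chosen for the example.

```ini
# Pinned-peer variant: the peer must authenticate with the private key
# belonging to exactly the certificate named in rightcert. Naming it there
# is what loads it as trusted; sitting in /etc/ipsec.d/certs alone does
# nothing, and no chain validation against any CA is performed for it.
conn pinned-peer
    keyexchange=ikev2
    left=%any
    # our own certificate, read from /etc/ipsec.d/certs (assumed file name)
    leftcert=serverCert.pem
    leftid=@vpn.example.org
    right=%any
    # the exact peer certificate, also from /etc/ipsec.d/certs (assumed)
    rightcert=clientCert.pem
    rightid=@client.example.org
    auto=add

# Trust-anchor variant: any peer certificate that chains to the named CA is
# accepted. CA certificates are loaded from /etc/ipsec.d/cacerts; rightca
# restricts which of them may have issued the peer certificate, so a cert
# issued by the CA that signed our own serverCert.pem is rejected here.
# (rightca=%same would instead demand the same CA as our own certificate.)
conn ca-constrained
    keyexchange=ikev2
    left=%any
    leftcert=serverCert.pem
    leftid=@vpn.example.org
    right=%any
    rightid=%any
    # assumed DN of a separate client-issuing CA
    rightca="C=CH, O=Example, CN=Example Client CA"
    auto=add
```

After `ipsec reload`, `ipsec listcerts` and `ipsec listcacerts` show which end-entity and CA certificates the daemon actually holds, which is the quickest way to confirm that a file dropped into ipsec.d/certs was or was not picked up by a leftcert/rightcert reference.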
