On Sep 1, 2023, at 14:53, Nels Lindquist <[email protected]> wrote:
> 
> I noted in a previous email thread that newer versions do more stringent 
> certificate validating; the endpoint which is failing is version 4.7. Clients 
> are Windows, btw.

Windows checks its own certificate chain validity and if not valid won’t use 
the certificate. Apple products just use their end certificate and as long as 
they can validate the server cert, they don’t care about the client cert not 
having a valid path.

> Is what I'm trying to do even possible with later versions? What attributes 
> of the CA certificate are being used to validate the chain?

Not with Windows, they need a new valid PKCS12 certificate bundle.

Note for the server you can use a LetsEncrypt certificate and it will validate 
for the clients. You don’t have to have the same CA for both ends.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
