On Jan 16, 2024, at 13:51, Marc <[email protected]> wrote:
>
> Working with the CA of the example on this page[1]
>
> certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" \
>   -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2
>
> certs xxx.example.com are accepted however aaa.bbbb.example.com seem to be
> rejected.

Why? Did you specify constraints in the rightid= ?

> This is not really logged, is it possible to have this logged?

Can you show the full log of what you see? All rejections are logged.

Paul

>
> in ipsec.conf
>
> right=%any
> rightid=%fromcert
> rightca="Example CA"
> rightxauthclient=yes
>
> test2:/etc/ipsec.d# certutil -L -d sql:/var/lib/ipsec/nss
>
> Certificate Nickname                                          Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
>
> ZeroSSL ECC Domain Secure Site CA - The USERTRUST Network     CT,,
> USERTrust ECC Certification Authority - Comodo CA Limited     CT,,
> Example CA                                                    CTu,u,u
>
> [1] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
