Thanks Andreas for the reply. I have tried generating certificates without the
e-mail ID RDN and it works. I will try generating a new certificate with the CN
and emailAddress RDNs separated.

If CN=AXC\ODC ROOT/#12345, will this give a problem because of the "/"
separator? If yes, is it possible to get a workaround for this from the
strongSwan side?

Thanks & Regards,
Ashish

On Wed, Dec 30, 2009 at 4:52 AM, Andreas Steffen <[email protected]> wrote:

> Dear Ashish,
>
> If you write
>
>   rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM/[email protected]"
>
> then this ASCII string is converted into the following ASN.1
> representation
>
>   C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM, [email protected]
>
> because both the ',' and '/' characters are recognized as an
> RDN separator:
>
>   openssl x509 -in cert.pem -subject -noout
>
> generates
>
>   subject=/C=IN/ST=KAR/O=XXXXX/OU=XXXX/CN=FTM/[email protected]
>
> Unfortunately in the certificate the emailAddress got coded right into
> the Common Name:
>
>   CN=FTM/[email protected]
>
> as the ASN.1 parsing clearly shows. This single CN RDN is not equal to
>
>   CN=FTM, [email protected]
>
> which consists of a CN RDN followed by an emailAddress RDN.
>
> So please generate a new certificate with separate CN and emailAddress
> RDNs, or even better just omit the emailAddress in the subject DN
> because this is bad practice anyway.
>
> Best regards
>
> Andreas
>
> Andreas Steffen wrote:
> > Dear Ashish,
> >
> > there is an error in the rightid definition. The correct syntax is
> >
> >   rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM, [email protected]"
> >
> > OpenSSL glues the email attribute with a slash right after the CN
> > but it should be separated by a comma.
> >
> > Regards
> >
> > Andreas
> >
> > ashish mahalka wrote:
> >> Hello Andreas,
> >>
> >> I am getting an INVALID_ID_INFORMATION error with the certificate that I
> >> am using (the certificate is attached to this mail). From this error,
> >> I understand that the subject of the certificate is not in the correct
> >> format.
> >> When I give the format as C=, ST=, O=, OU=, CN= it works, but when the
> >> format is (as mentioned in the certificate), it gives this error. The
> >> pluto logs on both the peers are also attached. Below is the ipsec.conf
> >> file that I am using:
> >>
> >> config setup
> >>     strictcrlpolicy=no
> >>     plutodebug=all
> >>     plutostart=yes
> >>     charonstart=yes
> >>     charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, lib 2"
> >>     nat_traversal=no
> >>
> >> ca ipsec
> >>     cacert=cacert.pem
> >>     auto=add
> >>
> >> conn %default
> >>     ikelifetime=24h
> >>     keylife=10m
> >>     rekeymargin=2m
> >>     keyingtries=1
> >>     keyexchange=ikev1
> >>     mobike=no
> >>
> >> conn host-host
> >>     left=10.10.10.5
> >>     leftsubnet=10.10.10.0/24
> >>     leftcert=cert.pem
> >>     leftsendcert=always
> >>     right=10.10.10.2
> >>     rightsubnet=10.10.10.0/24
> >>     rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM/[email protected]"
> >>     auto=add
> >>
> >> (To maintain confidentiality, I have masked the actual values, though
> >> you can see the actual values in the logs and the certificate)
> >>
> >> Thanks & Regards,
> >> Ashish
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
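The mismatch Andreas describes, as an added example that is not part of the thread and not strongSwan's or OpenSSL's own code: a minimal model of a textual-DN parser that treats both ',' and '/' as RDN separators (as the thread says strongSwan does for rightid), beside a small DER encoder/decoder for an X.501 Name, so the two certificate subjects can be compared RDN by RDN. The e-mail address ftm@example.com and the two subject encodings are constructed for the example (the thread's values were masked), and the escape behaviour of the real parser is not modelled.

```python
import re

# Attribute types used in the thread, mapped to their X.500 / PKCS#9 OIDs.
OIDS = {
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
    "emailAddress": "1.2.840.113549.1.9.1",
}
NAMES = {oid: name for name, oid in OIDS.items()}


def parse_dn_string(text):
    """Split a textual DN into (type, value) pairs.

    Models the behaviour described in the thread: ',' and '/' are both RDN
    separators, so "CN=FTM/emailAddress=x" yields two RDNs. No escaping is
    modelled (assumption), so a '/' inside a value is split as well.
    """
    rdns = []
    for part in re.split(r"[,/]", text):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        typ, val = (s.strip() for s in part.split("=", 1))
        if typ not in OIDS:
            raise ValueError("unknown attribute type: %r" % typ)
        rdns.append((typ, val))
    return rdns


# --- minimal DER for Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value } ---

def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)


def encode_name(rdns):
    """DER-encode (type, value) pairs; emailAddress is IA5String, the rest UTF8String."""
    seq = b""
    for typ, val in rdns:
        string_tag = 0x16 if typ == "emailAddress" else 0x0C
        atv = _tlv(0x30, _oid(OIDS[typ]) + _tlv(string_tag, val.encode()))
        seq += _tlv(0x31, atv)           # each RDN is a SET with one attribute
    return _tlv(0x30, seq)


def _read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Decode a DER Name back into (type, value) pairs, one per RDN."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = _read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(set_body, 0)
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        dotted = _decode_oid(oid)
        rdns.append((NAMES.get(dotted, dotted), val.decode()))
    return rdns


def dn_matches_certificate(id_string, subject_der):
    """An ID matches only if its RDN list equals the certificate subject's RDN list."""
    return parse_dn_string(id_string) == decode_name(subject_der)


# Constructed subjects: email glued into the CN (one RDN) vs. a separate RDN.
BASE = [("C", "IN"), ("ST", "KAR"), ("O", "XXXXX"), ("OU", "XXXX")]
MISCODED_SUBJECT = encode_name(BASE + [("CN", "FTM/emailAddress=ftm@example.com")])
CORRECT_SUBJECT = encode_name(BASE + [("CN", "FTM"), ("emailAddress", "ftm@example.com")])
RIGHTID = "C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM/emailAddress=ftm@example.com"

if __name__ == "__main__":
    print("parsed rightid:", parse_dn_string(RIGHTID))
    print("miscoded cert :", decode_name(MISCODED_SUBJECT))
    print("match miscoded:", dn_matches_certificate(RIGHTID, MISCODED_SUBJECT))
    print("match correct :", dn_matches_certificate(RIGHTID, CORRECT_SUBJECT))
```

Run stand-alone, the script shows the rightid string splitting into six RDNs while the miscoded certificate carries five, the last being the single CN value "FTM/emailAddress=ftm@example.com"; only the certificate with a separate emailAddress RDN compares equal. With this separator model, a value such as Ashish's "AXC\ODC ROOT/#12345" is also split at the '/' and the remainder "#12345" is rejected for lacking an '='; whether the real parser honours a backslash escape is not answered in the thread, so the safe course is the one Andreas gives, keep '/' (and ',') out of DN values and leave emailAddress out of the subject.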
