Thanks Andreas for the reply. I have tried generating certificates without
the e-mail id RDN and it works.
I will try generating a new certificate with the CN and email RDNs separated.

If    *CN=AXC\ODC ROOT/#12345*
will this give a problem because of the "/" separator?
If yes, is it possible to get a workaround for this from the strongSwan side?

Thanks & Regards,
Ashish.

On Wed, Dec 30, 2009 at 4:52 AM, Andreas Steffen <[email protected]> wrote:

> Dear Ashish,
>
> If you write
>
> rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX,
>         CN=FTM/[email protected]"
>
> then this ASCII string is converted into the following ASN.1
> representation
>
>        C=IN, ST=KAR, O=XXXXX, OU=XXXX,
>        CN=FTM, [email protected]
>
> because both the ',' and '/' character are recognized as an
> RDN separator:
>
> openssl x509 -in cert.pem -subject -noout generates
>
> subject=/C=IN/ST=KAR/O=XXXXX/OU=XXXX/CN=FTM/emailAddress=
> [email protected]
>
> Unfortunately in the certificate the emailAddress got coded right into
> the Common Name:
>
>  CN=FTM/[email protected]
>
> as the ASN.1 parsing clearly shows. This single CN RDN is not equal to
>
>  CN=FTM, [email protected]
>
> which consists of a CN RDN followed by an emailAddress RDN.
>
> So please generate a new certificate with separate CN and emailAddress
> RDNs or even better just omit the emailAddress in the subject DN
> because this is bad practice anyway.
>
> Best regards
>
> Andreas
>
> Andreas Steffen wrote:
> > Dear Ashish,
> >
> > there is an error in the rightid definition. The correct syntax is
> >
> > rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM,
> >          [email protected]"
> >
> > OpenSSL glues the email attribute with a slash right after the CN
> > but it should be separated by a comma.
> >
> > Regards
> >
> > Andreas
> >
> > ashish mahalka wrote:
> >> Hello Andreas,
> >>
> >> I am getting an INVALID_ID_INFORMATION error with the certificate that I
> >> am using. (the certificate is attached with this mail). From this error,
> >> I understand that the subject of the certificate is not in the correct
> >> format.
> >> When I give the format as C=, ST=, O=, OU=, CN= it works but when the
> >> format is (as mentioned in the certificate), it gives this error. The
> >> pluto logs on both the peers are also attached. Below is the ipsec.conf
> >> file that I am using :-
> >>
> >> config setup
> >>         strictcrlpolicy=no
> >>         plutodebug=all
> >>         plutostart=yes
> >>         charonstart=yes
> >>         charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2,
> >> net 2, lib 2"
> >>         nat_traversal=no
> >>
> >> ca  ipsec
> >>        cacert=cacert.pem
> >>        auto=add
> >>
> >> conn %default
> >>         ikelifetime=24h
> >>         keylife=10m
> >>         rekeymargin=2m
> >>         keyingtries=1
> >>         keyexchange=ikev1
> >>         mobike=no
> >>
> >>
> >> conn host-host
> >>        left=10.10.10.5
> >>        leftsubnet=10.10.10.0/24
> >>        leftcert=cert.pem
> >>        leftsendcert=always
> >>        right=10.10.10.2
> >>        rightsubnet=10.10.10.0/24
> >>        rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX,
> >> CN=FTM/[email protected]"
> >>        auto=add
> >>
> >> ( To maintain confidentiality, I have masked the actual values, though
> >> you can see the actual values in the logs and the certificate)
> >>
> >> Thanks & Regards,
> >> Ashish
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
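The mismatch Andreas describes (both ',' and '/' act as RDN separators when a rightid= string is parsed, so a '/' that is literally part of a CN value in the certificate ends up splitting the identity into two RDNs that the single CN in the certificate can never equal) can be reproduced without a real certificate. The following is an added example, not strongSwan's own parser and not code from anyone in the thread: it models the separator rule exactly as stated above, compares the parsed identity RDN by RDN against a subject DN as the ASN.1 decoder would deliver it, and then applies the same rule to Ashish's second CN. The e-mail address, the cert subjects, the `E`/`Email` aliases for `emailAddress` and the decision to reject a fragment with no `=` in it are all the example's own assumptions, not documented strongSwan behaviour.

```python
"""Model of the ID-string parsing rule discussed in the thread:
',' and '/' both terminate an RDN value and there is no escaping,
so a '/' inside a value cuts that value in two.
Added illustration only; this is NOT strongSwan's identification.c."""

import re
from typing import List, Tuple

RDN = Tuple[str, str]

# Assumption: short names some tools print for emailAddress; normalised so
# "E=..." and "emailAddress=..." compare equal.
ALIASES = {"E": "emailAddress", "EMAIL": "emailAddress"}


def parse_id_string(text: str) -> List[RDN]:
    """Split an ID string (e.g. a rightid= value, or OpenSSL's one-line
    '/C=../CN=..' subject) into (type, value) RDNs using the rule from the
    thread: both ',' and '/' are separators, no escaping."""
    text = text.strip()
    if text.startswith("/"):            # OpenSSL one-line format starts with '/'
        text = text[1:]
    rdns: List[RDN] = []
    for piece in re.split(r"[,/]", text):
        piece = piece.strip()
        if not piece:
            continue
        if "=" not in piece:
            # Example's own choice: a fragment without an attribute type is
            # almost always a value that got cut at ',' or '/'.
            raise ValueError(f"fragment {piece!r} has no attribute type; "
                             "it was probably split off a value by ',' or '/'")
        attr, value = piece.split("=", 1)
        attr = attr.strip()
        rdns.append((ALIASES.get(attr.upper(), attr), value.strip()))
    return rdns


def dn_matches(cert_subject: List[RDN], id_string: str) -> bool:
    """Compare the DN as encoded in the certificate (already an RDN list, as
    the ASN.1 decoder yields it) with the DN the ID string parses to.
    Same number of RDNs, same type and value in each position."""
    wanted = parse_id_string(id_string)
    if len(cert_subject) != len(wanted):
        return False
    return all(a == b for a, b in zip(cert_subject, wanted))


# Constructed sample data (the thread's real address is redacted).
# BROKEN: the slash and the e-mail were coded into the CN itself -> 5 RDNs.
BROKEN_CERT_SUBJECT: List[RDN] = [
    ("C", "IN"), ("ST", "KAR"), ("O", "XXXXX"), ("OU", "XXXX"),
    ("CN", "FTM/emailAddress=ftm@example.com"),
]
# GOOD: separate CN and emailAddress RDNs -> 6 RDNs.
GOOD_CERT_SUBJECT: List[RDN] = BROKEN_CERT_SUBJECT[:4] + [
    ("CN", "FTM"), ("emailAddress", "ftm@example.com"),
]
RIGHTID = "C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM/emailAddress=ftm@example.com"


def demo() -> dict:
    """Run the comparison both ways so the result can be inspected."""
    return {
        "parsed_rightid": parse_id_string(RIGHTID),
        "matches_broken_cert": dn_matches(BROKEN_CERT_SUBJECT, RIGHTID),
        "matches_good_cert": dn_matches(GOOD_CERT_SUBJECT, RIGHTID),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
    # Ashish's second CN: under the same rule the '/' splits the value and
    # "#12345" is left with no attribute type at all.
    try:
        parse_id_string(r"CN=AXC\ODC ROOT/#12345")
    except ValueError as err:
        print("CN containing '/':", err)
```

Running it shows the rightid parsing to six RDNs ending in `('CN', 'FTM'), ('emailAddress', ...)`, which matches the certificate with separate RDNs and not the one whose CN carries the slash; the second CN fails to parse at all, which is the practical answer to whether a '/' inside a value is safe under this rule. The real check on a certificate is `openssl x509 -in cert.pem -subject -noout -nameopt RFC2253`, which prints the subject comma-separated with RDN-internal special characters escaped, so a CN that really contains a slash is visible as such instead of being indistinguishable from a separator in the legacy one-line output.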
