ABULIUS, MUGUR (MUGUR) wrote:
>> If rightca is specified then we only request certificates issued by rightca.
>> Otherwise we send certificate requests for all CAs contained in
>> /etc/ipsec.d/cacerts/
>
> If "rightca=" is specified, then is it required that a certificate matching
> the specified DN be present locally in "/etc/ipsec.d/cacerts/"?
>

Yes, since RFC 4306 defines that the SHA-1 hash over the publicKeyInfo of the CA certificate is sent in the CERTREQ payload, we must look up the CA certificate based on the distinguished name and compute the hash.

> Best regards
> Mugur

Best regards

Andreas

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
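
The hash computation described in the reply above, as an added example that is not part of the original message and is not strongSwan code: it extracts the subjectPublicKeyInfo element from a DER-encoded CA certificate and builds the CERTREQ payload data (the bytes after the generic payload header) as defined in RFC 4306. The function names are hypothetical, the CA certificates are assumed to be already loaded as DER bytes, and the sample certificate is a constructed DER skeleton with dummy key bytes.

```python
import hashlib

def read_tlv(buf, off):
    """Parse the DER TLV at buf[off]; return (tag, value_start, end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_der(cert):
    """Return the full subjectPublicKeyInfo element (tag, length, value) of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)           # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, pos)   # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                         # explicit [0] version, absent in v1 certificates
        pos = end
    for _field in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert[pos:end]

def certreq_data(ca_certs, encoding=4):
    """Cert Encoding octet (4 = X.509 Certificate - Signature) + one SHA-1(SPKI) per CA."""
    return bytes([encoding]) + b"".join(hashlib.sha1(spki_der(c)).digest() for c in ca_certs)

# --- constructed sample input: a DER skeleton with dummy key bytes, not a real CA ---
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
SAMPLE_SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + b"\x5a" * 140))
def sample_ca(v3=True):
    version = tlv(0xA0, tlv(0x02, b"\x02")) if v3 else b""
    empty = tlv(0x30, b"")                  # stand-in for issuer, validity and subject
    tbs = tlv(0x30, version + tlv(0x02, b"\x01") + ALG + empty * 3 + SAMPLE_SPKI)
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00"))
```

Each trusted CA contributes exactly 20 bytes, so a peer can match a received CERTREQ against its own CA certificates by hashing their subjectPublicKeyInfo the same way.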
