Hi,

> Concerning strongSwan configuration I intend to put all the chain of
> certificates concerning a remote SEG in a separate "cacert" directory
> (specified with a "ca" section). E.g. /etc/ipsec.d/cacert1 and
> /etc/ipsec.d/cacert2. I don't intend to use "/etc/ipsec.d/certs".
>
> * Is this a correct configuration for strongSwan?

Usually you don't mix up CA and peer certificates. CA and intermediate
certificates go to /etc/ipsec.d/cacerts, peer certificates in
/etc/ipsec.d/certs. All certificates in the cacerts directory are loaded
automatically, while peer certificates must be specified with leftcert=.
To specify CA certificates outside of cacerts, use "ca" sections (man
ipsec.conf).

> * Does strongSwan accept sub-directories in 'cacert1' and 'cacert2'
> (empty or not)?

What do you mean by accept?

> * Does strongSwan look (by default) for certificates also in the
> sub-directories created in 'cacert1' and 'cacert2'?

No, it only loads certificates directly found in the default cacert dir.
Other certificates must be specified with a dedicated "ca" section.

> * It may be possible that the certificates from 'cacert1' and 'cacert2'
> are identical (but probably not their file names), except for the local
> certificates, which are always different. Is this configuration valid
> for strongSwan?

Certificates get compared during startup; identical certificates get
discarded.

Regards
Martin

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
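The layout Martin describes, written out as an added ipsec.conf example (not from the thread or the strongSwan project): CA and intermediate certificates for the remote SEG live outside the default cacerts directory and are registered through one "ca" section per file, while the local peer certificate stays in /etc/ipsec.d/certs and is named with leftcert=. The section names, file names, the 192.0.2.1 address and the DNs are placeholders.

```ini
# ipsec.conf (added example, placeholder names and paths)
#
# A "ca" section points at exactly one certificate file, so each
# certificate of the remote chain gets its own section. Relative
# cacert= paths are resolved under /etc/ipsec.d/cacerts; absolute
# paths, as here, can live anywhere. Certificates in the default
# /etc/ipsec.d/cacerts directory need no section at all.

ca seg1-root
    cacert=/etc/ipsec.d/cacert1/root.pem
    auto=add

ca seg1-intermediate
    cacert=/etc/ipsec.d/cacert1/intermediate.pem
    auto=add

# A second chain kept in its own directory. If a file here is
# byte-identical to one already loaded, strongSwan discards the
# duplicate at startup, so overlapping chains are harmless.
ca seg2-root
    cacert=/etc/ipsec.d/cacert2/root.pem
    auto=add

conn seg1
    # Local end: peer certificate from /etc/ipsec.d/certs (relative
    # leftcert= paths are resolved under that directory).
    left=%defaultroute
    leftcert=localCert.pem
    leftid=%fromcert
    # Remote end: accept only certificates issued under the SEG's CA.
    right=192.0.2.1
    rightid="C=XX, O=Example SEG, CN=seg1.example.invalid"
    rightca="C=XX, O=Example SEG, CN=Example SEG Root CA"
    auto=add
```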
