Thanks Tobias, but how can I add the X509v3 Authority Key Identifier extension to my CRLs? Please help.
my openssl.cnf
------------------------------------------------------
[ server ]
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth, serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName=DNS:lag2.igvpn.com
keyUsage = digitalSignature, keyEncipherment

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
------------------------------------------------------

--
Best Regards
Jacky

-----Original Message-----
From: Tobias Brunner [mailto:[email protected]]
Sent: Thursday, July 28, 2011 5:30 PM
To: Jacky.He
Cc: [email protected]
Subject: Re: [strongSwan] Help, charon: 03[CFG] issuer of fetched CRL does not match CRL issuer

Hi,

> Jul 23 12:41:28 lag3 charon: 03[CFG] issuer of fetched CRL 'C=US, ST=CO,
> L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]' does not match
> CRL issuer '9b:00:ad:ef:3d:af:74:3b:72:6e:28:33:f5:33:4a:6a:e8:77:2e:bb'

It seems your CA certificate contains the X509v3 Subject Key Identifier extension which in turn means your CRL has to contain the X509v3 Authority Key Identifier extension. Otherwise charon won't be able to match the two.

Regards,
Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
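A worked check for the point Tobias makes and the question Jacky asks, added here as an example and not code from either poster or from the strongSwan project: a throwaway CA whose certificate carries a Subject Key Identifier signs two CRLs, one with a `[ crl_ext ]` section applied and one without, and the CRL's Authority Key Identifier is compared with the CA's SKI the way charon must match them. Note that a `[ crl_ext ]` section only takes effect when something references it, either `crl_extensions = crl_ext` in the CA section of openssl.cnf or `-crlexts crl_ext` on the `openssl ca -gencrl` command line; the script uses the latter. The working directory, file names and the minimal config are assumptions for this demo.

```shell
#!/bin/sh
# Added example: CA with an SKI, then a CRL without and a CRL with [ crl_ext ],
# and a comparison of the CRL's AKI against the CA's SKI (what charon needs to agree).
# WORK, file names and the config below are demo assumptions, not Jacky's real setup.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
write_config() {
  cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/index.txt
serial = $WORK/serial
default_md = sha256
default_crl_days = 30
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
EOF
  : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
}
make_ca_and_crls() {
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/openssl.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Same CA, same config: only the -crlexts reference decides whether the CRL carries an AKI.
  openssl ca -gencrl -config "$WORK/openssl.cnf" -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
    -out "$WORK/no_aki.crl" 2>/dev/null
  openssl ca -gencrl -config "$WORK/openssl.cnf" -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
    -crlexts crl_ext -out "$WORK/with_aki.crl" 2>/dev/null
}
# Key identifier in the CA certificate; the CRL must name the same value.
ca_ski() { openssl x509 -in "$WORK/ca.crt" -noout -text |
  awk '/Subject Key Identifier/ { getline; sub(/^ */, ""); print; exit }'; }
# Key identifier the CRL points at, empty if the extension is missing ("keyid:" prefix stripped).
crl_aki() { openssl crl -in "$WORK/$1" -noout -text |
  awk '/Authority Key Identifier/ { getline; sub(/^ */, ""); sub(/^keyid:/, ""); print; exit }'; }
make_ca_and_crls
printf 'CA SKI: %s\nCRL without crlexts, AKI: [%s]\nCRL with crlexts, AKI: %s\n' \
  "$(ca_ski)" "$(crl_aki no_aki.crl)" "$(crl_aki with_aki.crl)"
```

The first CRL prints an empty AKI, which is the situation charon reports as "issuer of fetched CRL ... does not match CRL issuer"; the second prints the CA's own key identifier.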
