Tobias, perfect, great explanation. The "rightca=@#<hex SHA1 hash>" worked great for me.

Thank you,
~Mark

On Mon, May 5, 2014 at 6:53 AM, Tobias Brunner <[email protected]> wrote:
> Hi Mark,
>
> > 17:03:45 06[CFG] CA certificate "C=US, O=Entrust, Inc.,
> > OU=www.entrust.net/rpa is incorporated by
> > reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority
> > - L1C" not found, discarding CA constraint
>
> That's due to a limitation of the DN string parser: it can't handle
> commas in RDNs (which are already separated with commas).
>
> According to RFC 4514 [1] commas could be escaped with backslashes in
> string representations (e.g. "O=Entrust\, Inc.") but strongSwan
> currently doesn't support such escape sequences either.
>
> And because the parser supports an alternative encoding that uses
> slashes to separate RDNs (e.g. "/C=US/O=Entrust, Inc./OU=..."), but
> currently handles commas and slashes interchangeably, the slash in the
> URL in the first OU RDN triggers the same issue.
>
> We could easily change the parser so it uses either commas or slashes
> (if the string starts with a slash) as separator in one DN. But this
> would only help if you could get rid of either the slash or the commas.
> Otherwise, a bigger change in the parser would be required (e.g. adding
> support for escape sequences).
>
> Fortunately there is a simple workaround for this. You can use key IDs
> instead of DNs to identify the CA. Something like rightca=@#<hex> where
> <hex> is the hex encoded SHA1 hash of either subjectPublicKey or
> subjectPublicKeyInfo of your CA certificate. You can determine those
> with pki --print. The hash over the subjectPublicKey is also encoded in
> certificates issued by the pki utility, as subjectKeyIdentifier
> extension, and also as authorityKeyIdentifier extension in end-entity
> certificates issued by a CA.
>
> Regards,
> Tobias
>
> [1] http://tools.ietf.org/html/rfc4514#section-3
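An added illustration of the parsing behaviour Tobias describes (this is not strongSwan code and strongSwan does not do this): an RDN splitter that honours RFC 4514 backslash escapes in the comma form and also accepts the leading-slash form, in which '/' is the separator and commas are literal. With it, the Entrust DN from the log line splits correctly in either form. Only the simple "\x" escape is handled; RFC 4514 hex escapes such as "\2C" and the other special characters are not, and the function name split_dn is my own.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan: split a string DN
# into its RDNs while respecting backslash escapes, so that "O=Entrust\, Inc."
# stays one RDN. A leading "/" switches to the OpenSSL-style slash form.
set -eu

split_dn() {
  printf '%s\n' "$1" | awk '
  {
    s = $0; sep = ","
    # Slash form: "/" separates RDNs and commas carry no special meaning.
    if (substr(s, 1, 1) == "/") { sep = "/"; s = substr(s, 2) }
    rdn = ""
    for (i = 1; i <= length(s); i++) {
      c = substr(s, i, 1)
      if (c == "\\" && i < length(s)) {
        # Escaped character: keep the next character literally, whatever it is.
        i++; rdn = rdn substr(s, i, 1)
      } else if (c == sep) {
        sub(/^ +/, "", rdn); print rdn; rdn = ""   # optional space after separator
      } else {
        rdn = rdn c
      }
    }
    sub(/^ +/, "", rdn); print rdn
  }'
}

# The DN from the log line, first as an RFC 4514 string with the comma inside
# the O RDN escaped, then in the slash form with the URL slash escaped.
split_dn 'C=US, O=Entrust\, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust\, Inc., CN=Entrust Certification Authority - L1C'
echo ---
split_dn '/C=US/O=Entrust, Inc./OU=www.entrust.net\/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C'
```

Each call prints five RDNs, one per line, with the commas in "Entrust, Inc." and the slash in the URL preserved. A parser that splits on every comma, or treats commas and slashes interchangeably, yields six or more fragments for the same input, which is exactly why the configured CA DN never matched the certificate's subject.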
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
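The workaround Tobias gives, carried through with openssl instead of pki --print, as an added example that is not part of the thread or of strongSwan: compute the SHA-1 over the CA's subjectPublicKey (the RFC 5280 method-1 subjectKeyIdentifier) and over the whole subjectPublicKeyInfo, confirm the first one against the subjectKeyIdentifier extension the certificate carries, and emit the rightca=@# line. The throwaway self-signed CA is constructed here so the script runs offline; the function names are my own, and the subjectPublicKey step uses openssl's RSAPublicKey output, which is the BIT STRING payload only for RSA keys.

```shell
#!/bin/sh
# Added example (not strongSwan's code): derive the two key IDs that
# rightca=@#<hex> accepts from a CA certificate, using openssl 1.1.1+.
set -eu

# Constructed input: a throwaway self-signed CA with a comma in its O RDN,
# so the script runs offline. In practice point at the real CA certificate.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/C=US/O=Example, Inc./CN=Example Root CA' \
    -addext 'subjectKeyIdentifier=hash' \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Lower-case hex SHA-1 of stdin.
sha1_hex() { openssl dgst -sha1 | sed 's/^.*= *//'; }

# SHA-1 over the DER SubjectPublicKeyInfo (AlgorithmIdentifier + key bits).
spki_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | sha1_hex
}

# SHA-1 over subjectPublicKey only, i.e. the BIT STRING payload inside the
# SPKI. For RSA that payload is the PKCS#1 RSAPublicKey structure, which
# openssl can emit directly. This is what subjectKeyIdentifier=hash encodes.
subject_public_key_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl rsa -pubin -RSAPublicKey_out -outform DER 2>/dev/null | sha1_hex
}

# The subjectKeyIdentifier the certificate itself carries, for comparison.
ski_from_cert() {
  openssl x509 -in "$1" -noout -ext subjectKeyIdentifier \
    | sed -n '2s/[ :]//gp' | tr 'A-F' 'a-f'
}

# The ipsec.conf setting from the thread; either hash is accepted there,
# this emits the subjectPublicKey one so it also matches the SKI/AKI values.
rightca_line() { printf 'rightca=@#%s\n' "$(subject_public_key_hash "$1")"; }

demo() {
  dir=$(mktemp -d)
  make_test_ca "$dir"
  echo "subjectPublicKeyInfo hash: $(spki_hash "$dir/ca.pem")"
  echo "subjectPublicKey hash:     $(subject_public_key_hash "$dir/ca.pem")"
  echo "SKI extension in cert:     $(ski_from_cert "$dir/ca.pem")"
  rightca_line "$dir/ca.pem"
  rm -rf "$dir"
}

demo
```

The second and third lines of the output agree, which is the check worth doing before pasting the value into ipsec.conf: if they differ, you hashed the wrong structure (for EC keys, strip the BIT STRING header from the SPKI DER instead of using the RSAPublicKey form). The subjectPublicKeyInfo hash is a different value; strongSwan accepts either, but only the subjectPublicKey one is what you will see as authorityKeyIdentifier in the end-entity certificates the CA issues.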
