Hi Shea,

concatenating multiple certificates into a single PEM file is not supported by strongSwan. You could import the user certificate, the corresponding private key and the trust chain via a key file in PKCS#12 format as in the following example:

http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.secrets

The user certificate and any intermediate certificates will be sent to the peer via the IKE protocol. In ipsec.conf you don't need a leftcert parameter. Just indicate leftid so that the matching user certificate can be found.

http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.conf

Best regards

Andreas

On 09/24/2014 10:14 PM, Shea Levy wrote:
> Hi all,
>
> I have the setup described at [1] working currently.
> shea-intermediate.crt is signed by zalora-ca.crt, and each machine's
> cert in /etc/x509 is signed by and concatenated with
> shea-intermediate.crt. If I remove the 'ca inter' section from each
> config, I get:
>
>> no issuer certificate found for "C=SG, ST=Singapore, O=Zalora, OU=DevOps,
>> CN=strongswan-ebc130d19292466287791571653eac79, [email protected]"
>
> Is there any way to get this to work without each machine needing to
> know about the intermediate CAs that may be used by the others? Since
> the intermediate CA is signed by the root CA and bundled with the
> end-user CA, it seems like it shouldn't be necessary...
>
> ~Shea
>
> [1]: https://gist.github.com/shlevy/99c8008c9b0043bc4afc

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
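As an added example (not from this thread or from the strongSwan project), the following shell script builds the kind of PKCS#12 container the reply recommends with the openssl CLI: a constructed root CA, intermediate CA and host certificate, bundled with the host key so the intermediate travels inside the container, then checked for completeness. The host name moon, the CA names and the passphrase are all constructed test values.

```shell
# Added example: package host cert + key + intermediate/root chain into one
# PKCS#12 file. Assumes the openssl CLI; all PKI material below is constructed.
set -e
WORK=$(mktemp -d)
PASS=${P12_PASS:-changeit}   # constructed passphrase for the test bundle

mkcsr() {  # $1 = file stem, $2 = CN; new key + CSR under $WORK
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Constructed test PKI: root CA -> intermediate CA -> host certificate.
gen_chain() {
  mkcsr root "Example Root CA"
  mkcsr inter "Example Intermediate CA"
  mkcsr moon "moon.example.invalid"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/root.crt" -days 30 >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" -days 30 >/dev/null 2>&1
  openssl x509 -req -in "$WORK/moon.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -out "$WORK/moon.crt" -days 30 >/dev/null 2>&1
}

# Key, host cert and the whole chain go into a single container; the chain is
# passed via -certfile (a multi-cert PEM is fine as input to openssl pkcs12).
bundle_p12() {
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.crt"
  openssl pkcs12 -export -inkey "$WORK/moon.key" -in "$WORK/moon.crt" \
    -certfile "$WORK/chain.crt" -name moon -out "$WORK/moon.p12" -passout "pass:$PASS"
}

# Check that all three certificates really are inside the container.
count_p12_certs() {
  openssl pkcs12 -in "$WORK/moon.p12" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Confirm the host cert chains to the root through the bundled intermediate.
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    "$WORK/moon.crt" >/dev/null 2>&1 && echo yes || echo no
}
gen_chain
bundle_p12
echo "certificates in moon.p12: $(count_p12_certs)"   # 3
echo "host cert chains to root: $(chain_ok)"          # yes
```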
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
