Hi Andreas,

I'm getting the following error on startup when trying to use pkcs12:

> Oct 01 03:16:13 machine2 charon[2576]: 00[LIB] building CRED_CONTAINER - PKCS12 failed, tried 2 builders
> Oct 01 03:16:13 machine2 charon[2576]: 00[CFG] loading credentials from '/etc/x509/strongswan.p12' failed

strace shows the file being opened and mmapped just before this failure.

Config files: https://gist.github.com/shlevy/cab44a79c200140c5647

~Shea

On Thu, Sep 25, 2014 at 08:43:06AM +0200, Andreas Steffen wrote:
> Hi Shea,
>
> concatenating multiple certificates into a single PEM file is not
> supported by strongSwan. You could import the user certificate,
> the corresponding private key and the trust chain via a key file
> in PKCS#12 format as in the following example:
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.secrets
>
> The user certificate and any intermediate certificates will be
> sent to the peer via the IKE protocol.
>
> In ipsec.conf you don't need a leftcert parameter. Just indicate
> leftid so that the matching user certificate can be found.
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.conf
>
> Best regards
>
> Andreas
>
> On 09/24/2014 10:14 PM, Shea Levy wrote:
> > Hi all,
> >
> > I have the setup described at [1] working currently.
> > shea-intermediate.crt is signed by zalora-ca.crt, and each machine's
> > cert in /etc/x509 is signed by and concatenated with
> > shea-intermediate.crt. If I remove the 'ca inter' section from each
> > config, I get:
> >
> >> no issuer certificate found for "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-ebc130d19292466287791571653eac79, [email protected]"
> >
> > Is there any way to get this to work without each machine needing to
> > know about the intermediate cas that may be used by the others? Since
> > the intermediate ca is signed by the root ca and bundled with the
> > end-user ca, it seems like it shouldn't be necessary...
> >
> > ~Shea
> >
> > [1]: https://gist.github.com/shlevy/99c8008c9b0043bc4afc
> >
>
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
