Hi, You only need to install a root certificate, if the issuer of your server certificate or its root certificate are not in the client's certificate store. A client needs to be able to verify the server's certificate from the root to the server certificate. That includes CRLs and OCSP.
That's PKI 101. Kind regards Noel On 10.01.2018 12:44, Alex Sharaz wrote: > Hi, > I've got a .mobileconfig file set up that will allow a macOS/iOS user to > connect to my SSwan VPN server (5.6.1) > In it I have a cert payload defined containing both the intermediate and root > cert of the server certificate. This all works just fine > > However, our security people are objecting to the fact that I'm installing a > root CA on the client device. > > Server cert has an intermediate cet between it and the root CA > > server config is > > conn it-services-ikev2 > left=%any > leftauth=pubkey > leftcert=vpn.york.ac.uk.pem > [email protected] <http://vpn.york.ac.uk> > leftsendcert=always > leftsubnet=0.0.0.0/0,::/0 <http://0.0.0.0/0,::/0> > leftfirewall=yes > right=%any > rightauth=eap-radius > rightsendcert=never > rightgroups="Cserv" > eap_identity=%any > keyexchange=ikev2 > rightsourceip=%itservices > fragmentation=yes > auto=add > > > If I remove the root cert from the mobileconfig, connection fails. Should I > be able to connect without the root CA in the payload? > > Rgds > Alex >
signature.asc
Description: OpenPGP digital signature
