Actually not. Just refer to the right file in your system's CA store. (e.g. 
/etc/ca-certificates/extracted/cadir/bla.pem).
Or play around with symlinking /etc/ipsec.d/cacerts or a subdirectory of it to 
your system's CA store.

Kind regards

Noel

On 11.01.2018 13:29, Giuseppe De Marco wrote:
> You can even use charon-cmd this way:
> 
> charon-cmd --host SERVER_HOSTNAME --profile ikev2-eap --identity LOGIN --cert /PATH/TO/ca.crt
> 
> Using a valid CA lets Windows10 and MacOSX clients run without CA.crt, with 
> GNU/Linux we have to have ca.crt instead
> 
> 2018-01-11 13:17 GMT+01:00 Noel Kuntze <[email protected]>:
> 
>     Put the root CA and the intermediate CAs into /etc/ipsec.d/cacerts, then
>     run `ipsec stroke rereadcacerts` and then retry.
>     If that does not help, check the logs of iOS. You can get access to them
>     via Apple's SDK.
> 
>     On 11.01.2018 13:13, Alex Sharaz wrote:
>     > That's what is confusing, it's the QuoVadis root CA which is one we use
>     > on a whole batch of servers and my OS X machine validates those certs just
>     > fine ... and I can see them (root and intermediate) in the system root
>     > keystore... but certainly if I remove it from the mobileconfig file I don't
>     > connect, if I put it in there I do
>     > A
>     >
>     > On 11 January 2018 at 12:01, Noel Kuntze <[email protected]> wrote:
>     >
>     >     Hi,
>     >
>     >     You only need to install a root certificate if the issuer of your
>     >     server certificate or its root certificate is not in the client's
>     >     certificate store.
>     >     A client needs to be able to verify the server's certificate from
>     >     the root to the server certificate. That includes CRLs and OCSP.
>     >
>     >     That's PKI 101.
>     >
>     >     Kind regards
>     >
>     >     Noel
>     >
>     >     On 10.01.2018 12:44, Alex Sharaz wrote:
>     >     > Hi,
>     >     > I've got a .mobileconfig file set up that will allow a macOS/iOS
>     >     > user to connect to my SSwan VPN server (5.6.1).
>     >     > In it I have a cert payload defined containing both the
>     >     > intermediate and root cert of the server certificate. This all works
>     >     > just fine.
>     >     >
>     >     > However, our security people are objecting to the fact that I'm
>     >     > installing a root CA on the client device.
>     >     >
>     >     > Server cert has an intermediate cert between it and the root CA
>     >     >
>     >     > server config is
>     >     >
>     >     > conn it-services-ikev2
>     >     >   left=%any
>     >     >   leftauth=pubkey
>     >     >   leftcert=vpn.york.ac.uk.pem
>     >     >   [email protected]
>     >     >   leftsendcert=always
>     >     >   leftsubnet=0.0.0.0/0,::/0
>     >     >   leftfirewall=yes
>     >     >   right=%any
>     >     >   rightauth=eap-radius
>     >     >   rightsendcert=never
>     >     >   rightgroups="Cserv"
>     >     >   eap_identity=%any
>     >     >   keyexchange=ikev2
>     >     >   rightsourceip=%itservices
>     >     >   fragmentation=yes
>     >     >   auto=add
>     >     >
>     >     >
>     >     > If I remove the root cert from the mobileconfig, connection
>     >     > fails. Should I be able to connect without the root CA in the payload?
>     >     >
>     >     > Rgds
>     >     > Alex
>     >     >
>     >
>     >
> 
> 
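The chain-building point Noel makes in the thread (a client must be able to validate from a root it already trusts down to the server certificate, so the server has to supply the intermediate) can be checked offline with openssl. The following shell script is an added example and is not part of the thread or of strongSwan; it builds a throwaway root -> intermediate -> server chain (all names such as "Example Root CA" and vpn.example.test are constructed) and then runs the three client-side situations discussed above: root trusted and intermediate sent, root trusted but intermediate missing, and only the intermediate trusted.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed three-tier chain
# root -> intermediate -> server with openssl, then show which trust material
# a client needs in order to accept the server certificate.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension files: CA certificates get CA:TRUE, the server cert CA:FALSE + SAN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.test\n' > "$WORK/server.ext"

# Key + CSR helper: $1 = file stem, $2 = subject CN (constructed names).
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

build_chain() {
  gen_csr root   "Example Root CA"
  gen_csr int    "Example Intermediate CA"
  gen_csr server "vpn.example.test"
  # Root: self-signed trust anchor (the part the client must already have).
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate: signed by the root.
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 0x1001 -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  # Server: signed by the intermediate, as the server cert in the thread is.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 0x2001 -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Each check returns 0 if openssl accepts the server certificate, 1 otherwise.
# Client trusts the root and the server also sent the intermediate: accepted.
verify_root_plus_sent_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
       "$WORK/server.pem" >/dev/null 2>&1
  then return 0; else return 1; fi
}
# Client trusts the root but the server sent only its own certificate: rejected,
# the chain cannot be built ("unable to get local issuer certificate").
verify_root_only() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
  then return 0; else return 1; fi
}
# Client has only the intermediate in its trust store: rejected by default,
# because the chain must end at a trusted self-signed root.
verify_intermediate_only() {
  if openssl verify -CAfile "$WORK/int.pem" "$WORK/server.pem" >/dev/null 2>&1
  then return 0; else return 1; fi
}

build_chain
for check in verify_root_plus_sent_intermediate verify_root_only verify_intermediate_only; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```

The second case is the one that matches the symptom in the thread: a client that already trusts the public root still fails when the intermediate is not presented, which is why Noel's advice is to put the root and intermediate CAs into /etc/ipsec.d/cacerts on the server and reload them, so the server can hand the intermediate to the client instead of the client installing the root CA. Note that `openssl verify` as used here performs no revocation checking; a real client additionally has to reach the CRL or OCSP endpoints of the chain, which Noel's "that includes CRLs and OCSP" remark covers.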
