Hi All,

I tried verifying the same ECDSA certificate and CA cert on both strongswan versions.

On strongswan version 5.5.2:

[root@mac-6 ~]# pki --verify --in /etc/ipsec.d/certs/certificate-1.pem --ca /etc/ipsec.d/cacerts/certificate-2.pem
using certificate "C=IN, ST=M, L=M, O=Yam, OU=Ya, CN=prime1"
using trusted ca certificate "C=IN, ST=M, L=P, O=Yam, OU=Ya, CN=primeCA"
reached self-signed root ca with a path length of 0
certificate trusted, lifetimes valid

Whereas when I tried verifying the same set on strongswan version 5.6.3:

[root@mac-7 ~]# pki --verify --in /etc/ipsec.d/certs/certificate-1.pem --ca /etc/ipsec.d/cacerts/certificate-2.pem
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate from '/etc/ipsec.d/cacerts/certificate-2.pem' failed
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing certificate failed

Please let me know if there are any changes between the two versions for ECDSA certificates, because the same RSA certificates are working on both versions for me?

On Thu, May 9, 2019 at 4:17 PM Yogesh Purohit <[email protected]> wrote:

> Hi,
>
> I was using strongswan version 5.5.2, where I was using ECDSA certificates.
> Recently I have moved to strongswan version 5.6.3.
> But with this new version I am facing an issue in loading my certificates and
> keys. Strongswan fails to load certificates.
> I noticed this new line in it: 'building CRED_CERTIFICATE - X509 failed,
> tried 3 builders'
>
> charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.4.0-116-generic, x86_64)
> charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
> charon: 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/ca_dummy.pem' failed
> charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
> charon: 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/ca_ecdsa.pem' failed
>
> Is there any new plugin which is needed for it, because I was able to use
> the same certificate with the previous version?
>
> --
> Best Regards,
>
> Yogesh Purohit

--
Best Regards,

Yogesh Purohit
