Hi! Somewhat old:
On Fri, Apr 27, 2007 at 06:08:13PM +0200, Rafał Brodewicz wrote:
>Hannah Schroeter wrote:
>>I've tried to set up an IPSEC client connection. However, I see that it
>>doesn't work because the X509 certificate I've been given by my CA has no
>>subjAltName extension. And I'm not sure whether I'll be able to get them
>>to add one for me.
>>So, is there any reason why one can't bring ipsecctl/isakmpd to find the
>>certificate to use by the certificate DN or e.g. its emailAdress part?
>>And btw... Why can you specify a USER_FQDN as srcid type in ipsec.conf(5),
>>but not add something like that as subjAltName attribute to an X509
>>certificate (I see that only IP or FQDN are available as extensions in
>>the default /etc/ssl/x509v3.cnf and I see no mention of something that
>>looks like USER_FQDN in the openssl(1) manpage either).

>Here's a simple script that I'm using for generating certificates.
>http://brodewicz.pl/files/create_certs.sh

That doesn't help my problem. I'm not the CA! I have the given certificate
without subjAltName and just wonder why isakmpd/ipsec.conf can't select
a certificate by (part of the) DN or by certificate fingerprint as an
additional possibility.

Kind regards,

Hannah.