Thanks
-Original Message-
From: Tobias Brunner
Sent: Thursday, November 29, 2018 5:12 AM
To: Modster, Anthony; users@lists.strongswan.org
Cc: Wong, Richard
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Hi Anthony,
> ? can VICI be configured to load a specific SCA cert per VPN (would
> this help)
That doesn't make a difference. As mentioned, only the identity is relevant on
the client. So unless you can get the server to send a TLS certificate request
only for a specific intermediate CA you can't control the client's certificate
selection if you use the same identity for both end-entity certificates.
It is similar on the server side, where strongSwan sends TLS certificate requests
for all available CA certificates (i.e. like the certs option, the cacerts
option is only relevant for IKE, not for EAP-TLS).
Regards,
Tobias