Re: [strongSwan] A couple of offerings for the community
Hi Derek,

> (1) An IKEv2 profile importer for Windows 10, modeled on the
> strongSwan profile importer for Android:
> https://github.com/dcamero2016/vpn-importer

Nice idea. local.ca is wrong, though, it's the CA certificate to verify the remote's certificate, it hasn't necessarily anything to do with the client's authentication or certificate (i.e. should be remote.ca, or remote.cert to keep it compatible with our format). And why change local.p12 to local.pfx? (It's still a PKCS#12 container, no?)

Regards,
Tobias
Re: [strongSwan] A couple of offerings for the community
I will look into changing local.ca to something more appropriate.

Originally I wanted to use p12 files with everything in them (CA cert, client cert, client key), but this created messiness on the Windows end. This is why I separated out the CA cert, with the client cert and the client key going into a pfx file.

Regards,
Derek.

On Mon, Jan 28, 2019 at 1:32 AM Tobias Brunner wrote:
>
> Hi Derek,
>
> > (1) An IKEv2 profile importer for Windows 10, modeled on the
> > strongSwan profile importer for Android:
> > https://github.com/dcamero2016/vpn-importer
>
> Nice idea. local.ca is wrong, though, it's the CA certificate to verify
> the remote's certificate, it hasn't necessarily anything to do with the
> client's authentication or certificate (i.e. should be remote.ca, or
> remote.cert to keep it compatible with our format). And why change
> local.p12 to local.pfx? (It's still a PKCS#12 container, no?)
>
> Regards,
> Tobias
Re: [strongSwan] A couple of offerings for the community
Hi Derek,

> Originally I wanted to use p12 files with everything in them (CA cert,
> client cert, client key), but this created messiness on the Windows
> end.

As mentioned in the previous mail, the CA certificates that issued the client and server certificates don't have to be the same (often they aren't). Does Windows require the complete chain for the client certificate?

> This is why I separated out the CA cert, with the client cert and
> the client key going into a pfx file.

Because you expect the PKCS#12/PFX file in local.p12 to contain CA certificates? That isn't necessarily the case, it could just as well be only the client certificate and key (because the issuing CA certificate is not required on Android). Providing CA certificates to verify the server certificate (if it's even necessary) via remote.cert is usually better anyway as that avoids warnings on older Android releases (and maybe cleaner if the CAs are different).

Regards,
Tobias
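As an added example (not part of the thread, and not code from strongSwan or the vpn-importer project), the POSIX shell script below uses openssl to build a throwaway CA and a client certificate issued by it, packs the client certificate and key into a PKCS#12 file once without and once with the issuing CA, counts the CA certificates each bundle actually carries, and then writes a profile that puts the CA under remote.cert and the PKCS#12 under local.p12 as suggested above. The CA name, client identity, server address, export password, the Base64 DER encoding of the cert value and the remaining profile fields are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, strongSwan or the vpn-importer project.
# Builds a throwaway CA and client certificate with openssl, packs the client
# certificate and key into a PKCS#12 file once without and once with the issuing
# CA, and shows how to tell the two apart. All names, the password and the
# server address are constructed for the example.
set -eu

PASS=example          # assumed export password for the constructed bundles

# Create a self-signed CA and a client certificate issued by it in directory $1.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Client CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=client@example.org" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.crt" 2>/dev/null
}

# Pack client key + certificate from $1 into the PKCS#12 file $2.
# If a CA certificate path is given as $3 it is bundled as well; openssl does
# not add any chain on its own, so without $3 the file holds only the client.
make_p12() {
  dir="$1"; out="$2"; ca="${3:-}"
  if [ -n "$ca" ]; then
    openssl pkcs12 -export -passout "pass:$PASS" -inkey "$dir/client.key" \
      -in "$dir/client.crt" -certfile "$ca" -out "$out"
  else
    openssl pkcs12 -export -passout "pass:$PASS" -inkey "$dir/client.key" \
      -in "$dir/client.crt" -out "$out"
  fi
}

# Count the CA certificates (cert bags without a localKeyID) in PKCS#12 file $1.
# 0 means the file carries the client certificate and key only.
count_bundled_cas() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Emit a profile in the style of strongSwan's Android JSON format: the client
# bundle under local.p12, the CA that verifies the server under remote.cert.
# Base64 DER for the cert value and the remaining fields are assumptions here.
emit_profile() {
  p12="$1"; ca="$2"
  ca_b64=$(openssl x509 -in "$ca" -outform DER | openssl base64 -A)
  p12_b64=$(openssl base64 -A -in "$p12")
  printf '{"name":"Example","type":"ikev2-cert","remote":{"addr":"vpn.example.org","cert":"%s"},"local":{"p12":"%s"}}\n' \
    "$ca_b64" "$p12_b64"
}

# Demo: build both variants in a scratch directory and report what each carries.
WORK=$(mktemp -d)
make_test_pki "$WORK"
make_p12 "$WORK" "$WORK/client-only.p12"
make_p12 "$WORK" "$WORK/client-with-ca.p12" "$WORK/ca.crt"
echo "client-only.p12 bundles $(count_bundled_cas "$WORK/client-only.p12") CA certificate(s)"
echo "client-with-ca.p12 bundles $(count_bundled_cas "$WORK/client-with-ca.p12") CA certificate(s)"
emit_profile "$WORK/client-only.p12" "$WORK/ca.crt" > "$WORK/profile.sswan"
echo "profile written to $WORK/profile.sswan"
```

Running it prints a count of 0 for the client-only bundle and 1 for the bundle built with -certfile, which is the point of the reply above: an importer cannot assume a PKCS#12 file carries the issuing CA, so the CA used to verify the server belongs in its own field rather than being fished out of the client bundle.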