On Fri, 18 Aug 2023 12:45:37 -0600 Nels Lindquist <[email protected]> wrote:
> Hi, all.
>
> While we transition from certificates signed by our expiring internal
> CA, I'd like to be able to use client certificates signed by either
> the old or new CA for VPN access.
>
> So... can leftca/rightca take multiple values? Can there be multiple
> parallel connection definitions with different certificates/CAs for
> the same functionality? Or something else entirely?

If you omit leftca and rightca, any valid CA from your NSS DB is OK, which is normally what you want.

Only if you have extra CA certs you want to trust for a single connection only are you in trouble, and you need to duplicate all your connections with a different local certificate and rightca=%same...

Some VPN clients only allow the gateway to have a certificate signed by the same CA, so you might be forced to duplicate your connections for the transition anyway, because your gateway certificate must match the client certificate's CA in this case.

--
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
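The two layouts described in the reply, written out as an ipsec.conf fragment. This is an added example, not configuration from the original post or from the libreswan project; the certificate nicknames (gw-oldca, gw-newca), the address pool and the subnet are assumptions to be replaced with your own, and both CA certificates are assumed to already be imported into the NSS database as trusted CAs.

```ini
# Added example (not from the original post). Assumes both the old and the new
# CA certificate are present and trusted in libreswan's NSS database, and that
# "gw-oldca" and "gw-newca" are the nicknames of two gateway certificates, one
# issued by each CA. Addresses, subnets and pools are placeholders.

# Layout 1: no leftca/rightca at all. Any CA trusted in the NSS DB may have
# issued the client certificate, so old and new clients both match this conn.
conn roadwarrior-anyca
    left=%defaultroute
    leftcert=gw-newca
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightaddresspool=192.0.2.100-192.0.2.200
    authby=rsasig
    ikev2=yes
    auto=add

# Layout 2: one conn per CA, for clients that insist the gateway certificate
# chains to the same CA as their own. leftca is not set, so it defaults to the
# issuer of leftcert; rightca=%same restricts the peer to that same CA.
conn roadwarrior-common
    left=%defaultroute
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightaddresspool=192.0.2.100-192.0.2.200
    authby=rsasig
    ikev2=yes
    auto=ignore

conn roadwarrior-oldca
    also=roadwarrior-common
    leftcert=gw-oldca
    rightca=%same
    auto=add

conn roadwarrior-newca
    also=roadwarrior-common
    leftcert=gw-newca
    rightca=%same
    auto=add
```

Use one layout or the other, not both at once, so that a given client is matched by exactly one conn. Once the old CA has expired, layout 2 collapses back to the single roadwarrior-newca conn; with layout 1 there is nothing to change beyond removing the expired CA from the NSS database.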
