Hello Abbishek, hello listreaders,

On Monday 29 March 2010 12:23:35 Abbhishek Misra wrote:
> Still I get following.
>
> could not parse loaded certificate file
> '/etc/ipsec.d/cacerts/cacert-new.pem'

Perhaps you would like to have a close look at the output of:

    openssl x509 -in /etc/ipsec.d/cacerts/cacert-new.pem -noout -text

That should give all content of the cert in cleartext onto the console. If there is no error at all using this command, perhaps we need to increase debugging of charon.

After rereading your first posting, I found:

    : RSA cakey.pem "password"

What the hell do you need the cacert key decrypted for in ipsec sessions, sorry? There _should_ be no need of that within the ipsec-context. Or am I missing some new features like signing keys on the fly or the like? ;-)

I'm rather sure you need the cacert itself, but at no time the corresponding private key. You only need private keys for the local end cert. Each side, of course. So please have a review of your config and the contained keys.

The cacert key you only need to sign both end certificates. I'm rather sure. And that's the only reason beside the signing of a crl (scheduled on a regular basis).

Anyhow, this unnecessary added line in ipsec.conf should not give any reason for not being able to read the cert. Please have a look at the cert-file.

Hope that helps, happy working.

Johannes
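
A structural pre-check for the "could not parse loaded certificate file" case discussed in the message above, as an added example that is not part of the original mail and not strongSwan code: it reports whether a PEM file holds a certificate, a private key, or a damaged body. The function names and the sample bytes are assumptions constructed for illustration; only the PEM armor and the outer DER length are checked, so the `openssl x509 -noout -text` run remains the full test.

```python
import base64
import re

# Matches one PEM block: BEGIN label, body, matching END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE whose encoded length fits the data."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    if der[1] < 0x80:                           # short-form length
        header, length = 2, der[1]
    else:                                       # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def diagnose_pem(text: str) -> list:
    """Return (label, verdict) for every PEM block found in text."""
    blocks = PEM_RE.findall(text)
    if not blocks:
        return [("", "no PEM block (raw DER, or damaged BEGIN/END lines)")]
    results = []
    for label, body in blocks:
        if label.endswith("PRIVATE KEY"):       # e.g. a CA key dropped into cacerts/
            results.append((label, "private key, not a certificate"))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                      # binascii.Error subclasses ValueError
            results.append((label, "invalid base64 body"))
            continue
        if not der_sequence_ok(der):
            results.append((label, "truncated or corrupt DER"))
        elif label == "CERTIFICATE":
            results.append((label, "ok"))
        else:
            results.append((label, "unexpected PEM type"))
    return results

if __name__ == "__main__":
    # Constructed sample: a 5-byte DER SEQUENCE standing in for a certificate body.
    der = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
    armor = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"
    print(diagnose_pem(armor.format(base64.b64encode(der).decode())))        # intact
    print(diagnose_pem(armor.format(base64.b64encode(der[:-1]).decode())))   # cut short
```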