Hello all, I'm using ocsp for certificate checks and this works ok. But I have explicitly specified cacert parameter in ca section of ipsec.conf. CA chain may looks like this: (devcert)<-subca1<-subca2<...<-rootca. All of them are installed in /etc/ipsec.d/cacerts (with exception of devcert of course). When cacert points to subca1 the ocsp request is ok, i.e. the serial number of certificate to check is serial number of remote device's certificate.
But as far as I understand there is no need for having in /etc/ipsec.d/cacerts all subca installed, rootca is enough (when oscp is disabled). But in that scenario how should I set the cacert option in ca section if I want to use ocsp? And I am curious is this possible to omit cacert setting and use certificate "from transmission". i.e. the subca1 certificate that was received from remote device. Is far I understand when only rootca is installed on the device, this device will receive subca* from remote device during ikev2 negotiation. Thanks in advance for any answers. Regards, John
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users