Thats what is confusing, its the QuoVadis root CA which is one we use on a whole batch of servers and my osx machine validates those certs just fine. ... and I can see them ( root and intermediate) in the system root keystore... but certainly if I remove it from the mobileconfig file I don't connect ,if I put it in there I do A
On 11 January 2018 at 12:01, Noel Kuntze < noel.kuntze+strongswan-users-ml@thermi.consulting> wrote: > Hi, > > You only need to install a root certificate, if the issuer of your server > certificate or its root certificate are not in the client's certificate > store. > A client needs to be able to verify the server's certificate from the root > to the server certificate. That includes CRLs and OCSP. > > That's PKI 101. > > Kind regards > > Noel > > On 10.01.2018 12:44, Alex Sharaz wrote: > > Hi, > > I've got a .mobileconfig file set up that will allow a macOS/iOS user to > connect to my SSwan VPN server (5.6.1) > > In it I have a cert payload defined containing both the intermediate and > root cert of the server certificate. This all works just fine > > > > However, our security people are objecting to the fact that I'm > installing a root CA on the client device. > > > > Server cert has an intermediate cet between it and the root CA > > > > server config is > > > > conn it-services-ikev2 > > left=%any > > leftauth=pubkey > > leftcert=vpn.york.ac.uk.pem > > leftid=@vpn.york.ac.uk <http://vpn.york.ac.uk> > > leftsendcert=always > > leftsubnet=0.0.0.0/0,::/0 <http://0.0.0.0/0,::/0> > > leftfirewall=yes > > right=%any > > rightauth=eap-radius > > rightsendcert=never > > rightgroups="Cserv" > > eap_identity=%any > > keyexchange=ikev2 > > rightsourceip=%itservices > > fragmentation=yes > > auto=add > > > > > > If I remove the root cert from the mobileconfig, connection fails. > Should I be able to connect without the root CA in the payload? > > > > Rgds > > Alex > > > >