Hi,

When invoking the "pki --verify" command, the user has to supply all of the CA certs along the trust chain for the verification to take place appropriately. This could be cumbersome if the trust chain is long (>1). If there are CRLs, they have to be supplied as well. If the certificate store is known (a default location such as /etc/ipsec.d/, for example), shouldn't this all be done automatically? I.e., once you know the certificate to be verified, you can look up the issuers all the way up to the root CA with their associated CRLs. Is there any reason why it doesn't work that way, other than that nobody has gotten around to doing it?

Regards,
Jafar
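
An added example, not part of the original message and not strongSwan code: a small wrapper that hands every CA certificate and CRL found in a store to "pki --verify", so the trust chain does not have to be listed by hand. It assumes the store keeps CA certificates in `cacerts/` and CRLs in `crls/` and that `pki` accepts repeated `--cacert` and `--crl` options; `verify_with_store` and `PKI_BIN` are hypothetical names.

```shell
#!/bin/sh
# Added example: pass a whole certificate store to "pki --verify".
# Assumptions: <store>/cacerts and <store>/crls layout, and a pki build
# that accepts --cacert/--crl more than once.
# PKI_BIN (hypothetical) lets you point at a specific pki binary.
PKI_BIN="${PKI_BIN:-pki}"

verify_with_store() {
    cert="$1"
    store="${2:-/etc/ipsec.d}"

    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 2; }

    # Rebuild the positional parameters as the pki argument list; this
    # keeps file names containing spaces intact without needing arrays.
    set -- --verify --in "$cert"

    found_ca=0
    for f in "$store"/cacerts/*; do
        [ -f "$f" ] || continue      # unmatched glob or a subdirectory
        set -- "$@" --cacert "$f"
        found_ca=1
    done

    for f in "$store"/crls/*; do
        [ -f "$f" ] || continue
        set -- "$@" --crl "$f"
    done

    # No CA certificate means there is no trust chain to check against;
    # fail here instead of invoking pki with an empty trust set.
    if [ "$found_ca" -eq 0 ]; then
        echo "no CA certificates under $store/cacerts" >&2
        return 3
    fi

    "$PKI_BIN" "$@"
}
```

Call it as `verify_with_store leaf.pem` for the default store, or pass a second argument to use another directory; the exit status is that of `pki`, or 2 or 3 for the wrapper's own checks.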

