Hi Tobias,

On 02/23/18 14:25, Tobias Brunner wrote:
> Hi Harri,
>
>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
>> would help, but apparently it doesn't.
>
> strongSwan reads only the first certificate from PEM encoded files. So
> put them in separate files.
>

I have 2 additional questions here (hope you don't mind):

Even if Strongswan ignores the additional certs, is it possible that
some crypto implementation *used* by Strongswan does not, but reads all
certificates found in the cert files (in /etc/ipsec.d)?

Does Strongswan send just the first certificate it has read to the peer,
or does it send the whole certificate file (the chain)?

Reason for asking is that I see some weird authentication failures if I
cut off the additional certificates from the chain files and put them
into separate files.

Regards
Harri
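
Splitting a chain file into one certificate per file, as suggested in the quoted reply, shown here as an added example that is not part of the original thread and not strongSwan code. The function names, the output file naming and the sample bundle are assumptions made for illustration; the bundle holds constructed placeholder blocks, not real certificates.

```shell
#!/bin/sh
# Constructed sample: three placeholder blocks (not real certificates) plus a
# stray text line, laid out like a chain file with everything in one PEM.
make_constructed_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERENDENTITY
-----END CERTIFICATE-----
subject=constructed intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERINTERMEDIATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERROOT
-----END CERTIFICATE-----
EOF
}

# split_pem_chain BUNDLE OUTDIR [PREFIX] (hypothetical helper)
# Writes each CERTIFICATE block to OUTDIR/PREFIX-NN.pem in file order and
# prints how many were written. Text outside the blocks is dropped.
split_pem_chain() {
    bundle=$1; outdir=$2; prefix=${3:-cert}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v prefix="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/%s-%02d.pem", dir, prefix, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END {
            # A BEGIN without a matching END means the file is truncated.
            if (inside) { print "unterminated certificate block" > "/dev/stderr"; exit 2 }
            print n + 0
        }
    ' "$bundle"
}

# Demo on the constructed bundle: prints the count, then the files written.
tmp=$(mktemp -d)
make_constructed_bundle "$tmp/chain.pem"
split_pem_chain "$tmp/chain.pem" "$tmp/split" mycert
ls "$tmp/split"
```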