Hi Sven,

> In your example scenario the CA has the policy set too.
> I'm a bit unsure if this is necessary, because RFC 5280 in section
> 4.2.1.4 (Certificate Policies) states:
>
> "When a CA does not wish to limit the set of policies for certification
> paths that include this certificate, it MAY assert the special policy
> anyPolicy, with a value of { 2 5 29 32 0 }."
>
> Does this "MAY" mean that a root certificate without any policy does
> not limit the policy?

No, I think it simply means that instead of listing all the valid policies the certificate MAY define anyPolicy instead. According to section 6, the absence of a policy extension clears the allowed policies for certificates under that certificate (6.1.3 (e) and also 6.1.2 (a)). This doesn't reject the certificate; it just means the policies will be ignored.

> Or SHOULD I set the special policy, iff I want
> no limitation?

Yes, I think so.

> How does strongswan evaluate this? Does it need the policy in the root
> certificate too and is this correct?

Yes, the constraints plugin checks that the policy in an end-entity certificate is either contained explicitly in the CA certificates (or mapped to a different OID via policy mapping), or that they specify the anyPolicy OID. The complete trust chain is checked.

> What, if I do NOT own the CA but have a Sub-CA signed by an official CA?
>
> Can I use certification policies then?

Depends on the policy extension in that official CA certificate.

> Currently I have a user certificate with a specific policy and a
> Sub-CA with an "anyPolicy" set. But I cannot connect, if I enable the
> "rightcertpolicy" option...

Then the root CA probably has no policy extension and the policy will be ignored and, therefore, can't be matched to the rightcertpolicy option.

Regards,
Tobias
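The chain walk Tobias describes (RFC 5280 section 6.1: start from an anyPolicy node, intersect with each certificate's policies, collapse to nothing as soon as a certificate has no policy extension, apply policy mappings) can be modelled in a few lines. The following Python is an added example written for this thread; it is not strongSwan's constraints plugin and does not parse X.509. The `Cert` class, the `valid_policies` and `policy_matches` helpers, and the OIDs `EXAMPLE_POLICY` and `MAPPED_POLICY` are constructed for illustration; only the anyPolicy OID 2.5.29.32.0 is real. It reproduces Sven's failing setup (root without a policy extension, Sub-CA with anyPolicy, user certificate with a specific policy) and the two ways of fixing the root.

```python
# Simplified RFC 5280 section 6.1 certificate-policy processing over a chain.
# Added example, not strongSwan code; OIDs other than anyPolicy are constructed.

ANY_POLICY = "2.5.29.32.0"          # the special anyPolicy OID from RFC 5280 4.2.1.4
EXAMPLE_POLICY = "1.2.3.4.5"        # constructed: the policy given as rightcertpolicy
MAPPED_POLICY = "1.2.3.4.6"         # constructed: a policy in a second CA's domain


class Cert:
    """Minimal stand-in for a certificate: name, certificatePolicies, policyMappings."""

    def __init__(self, name, policies=None, mappings=()):
        self.name = name
        # None models an absent certificatePolicies extension (RFC 5280 6.1.3 (e)).
        self.policies = set(policies) if policies is not None else None
        # (issuerDomainPolicy, subjectDomainPolicy) pairs, only meaningful on CA certs.
        self.mappings = list(mappings)


def valid_policies(chain):
    """Return the set of valid policy OIDs for the last certificate of `chain`.

    `chain` is ordered root -> intermediates -> end entity.  An empty set means
    the valid_policy_tree became NULL somewhere, so no policy can match.
    """
    expected = {ANY_POLICY}  # initial tree: a single anyPolicy node (6.1.2 (a))
    valid = set()
    for depth, cert in enumerate(chain):
        if cert.policies is None:
            return set()  # no extension: tree becomes NULL and stays NULL (6.1.3 (e))
        if not expected:
            return set()
        if ANY_POLICY in expected:
            # Parent node is anyPolicy: every asserted policy gets a node (6.1.3 (d)(1)(ii)).
            valid = set(cert.policies)
        else:
            # Otherwise only policies the parent expects survive (6.1.3 (d)(1)(i)) ...
            valid = cert.policies & expected
            # ... unless this cert asserts anyPolicy, which matches all of them (6.1.3 (d)(2)).
            if ANY_POLICY in cert.policies:
                valid |= expected
        if depth == len(chain) - 1:
            break  # policy mappings are not applied on the end-entity certificate
        # Policy mappings (6.1.4 (b)): a mapped issuer-domain policy is expected
        # under its subject-domain name in the next certificate.
        next_expected = set()
        mapped = set()
        for issuer_dom, subject_dom in cert.mappings:
            if issuer_dom in valid or ANY_POLICY in valid:
                next_expected.add(subject_dom)
                mapped.add(issuer_dom)
        next_expected |= valid - mapped
        expected = next_expected
    return valid


def policy_matches(chain, required_policy):
    """True if `required_policy` (the rightcertpolicy value) is valid for the end entity."""
    return required_policy in valid_policies(chain)


# Sven's setup: root without policy extension, Sub-CA with anyPolicy, user cert with a policy.
SUB_CA_ANY = Cert("sub-ca", {ANY_POLICY})
USER = Cert("user", {EXAMPLE_POLICY})
CHAIN_ROOT_WITHOUT_EXT = [Cert("root", None), SUB_CA_ANY, USER]

# Two fixes for the root: assert anyPolicy, or list the policy explicitly.
CHAIN_ROOT_ANY = [Cert("root", {ANY_POLICY}), SUB_CA_ANY, USER]
CHAIN_ROOT_EXPLICIT = [Cert("root", {EXAMPLE_POLICY}), SUB_CA_ANY, USER]

# Policy mapping: the Sub-CA maps the root's policy to its own domain's OID.
SUB_CA_MAPPING = Cert("sub-ca", {EXAMPLE_POLICY}, mappings=[(EXAMPLE_POLICY, MAPPED_POLICY)])
CHAIN_MAPPED = [Cert("root", {EXAMPLE_POLICY}), SUB_CA_MAPPING, Cert("user", {MAPPED_POLICY})]

if __name__ == "__main__":
    for label, chain in [("root without extension", CHAIN_ROOT_WITHOUT_EXT),
                         ("root with anyPolicy", CHAIN_ROOT_ANY),
                         ("root with explicit policy", CHAIN_ROOT_EXPLICIT)]:
        print(f"{label}: rightcertpolicy matches = {policy_matches(chain, EXAMPLE_POLICY)}")
    print(f"mapped chain: {MAPPED_POLICY} matches = {policy_matches(CHAIN_MAPPED, MAPPED_POLICY)}")
```

The first chain returns an empty set, which is exactly why rightcertpolicy cannot be satisfied in Sven's setup: the missing extension on the root empties the tree before the Sub-CA's anyPolicy ever gets a chance to pass the user certificate's policy through. The two fixed roots both yield the user's policy, and the mapped chain shows why the end-entity policy must be compared under its mapped OID rather than the root's original one.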