Hello Tobias

Can VICI be configured to load a specific SCA cert per VPN (would this help)?

-----Original Message-----
From: Tobias Brunner <tob...@strongswan.org> 
Sent: Wednesday, November 28, 2018 2:21 AM
To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

As I suspected, you use the same identity for the two end-entity certificates 
that are signed by different intermediate CAs:

> ipsec pki --print -i /etc/swanctl/x509/Org1.crt
> subject:  "CN=RA00017.auth, ..."
> issuer:   "..., CN=TDY Test SCA 1"
> ...
> altNames:  ra00...@teledyne.com
> ...

> ipsec pki --print -i /etc/swanctl/x509/Org2.crt
> subject:  "CN=RA00017.auth, ..."
> issuer:   "..., CN=TDY Test SCA 4"
> ...
> altNames:  ra00...@teledyne.com
> ...

The configured identity is ra00...@teledyne.com in both configs; that you also 
configure a different certificate explicitly doesn't matter because EAP-TLS 
currently doesn't use that setting (the lookup is done based on the configured 
identity only).  Certificate requests should be considered, but if the cert 
request is for the root CA that won't help (it might even depend on the order 
of the certificate requests if multiple are received).

Regards,
Tobias
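As an added example (not part of this thread and not strongSwan's own tooling), the check below parses the text that `ipsec pki --print -i <cert>` prints for each certificate, in the shape quoted above, and reports every identity (altName) that occurs in certificates from more than one issuer. Those are exactly the cases Tobias describes: when EAP-TLS selects the certificate by configured identity alone, two end-entity certificates carrying the same identity under different intermediate CAs cannot be told apart. The sample output, the `example.invalid` addresses and the `Org3.crt` path are constructed placeholders, not the real certificates from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the general shape of `ipsec pki --print -i <cert>` output
# for the certificates discussed in the thread. Names, dates and addresses are
# placeholders, not the real certificates.
SAMPLE_OUTPUT = {
    "/etc/swanctl/x509/Org1.crt": """\
  subject:  "C=US, O=Example, CN=RA00017.auth"
  issuer:   "C=US, O=Example, CN=TDY Test SCA 1"
  validity:  not before Jan 01 00:00:00 2018, ok
             not after  Jan 01 00:00:00 2020, ok
  altNames:  ra00017@example.invalid
  flags:     clientAuth
""",
    "/etc/swanctl/x509/Org2.crt": """\
  subject:  "C=US, O=Example, CN=RA00017.auth"
  issuer:   "C=US, O=Example, CN=TDY Test SCA 4"
  validity:  not before Jan 01 00:00:00 2018, ok
             not after  Jan 01 00:00:00 2020, ok
  altNames:  ra00017@example.invalid
  flags:     clientAuth
""",
    # A third, unrelated certificate with its own identity: must not be flagged.
    "/etc/swanctl/x509/Org3.crt": """\
  subject:  "C=US, O=Example, CN=RA00099.auth"
  issuer:   "C=US, O=Example, CN=TDY Test SCA 4"
  altNames:  ra00099@example.invalid, RA00099.auth
  flags:     clientAuth
""",
}

# Only the three fields the check needs; everything else in the dump is ignored.
FIELD_RE = re.compile(r'^\s*(subject|issuer|altNames):\s*(.*?)\s*$')


def parse_pki_print(text):
    """Extract subject, issuer and altNames from one `pki --print` text dump."""
    info = {"subject": None, "issuer": None, "altNames": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "altNames":
            # pki prints several altNames on one line, comma separated
            info["altNames"] = [a.strip() for a in value.split(",") if a.strip()]
        else:
            info[key] = value.strip('"')
    return info


def find_ambiguous_identities(outputs):
    """Return {identity: {issuer: [cert paths]}} for every identity that appears
    in certificates from more than one issuer. With EAP-TLS selecting the
    certificate by identity alone, these are the entries where the lookup
    cannot distinguish the chains and the wrong SCA may be used."""
    by_identity = defaultdict(lambda: defaultdict(list))
    for path, text in outputs.items():
        info = parse_pki_print(text)
        for identity in info["altNames"]:
            by_identity[identity][info["issuer"]].append(path)
    return {ident: dict(issuers)
            for ident, issuers in by_identity.items() if len(issuers) > 1}


if __name__ == "__main__":
    for ident, issuers in find_ambiguous_identities(SAMPLE_OUTPUT).items():
        print(f"identity {ident!r} is issued by {len(issuers)} different CAs:")
        for issuer, paths in issuers.items():
            print(f"  {issuer}: {', '.join(paths)}")
```

To run it against a real setup, replace `SAMPLE_OUTPUT` with the captured output of `ipsec pki --print -i <file>` for each file under `/etc/swanctl/x509/`. The check only reports the ambiguity; it does not predict which certificate strongSwan will pick, since, as the reply above notes, that may depend on the order of certificate requests received.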
