Hi,

> but when I do:
> 
> $ strongswan pki --issue .... --flag nonRepudiation

That's not a flag value supported by strongSwan (it will just be ignored).

> and then:
> 
> $ strongswan pki --print --in ipsec.d/certs/suc...@openstack.der.new
> 
> ...
> 
>   flags:     
> ..
> 
> nothing gets there?

With the pki tool you don't have to do anything special, as it doesn't
encode keyUsage flags (except for CA certificates and CRL signer
certificates, neither of which you want to use as end-entity
certificates for IKE authentication).

Regards,
Tobias
