Score:0

Why does StrongSwan charon-cmd client require the --cert command-line option for multiple CA chain certificates?


I have a StrongSwan charon server on Ubuntu 18.04. I connect to this server with a StrongSwan charon-cmd client from another Ubuntu Linux machine.

The command I use from the client machine to connect to the server is:

charon-cmd --cert ./GoDaddyCA1.crt --cert GoDaddyCA2.crt --host xxx.example.com --identity myusername

It works great, but I don't understand why I need two "--cert" options in the command line to trust both GoDaddy CA certificates in the chain.

My personal certificate is served by the StrongSwan server, and its authority is the GoDaddyCA1.crt. The GoDaddyCA1.crt certificate has an authority of the GoDaddyCA2.crt certificate. The GoDaddyCA2.crt is a self-signed root certificate.

So, the authority chain is:

MyPersonalCert.crt -> GoDaddyCA1.crt -> GoDaddyCA2.crt

The meaning of the charon-cmd command-line option "--cert" is to declare that "this is a certificate that I trust". So, I would expect that by trusting the GoDaddyCA1.crt, then my personal certificate should also be trusted.

But that's not good enough for charon-cmd. The charon-cmd client demands that I specify "--cert" to trust all the way to a self-signed certificate. But this seems superfluous. If I trust the intermediate CA certificate, then obviously I must also trust its authority CA cert, right?

Is this a bug, or a feature? If it's a feature, what benefit does it provide?

Score:1

Intermediate CA certificates are currently not accepted as trust anchors in strongSwan, only self-signed root CA certificates.

If the server sends the intermediate CA certificate along with the server certificate, you only have to trust the root CA certificate (i.e. --cert GoDaddyCA2.crt will be enough). If it doesn't, make sure it's installed and check the config (e.g. send_cert in swanctl.conf). Only if that's not an option, you can't avoid having to configure both certificates on the client.

deltamind106: Thank you for this advice. I do not have an /etc/swanctl directory in my Linux distribution (Ubuntu 18.04), and therefore I don't have a swanctl.conf file (or I don't know where it is). I have StrongSwan 5.6.2 from a few years ago, so maybe this is a new config file? Is there some configuration in 5.6.2 that is analogous, which will allow me to configure the server to send an intermediate CA certificate?

Did you check if it's already sent? Otherwise, check the _leftsendcert_ setting in ipsec.conf and make sure the intermediate CA certificate is installed in `/etc/ipsec.d/cacerts`.

deltamind106: You were right, once I added the intermediate cert to the /etc/ipsec.d/cacerts directory, then it automatically sent it. So there was nothing to configure, and it works now without the client needing to trust multiple certs. Thanks!
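The behaviour discussed in this thread can be reproduced outside strongSwan with plain X.509 path validation. The script below is an added example, not part of the thread or of strongSwan: it builds a throwaway three-level chain with openssl (leaf -> intermediate -> root, standing in for MyPersonalCert.crt -> GoDaddyCA1.crt -> GoDaddyCA2.crt) and shows that the leaf verifies with the root alone as trust anchor once the intermediate is supplied alongside it (what the server does when the intermediate is in /etc/ipsec.d/cacerts), while the intermediate alone is rejected unless the verifier is explicitly told to accept a partial chain, which strongSwan does not offer. It assumes `openssl` is on PATH; all certificate names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo chain (not real GoDaddy certificates); requires openssl on PATH.
set -e
WORK=$(mktemp -d)

build_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  # Self-signed root (plays the role of GoDaddyCA2.crt)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
  # Intermediate signed by the root (plays the role of GoDaddyCA1.crt)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out int.crt 2>/dev/null
  # Leaf signed by the intermediate (plays the role of MyPersonalCert.crt)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-user" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null
}

# Trust only the root; the intermediate is passed as an untrusted chain certificate,
# i.e. the situation once the server sends it. This is the "--cert GoDaddyCA2.crt is enough" case.
verify_root_with_sent_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Trust only the intermediate: the chain does not end at a self-signed anchor,
# so standard path validation rejects it, which is also what strongSwan does.
verify_intermediate_only() {
  openssl verify -CAfile "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# What the question expected: OpenSSL can opt in to a partial chain; strongSwan cannot.
verify_intermediate_partial_chain() {
  openssl verify -partial_chain -CAfile "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

build_chain
verify_root_with_sent_intermediate && echo "root anchor + sent intermediate: OK"
verify_intermediate_only || echo "intermediate anchor alone: rejected (same as strongSwan)"
verify_intermediate_partial_chain && echo "intermediate anchor with -partial_chain: OK"
```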